 

Is password still needed when using Passkeys?

Both Apple and Google have demonstrated Passkeys at their developer conferences (Google I/O and Apple WWDC 2022), and Microsoft is also on board. Being able to transfer passkeys from device to device removes a major limitation of FIDO2/WebAuthn and will likely be the breakthrough.

However, in their presentations both Apple and Google demonstrated the passkey setup on top of an account with username and password. Once the passkey was created, login was possible without password.

  • Does Passkey really require an existing account with password?
  • Or is this just temporarily needed for account setup?
  • Or can a user register a new account with just username and passkey and really go password-less?
Codo Avatar asked May 16 '26 09:05

2 Answers

Great questions – we've been working on finding good answers since WebAuthn Platform Authenticators (and now passkeys) have been announced.

tl;dr:

  • Passkeys do not require a password; passkeys and passwords can coexist, but do not require each other
  • Passwordless accounts that are protected only by one or more passkey(s) are the clear goal and will become a reality once passkeys are fully supported on all platforms

BUT you have to take into account what your average user knows about authentication and what they expect when they want to create an account or login to your app or website.

We frequently hear from users as well as service providers things like:

  • "How can my account be secure if I don't need to enter a password??"
  • "I don't want this website to see my fingerprint" (which of course will never happen, but is still the #1 user concern with WebAuthn)
  • "I lost my phone (and therefore my passkeys) and want to sign in, where can I enter my password?"
  • "I'm still on Windows 7 and can't use passkeys"

Ultimately, it would just not be a good idea to offer only passkey-based authentication for any production login today. In a few years things will look different, but for now the only sensible approach is to offer a regular login with a passkey alternative (on supported devices). Slowly, users will get to know the technology and the term passkey from the big account providers (Apple, Google, MS, Amazon, ...) and the typical username/password login form will be degraded to a fallback/recovery method and hopefully be completely gone someday.

FlxMgdnz Avatar answered May 19 '26 03:05
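An added example, not from the question or either answer: the WebAuthn options a site hands to `navigator.credentials.create()` and `navigator.credentials.get()` so that the credential it gets back is a passkey (a discoverable, user-verified credential) and the login step needs neither a username nor a password. The rpId, user values and the server-issued challenge are assumptions for illustration.

```javascript
// Added example (not the page's own code). rpId/userId/challenge are assumed.
const textEncoder = new TextEncoder();

// Options for navigator.credentials.create({ publicKey: ... }).
// `challenge` must be random bytes issued by the server and bound to the session.
function buildPasskeyCreationOptions({ rpId, rpName, userId, userName, challenge, existingCredentialIds = [] }) {
  return {
    rp: { id: rpId, name: rpName },
    user: {
      id: textEncoder.encode(userId), // stable opaque id, not the e-mail address
      name: userName,
      displayName: userName,
    },
    challenge,
    pubKeyCredParams: [
      { type: 'public-key', alg: -7 },   // ES256
      { type: 'public-key', alg: -257 }, // RS256, for older Windows Hello authenticators
    ],
    // This block is what makes the credential a passkey: it is stored on the
    // authenticator (discoverable), so login needs no username or password,
    // and the user must verify (biometric or PIN) on every use.
    authenticatorSelection: {
      residentKey: 'required',
      requireResidentKey: true, // WebAuthn Level 1 spelling, kept for older browsers
      userVerification: 'required',
    },
    // Stops an authenticator that already holds a passkey for this account from creating another.
    excludeCredentials: existingCredentialIds.map((id) => ({ type: 'public-key', id })),
    timeout: 60000,
  };
}

// Options for navigator.credentials.get({ publicKey: ... }). No allowCredentials:
// the browser lists the discoverable passkeys it holds for this rpId and the
// user picks one, so the login form needs no username field at all.
function buildPasskeyRequestOptions({ rpId, challenge }) {
  return { rpId, challenge, userVerification: 'required', timeout: 60000 };
}

// Browser entry points; they return null outside a browser (e.g. under Node).
async function registerPasskey(opts) {
  if (typeof navigator === 'undefined' || !navigator.credentials) return null;
  return navigator.credentials.create({ publicKey: buildPasskeyCreationOptions(opts) });
}
async function loginWithPasskey(opts) {
  if (typeof navigator === 'undefined' || !navigator.credentials) return null;
  return navigator.credentials.get({ publicKey: buildPasskeyRequestOptions(opts) });
}
```

The server still has to verify the returned attestation/assertion (challenge, origin, rpId hash, signature) before trusting either call; only the client-side option building is shown here.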
Passkeys do require an account. However, it doesn’t require a password because biometrics are used in authentication. I added passkeys to my site using OwnID API https://youtu.be/DAJHaUbHs44

EvilGG Avatar answered May 19 '26 03:05