Three Common Mistakes with Passkey Implementations

Grace Lu
August 22, 2023

A growing number of popular consumer apps are rolling out passkey logins for their users, with PayPal, TikTok, and WhatsApp all announcing support for this form of passwordless authentication in the last month. However, it is becoming clear that even well-resourced identity teams are struggling to build seamless implementations in-house.

While passkeys can provide better security and an improved user experience over traditional password-based logins, poor implementations can backfire and erode user trust. In this post, we’ll highlight three common issues we see with passkey implementations and how Passage can help solve them.

1. Cross-Platform Passkey Detection and Usability

Picture this real and common scenario: a user creates a passkey for your service on their computer. But when they try to log in from their smartphone, the attempt fails, and the app gives no indication that a passkey was ever created, leaving them confused and frustrated. Poor cross-platform compatibility like this is one of the most glaring mistakes in passkey implementations.

The lack of uniformity can lead to abandoned accounts, forgotten passkeys, and a general distrust of passkeys and of your business. Many teams struggle to solve this problem, and end up with implementations confined to a single platform (WhatsApp only supports passkeys on Android, TikTok only on iOS, and so on). But if your business does not have the resources for quarter-long efforts to build and test across all major platforms, there is another way.

Passage allows you to add passkey logins to your app or website with just a few lines of code and handles the cross-platform complexity by default. As a service layer between your app and the underlying passkey APIs, Passage detects edge cases across devices and browsers and falls back to other passwordless methods when a passkey isn't going to work on the current device.
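To make the detection concrete, here is an added example (not Passage's code, and not from any of the apps named above) of the client-side decision a login page should make before it tries a passkey. It probes the real WebAuthn feature-detection calls that browsers expose (`PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()` and `isConditionalMediationAvailable()`), combines them with what the server knows about the account (the `userHasPasskeys` flag is a hypothetical server lookup), and maps the `NotAllowedError` a browser raises when no matching credential exists on this device to a useful fallback instead of a bare failure:

```javascript
// Added example: choose a login flow from what this device actually supports,
// so a user who enrolled a passkey on a laptop gets a real path on a phone.

// Probe the browser's WebAuthn capabilities. In a non-browser runtime (no
// `window`) it reports "no WebAuthn", so the decision logic still runs.
async function probeCapabilities() {
  const caps = { webauthn: false, platformAuthenticator: false, conditionalUI: false };
  if (typeof window === 'undefined' || !window.PublicKeyCredential) return caps;
  caps.webauthn = true;
  const PKC = window.PublicKeyCredential;
  if (typeof PKC.isUserVerifyingPlatformAuthenticatorAvailable === 'function') {
    caps.platformAuthenticator = await PKC.isUserVerifyingPlatformAuthenticatorAvailable();
  }
  if (typeof PKC.isConditionalMediationAvailable === 'function') {
    caps.conditionalUI = await PKC.isConditionalMediationAvailable();
  }
  return caps;
}

// Decide which flow to offer. `userHasPasskeys` is what the server knows about
// the account (hypothetical lookup after the user enters their email).
function chooseLoginFlow(caps, userHasPasskeys) {
  if (!caps.webauthn) {
    // No WebAuthn at all: say so if they have a passkey, then fall back.
    return {
      flow: 'magic-link',
      message: userHasPasskeys
        ? 'This browser cannot use passkeys; we emailed you a sign-in link.'
        : 'We emailed you a sign-in link.',
    };
  }
  if (!userHasPasskeys) {
    // Nothing enrolled yet: sign in another way, and offer enrollment only
    // where a platform authenticator (Touch ID, Windows Hello, ...) exists.
    return { flow: 'magic-link', offerEnrollment: caps.platformAuthenticator };
  }
  if (caps.conditionalUI) {
    // Browser autofill UI: navigator.credentials.get({ mediation: 'conditional', ... })
    return { flow: 'passkey-autofill' };
  }
  // Modal prompt. Even without a local platform authenticator, the browser's
  // hybrid (QR-code) transport lets the passkey on the user's other device
  // answer, so tell the user that is what is happening.
  return {
    flow: 'passkey-modal',
    message: 'Use the passkey you created on another device, or get a sign-in link.',
  };
}

// Map the error from navigator.credentials.get() to a next step.
function fallbackAfterError(err) {
  // Browsers raise NotAllowedError both when the user cancels and when no
  // matching credential exists on this device: never show a bare failure.
  if (err && err.name === 'NotAllowedError') return 'offer-cross-device-or-magic-link';
  // SecurityError means the RP ID does not match the page origin: a
  // deployment bug on your side, not something the user can fix.
  if (err && err.name === 'SecurityError') return 'rp-id-mismatch';
  return 'generic-error';
}

module.exports = { probeCapabilities, chooseLoginFlow, fallbackAfterError };
```

The key point is that "no passkey on this device" is an expected state, not an error: the server knows a passkey exists, so the page should name that fact and route the user to the cross-device flow or to another passwordless method rather than failing silently.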

2. Retaining Control of Recovery Flows

When a user loses their device or access to their passkey, the recovery process should be intuitive and secure. However, companies run into two issues when working out passkey recovery:

  • Default passkey flows offload recovery to platforms like Apple, Google, and Microsoft. But this means that if a bad actor gains access to a user's platform account (the one that syncs their passkeys), they also gain access to every third-party account secured by those passkeys. Even with biometric unlock, many companies aren't comfortable with this.
  • Falling back to other passwordless methods for recovery is a better option, but it can be challenging to implement. Because of this, many products default to weak security questions, secondary email addresses, or password reset flows, which undo the security benefits of passkeys. These methods are also a pain for users to set up during onboarding.

As an authentication service, Passage lets businesses bootstrap account recovery in a way that fits their product while maintaining strong passwordless security. Companies can choose a recovery flow such as magic links, TOTP, or passkey re-enrollment, without building or operating any additional infrastructure.

By letting businesses tailor their recovery mechanisms to their preferred UX and security standards, Passage enables recovery without long build cycles and lessens the burden account recovery places on customer support teams.

3. Keeping Pace with Platform Updates on Passkey Support

The digital landscape is constantly evolving, with new platforms, devices, compliance requirements, and security standards rolling out all the time. Maintaining passkey compatibility across all these changes can be a formidable challenge. When we asked a large payment platform about their biggest struggle with passkeys, they replied that Chrome updates kept breaking their implementation, leaving them scrambling to rebuild.

If your team doesn't have the resources to find and fix bugs and keep up with new platform requirements in-house, offloading to a service that focuses solely on authentication can be a wise business decision. Passage takes on the burden of maintenance, and as a FIDO Alliance board member alongside Google, Apple, and Microsoft, we learn of platform updates early and build for forward and backward compatibility.

In conclusion, passkeys will play a pivotal role in securing our digital identities, especially in a world where AI-assisted password-cracking tools can guess more than 50% of passwords. But implementing this new technology is not easy. Passage addresses these challenges and lets organizations future-proof their authentication with just a few lines of code. Want to learn more? Let's chat.