New Developer Tools Necessary to Boost Passkey Adoption

The passwordless technology known as passkeys remains esoteric, far from widespread adoption, and confusing to consumers. They are also inevitable.

Based on the WebAuthn standard created by the World Wide Web Consortium (W3C) and the FIDO Alliance, passkeys are a way of signing into services without passwords, using device-based authentication and public-key encryption instead. Many major websites and identity ecosystems have embraced the technology, including Apple, Google, and Microsoft, which support passkeys in some of their services. Google also released its Credential Manager for Android in November to support passkeys across different identity ecosystems, such as 1Password and Enpass. And technology companies and tools vendors are rolling out developer services and toolkits designed to help developers implement passkeys in their websites and Web applications.

To really change the landscape, however, smaller sites — and their developers — have to adopt passkeys as well, says Anna Pobletts, head of passwordless technology at 1Password.

"For developers, in particular, they are so critical to making passkeys successful because they're the ones who are ultimately going to build the features into sites," she says. "And passkeys, they're just a lot more complicated [to implement] than passwords, so we have to give developers more help and more tools and more resources."

Stytch, an authentication infrastructure provider, recently rolled out tools that help developers add passwordless authentication to their applications — the idea being that the experience should be similar to how Stripe made it easier to add payment processing to applications. Identity providers such as Bitwarden and 1Password also have tools that interface with different passkey ecosystems, including their own. And major platforms, such as Google, offer guidance to developers about how to implement passkeys.

More Security, But Hard to Implement

Passkeys use public key cryptography to exchange and validate a secret through a mechanism defined by the WebAuthn standard, relying on a device's own security capabilities — or those of a hardware key — to authenticate the user and pass that information to the website. Any device that uses Apple's iCloud Keychain, for example, could be logged into using the same set of passkeys, and any device that has 1Password's password-vault application installed could be accessed using passkeys saved to that ecosystem across platforms.

When a passkey is generated, the user's device stores a private key and sends a public key to the website, which saves the key during registration. When a user wants to access the website, the site passes a long random string to the user, whose device — after authenticating the user — encrypts the string with their private key. The encrypted information is sent to the website, which then decrypts the string with the public key, authenticating the user.

Making all of this not only easy for people to use but for developers to implement is critical, says Reed McGinley-Stempel, CEO and co-founder of Stytch.

"One of the big things is passkey configuration. How do you make that dead simple for developers so they don't need to become one of the experts?" McGinley-Stempel says. "There's much more to think about when you go from passwords to passkeys, especially how you handle post-authentication UI for managing passkeys."

Another developer challenge: allowing secure mechanisms to recover access to a website if a device is lost.

Soon Supported Everywhere?

Despite the challenges, developers are very interested in adopting passkeys for their websites and cloud applications. Overall, 83% of developers are currently working on implementing passkeys for a customer and 68% have personally used passkeys for work, according to Bitwarden's "Developers Survey 2024." That's understandable, considering that the number of successful logins goes up and the number of password resets goes down when using passkeys.

If tools can make implementing passkeys simpler, then developers and website owners can benefit from the easier security mechanism, says Gary Orenstein, chief customer officer at Bitwarden.

"If they can have a higher successful login rate, great, more time in the app. If they can reduce password resets, great, more time in the app," he says. "A lot of the problems that developers have had to deal with as an industry in the past with traditional login-password mechanisms are getting streamlined to where that becomes just just less problematic than it may have been in the past."

With developer services and toolkits rolling out and a maturing infrastructure, passkeys will be available on more sites and applications in the coming months. It is hard to figure out the exact number of websites and applications that currently support passkeys. Passkeys.io lists 18 major sites that support passkeys, including well-recognized brands, such as WhatsApp and Amazon; 1Password's Passkeys.directory lists 92 sites, including BestBuy, DocuSign, eBay, Okta, and Uber.

"When each one of those big announcements comes out ... we get a spike in interest from developers and customers," Stytch's McGinley-Stempel says. "It's kind of this compounding effect. ... It's hit the inflection point, which WebAuthn itself never hit, because you solved these technical issues [and it's being adopted by] these big, well-respected consumer experiences."