Amazon Quietly Wades Into the Passkey Waters

Amazon has silently rolled out passkeys for shoppers and streamers, following other tech giants like Google and Microsoft into the next-gen cloud authentication fray.

The concept of passkeys is familiar to most users, thanks to FaceID and TouchID for Apple devices, digital fingerprint scanners on laptops, screen-lock PINs, and other forms of passwordless unlocking mechanisms for hardware devices. In recent months, that same concept has made its way to cloud services, websites, and apps, with everyone from Uber to OnlyFans allowing users to sign into their cloud-based accounts using the same device-based technology. Enterprises are also eyeing passkeys for internal use.

Corbado co-founder Vincent Delitz first noticed and publicized the addition for Amazon users, noting that, "given Amazon's vast user base, this rollout is set to familiarize a large segment of non-tech-savvy users with the benefits of passkeys. The ease of use might convince these users to demand passkeys from other online platforms as well."

However, he did flag a few glitches with Amazon's passkey implementation, including the odd choice not to include passkey support for Amazon native mobile apps (that goes for the e-commerce app as well as Prime Video); the need to configure separate passkeys for each country or top-level domain; not including passkey autofill; device management challenges; and other quibbles. Amazon did not immediately return a request for comment from Dark Reading on the matter.

Still, the rollout — along with Google's announcement last week that it will make passkeys its default sign-in mechanism — greatly amplifies the drumbeat, for once and for all, to move beyond passwords and even basic forms of two-factor authentication, such as SMS-based, one-time codes. Eduardo Azanza, CEO at Veridas, sees nothing but security upside in the development.

"Biometrics are tied to a user's physical characteristics and therefore cannot be compromised as easily by cybercriminals. And, security teams are able to quickly detect instances of fraud, identity theft and spoofing," he said in emailed comments. "The roll-out of passkeys by Amazon is a strong message that the big tech firms know that it is time to end the password."

He added, "[We are] shifting the paradigm away from the presumption of 'what we know' or 'what we have,' which is how passwords have worked so far, to 'who we are': people with unique qualities that cannot be duplicated."