Say goodbye to passwords: The rise of Passkeys

Today, we are publishing part one in a four-part blog series on the state of passwordless authentication in the year 2023. This first blog will focus on the newest kid on the block which is, of course, Passkeys. Following Google’s announcement around Passkey support for their consumer accounts (Passkeys: What they are and how to use them), it seems like the wait for widespread adoption opportunities of the long-anticipated extension to WebAuthn is finally over. 

What are Passkeys?   

Passkeys are an extension to the WebAuthn standard, which takes the same great user experience of being able to use device-based biometrics to authenticate to web applications and makes this capability portable across multiple devices. At OneLogin, we have supported WebAuthn as an authentication factor on our platform since 2019. The convenience of using this factor to authenticate to access-protected resources is unmatched by any other solution out there. However, the complaint from adopters, up to now, was always the same: “I can only use this factor on the device where the credential was registered. What happens when I also need to use another device without a biometrics capability?” That’s where passkeys come in.  

Passkeys can be used anywhere by syncing an encrypted version of the Passkey across all of your devices on a single platform (e.g., Apple) and for any devices you need to use that are either not part of that platform or where Passkeys are not yet available, you can use a Passkey stored on your phone to authenticate to the particular service by simply scanning a QR code and performing touch ID/face ID to trigger the sharing of the Passkey to the other device (this happens over Bluetooth, which brings in another security control – proximity).  

For full details on what Passkeys are and how they work, please see the excellent information available from the FIDO Alliance organization.  

OneLogin Passkeys support 

We are pleased to announce that OneLogin customers can now leverage Passkeys to authenticate to protected resources via our existing WebAuthn authentication factor. Passkeys can now be used to authenticate to access-protected resources as a second factor in a traditional sign in flow, the first factor in a brute force protection flow or as the only factor in a passwordless flow. The registration of the Passkey must take place on a supported operating system. To use the Passkey to authenticate to OneLogin, a supported browser must be used. For a full matrix of supported devices, visit the site.   

Passkeys are not a perfect solution for every environment (if ever such a thing existed!) as there are many cases where they probably will never be leveraged (i.e., devices with Bluetooth disabled/blocked, legacy operating systems, virtual desktop environments, environments where mobile phones are not permitted, etc.), but we think this capability will eventually be a significant game changer in the drive to increase adoption of passwordless authentication solutions, particularly in the Customer and Identity Access Management (CIAM)/consumer space.  

Stay tuned for some new KB articles in our knowledge base on how to set up and use Passkeys with OneLogin. 

Benefit now from Google Passkeys with OneLogin Trusted IdP  

As mentioned at the beginning of this blog, the announcement from Google on the launch of their Passkeys capability is also significant for application owners who allow social sign up and sign in to their applications using Google as an identity provider. Applications using OneLogin for their CIAM solution can now also benefit from the rollout of Passkeys to Google accounts, courtesy of our Trusted IdP capability. The rollout of Passkeys to Google consumer accounts now makes it even easier for new users to sign up and sign in to any CIAM applications using OneLogin, as our existing Social Sign-in integration to Google via our Trusted IdP capability fully supports the use of Google Passkeys. 

Below is an example of how the user experience looks for a new user signing up for a CIAM application using their Google account and a Passkey via the OneLogin Trusted IdP capability.  

In this second example, we show the experience of a user using their existing Passkey with Google and then registering a second Passkey with OneLogin in a fully passwordless authentication flow. 

Why not try out the OneLogin Trusted IdP integration to Google with Google Passkeys for yourself? Please visit our new CIAM Demo application (Change the App Configuration to the “Gaming” App Theme in the bottom left corner and select “Sign In” and the “Sign Up with Google” option will be visible.)  

Migrate your users to Passkeys with OneLogin 

Customers already using the OneLogin Platform for their CIAM solution can enable Passkeys into their existing service without changing a single line of code in your application (assuming the integration for Auth is via OIDC/SAML flows and not API-based).  

Existing users who currently use a password to authenticate to your service can be presented with an optional Passkey registration prompt, which can be accepted by the user or simply rejected if they prefer to continue to use their password. If a user accepts the Passkey registration offer, they will be guided through the process to register a Passkey on the device they are using or can chose to store the Passkey for your service on their mobile device. Once the user has registered a Passkey against their account in the OneLogin environment supporting your application, you can then look to our Smart Hooks capability (Pre Auth Hook) to dynamically switch the user to a passwordless user policy in OneLogin the next time they try to log in to your service. This is achieved by implementing some simple logic in your Smart Hook, which will leverage the contextual information that is available to the service (e.g., Multi-Factor Authentication (MFA) devices registered to the user) and, based on this, switch the user into the relevant user security policy in OneLogin, which requires the WebAuthn/Passkeys authentication factor with a passwordless sign in flow. 

For new users registering to your application for the first time, you can allow them to create an account with a password and give them the option to migrate to Passkeys, just like above. Alternatively, you could allow new users to register as passwordless from the start. Currently, we support the ability to pre-register an MFA factor for a new user with either SMS OTP (One Time Password) or email OTP/magic link. So, new users can be created as passwordless users in your service with either of these two available factors. These users can then be prompted to register a Passkey to their account via an application security policy that can be assigned to the CIAM application. Once the Passkey factor has been registered to the user, our Smart Hooks capability can leverage this information from the available hook context so that the next time the user tries to sign in, they will be directed to a passwordless user security policy that requires Passkeys rather than SMS OTP or email. 

In all cases above, you can phase the rollout of Passkeys’ passwordless capability using policies scoped on groups of users, or if you prefer, you can opt for a “big bang” approach and enable the option for all users. 

Don’t miss the next part of this blog series where we will discuss all the passwordless options currently available natively in the OneLogin platform and identify the best fit for a new CIAM application deployment. 

About the Author

Marc Maguire

Marc has over 15 years experience working in technology with a particular focus on the banking sector. Marc works as a Solution Architect in our EMEA pre-sales team and focuses on delivering solutions for complex customer requirements using existing and new capabilities from the OneLogin Platform.