Adding passkeys to your apps with Okta CIC powered by Auth0

Passkeys are a replacement for passwords, and they are now supported on most platforms and operating systems. They’re also a feature of Okta Customer Identity Cloud powered by Auth0, which means your users can enjoy the convenience and security passkeys provide.

In this article, you’ll learn:

  • Why passwords are no longer adequate
  • How passkeys improve on passwords
  • What the passkey user experience is like
  • How passkeys work

Passwords: A 1960s solution to a 1960s problem

An IBM 7094 mainframe, the home of the original username/password system.
(Creative Commons photo by Arnold Reinhold)

In 1961, MIT computer scientist Dr. Fernando Corbató changed the way computers worked by developing an operating system that supported several simultaneous users. For it to work, each user had to be given their own disk space, so he assigned each user an account that they would access using a unique name and secret — a password.

Corbató probably never thought that his username/password system would be used daily by billions of people on a global scale. “Unfortunately, it's become kind of a nightmare with the World Wide Web,” he said in a 2014 Wall Street Journal interview. “I don't think anybody can possibly remember all the passwords that are issued or set up.”

Today, the average person has 70 to 80 passwords, which is well beyond most people’s ability to memorize. It’s no surprise that people use simple passwords, reuse them, and write them down in easy-to-find places. Even Corbató has admitted that he managed his passwords in an incredibly insecure way: “I have to confess, I used to use a crib sheet.”

Present-day password problems

Even if everyone came up with unique, strong passwords for each of their accounts and were able to memorize them, there would be other ways to steal them: 

  • Social engineering attacks, such as some types of phishing, where someone pretending to be a trusted person like a boss, friend, or family member tries to get you to hand over your personal information voluntarily. They often lead their victims to lookalike sites that appear genuine but exist only to trick users into entering their login credentials.
  • Various forms of “eavesdropping” would still work: a password sent over an insecure connection can be intercepted, “shoulder surfing” remains a favorite method, keylogging malware records what you type, and even literal “listening in” can work, since there is now an AI that can determine what you’re typing from the sound of your keyboard with astonishing accuracy.
  • Malicious parties who breach the server would gain a list of every user’s password if the server was poorly designed, or hashed (and ideally salted) versions of the passwords if the server’s developers followed best practices. While difficult, it is possible to deduce a password from its hash.

Passkeys: A 21st century solution to a 21st century problem

To overcome the limitations of passwords, technology companies such as Apple, Google, and Microsoft have built on standards developed by the World Wide Web Consortium (W3C) and FIDO Alliance to create a new way to log in: passkeys. They are a replacement for the six-decade-old username/password combination.

Passkeys are based on FIDO2, a standard created by the FIDO Alliance, an open industry association whose goal is to “help reduce the world’s over-reliance on passwords.” FIDO2 is a secure, phishing-resistant, passwordless authentication protocol built on the following:

  • WebAuthn, the new global standard for web authentication. It’s a browser-based API that simplifies and secures user login by using public-key cryptography to enable registered devices such as phones, tablets, and laptops to be used as authentication factors. 
  • CTAP2, the second version of the Client to Authenticator Protocol, which describes how an application and operating system communicate with an authentication device via USB, NFC, or BLE.

We are building on the FIDO2 standard and Okta is actively contributing to its future development and improvement.

Technically speaking, passkeys are FIDO2 credentials that are discoverable by browsers or housed within native applications for passwordless authentication. They replace passwords with cryptographic key pairs, which makes them significantly more resistant to attacks like phishing.

Using a passkey is as easy as unlocking your phone or computer. As discoverable credentials, passkeys simplify login by making it possible for the website or application to get your username or email address and autofill that field when logging in.

There are two types of passkeys: synced and device-bound.

  • Synced passkeys can be synced across user devices to be used and restored from a keychain cloud-based service — a sync fabric — like Apple’s iCloud and Google Password Manager. A passkey for a website or application is available on all of a user’s devices that use the same sync provider. They’re meant primarily for “consumer” use and will be the focus of this article.
  • Device-bound passkeys are stored securely on a single hardware device, like a security key or your laptop. This restriction suits websites or applications that require a higher level of security assurance, such as financial enterprise environments.

They’re an authentication method for an era where about 85% of the world’s population has a smartphone, the internet is everywhere, and people log into dozens, if not hundreds, of accounts daily. They solve the biggest security and usability problems that come with usernames and passwords, and we believe that they’re the future of login.

The Customer Identity Cloud passkey user experience

When logging into a passkey-enabled website or application secured using Customer Identity Cloud, users will see passkey as an authentication method in our Universal Login box:

Users with passkeys can choose to log in either via the Continue with a passkey button at the bottom of the screen or by clicking on the Email address text field, which reveals this autofill menu:

The Sign up link still leads to a screen for signing up for a new account, but users can now create a new account that uses passkeys and skip the process of creating a password.

Users who signed up with an email address and password credentials can still log in using those credentials and choose to add a passkey to their account later. This way, they have the flexibility to migrate to passkeys at their own convenience.

The desktop/laptop experience

Let’s take a look at what the passkey login experience looks like on a computer. In this case, we’ll look at the experience of a user running Chrome on a MacBook with a fingerprint reader.

The user either selects their passkey-enabled account from the Email address field’s autofill menu, as shown below…

…or they click the Continue with a passkey button, which takes them to this screen:

The user selects the identity that they want to use, after which they’ll see this:

The user scans their fingerprint, the computer checks their identity, and when confirmed, the user is logged in. No password had to be memorized, no typing had to be done, and for reasons we’ll explain shortly, the login process was even more secure than when done with an email and password.

If the computer doesn’t have a fingerprint scanner, that’s okay. Passkeys are unlocked the same way you unlock your device, which means you can use a biometric, a device PIN, or a pattern.

Using a USB security key

Another option for logging in with passkeys on a computer is to use a USB security key, such as a YubiKey. These are USB, NFC, and BLE devices that hold authentication keys and work hand-in-hand with authentication systems like passkeys.

When logging in with passkeys and a USB security key, the user can click on the Email address text field and select the Use a Passkey on a Different Device option…

…or they can click the Continue with a passkey button, which takes them to this screen, where they click the Use a different device button:

Either option leads to this screen:

If the user chooses the USB security key option, they’ll see this pop-up on their computer:

The user would then insert the USB security key and touch it, authorizing the use of the user’s passkey stored on the key. Once the user’s identity is confirmed, the user is logged in. The combination of a secure storage device and biometrics makes this passkey method suitable for work that needs an extra level of security.

The mobile experience

In this example, we'll show the passkey experience for an iPhone user. Like our example above, it starts with the Universal Login:

The user either taps the E-mail address text field or presses the Continue with a passkey button to select an identity. After that, they see this pop-up:

The user presses the Continue button and presents their face to the front-facing camera, just as they do when unlocking their phone. Once the user’s identity is confirmed, they are logged in!

In the example above, the user used facial recognition to use their passkey. If the phone had a fingerprint sensor, they could have used that instead. 

A quick note about signing in with biometrics

In the examples above, the user used facial and fingerprint recognition as part of logging in with a passkey. We’ve heard some concerns about biometric information being sent to a server. This is not the case; your biometric information never leaves your device.

The step in passkey-based login where the user identifies themselves is the exact same step used when the user unlocks the device. This step isn’t limited to facial or fingerprint recognition, but any information that identifies the user to the device — it could also be the device’s password or PIN, a USB security key, or a password/identity management application.

Once the user has confirmed their identity with the device, the device sends the user’s passkey information — not their biometric information — to the authorization server.

The cross-device experience

Let’s consider a cross-device case:

  • Suppose you’re trying to log into a website on a Windows PC, which doesn’t have your passkey for the website.
  • You have your Android phone, which has the passkey for the website.

Since your Android phone has a passkey for the website, you can use it to log the Windows PC into the website, a process we call cross-device authentication.

You start with the Universal Login box on the Windows PC:

The next step is to start the passkey login process. One way to do this is to click on the Email address text field, which makes the autofill pop-up appear:

Click Use a passkey on a different device. You’ll be taken to the Use your passkey screen:

The other way to get to the Use your passkey screen shown above is by clicking the Continue with a passkey button at the bottom of the Universal Login box.

Click the Use a different phone or tablet option, which lets you log in using another device, which in this case will be the Android phone. This QR code screen will appear:

With your Android phone, you scan the QR code. Once it’s scanned, the phone gives you the option to open the QR code’s link:

To proceed, open the link. This screen will appear:

If the Remember this computer option is checked, the PC will be given its own passkey for the account on the website and you won’t need the phone to log in on the PC afterward.

Click the Allow button to continue logging in. This pop-up will appear on the Windows PC…

…and on the Android phone, you’ll be asked if you want to use the passkey on your phone to log in on the PC:

Press Continue to use the passkey. You’ll be prompted to confirm your identity by using the same method you use to unlock your phone. In the case of this phone, the options were to use the fingerprint scanner or press the Use PIN option to enter a PIN instead:

After scanning your fingerprint or entering your PIN, you will be logged in.

As a security measure, cross-device authentication requires Bluetooth to be enabled on both the computer and mobile device. This ensures the mobile device is near the computer, which makes phishing attacks nearly impossible. 

To gain access to your account through phishing, an attacker would need to:

  1. Follow the login steps above until presented with the QR code
  2. Photograph or screen-capture the QR code
  3. Send it to you via email, text, or other method used in phishing and convince you to scan the QR code

…and they would have to do so before the login process times out. This approach reduces the phishing attack surface from “anywhere in the world” (since passwords can be used anywhere) to the few square meters around your computer.

How passkeys work

While it’s relatively easy to deduce how the username/password system works, the mechanism underlying the passkey system isn’t as obvious. We’ll try to explain it in this section, which will also explain passkeys’ advantages over passwords. 

A passkey is actually two keys

When we use the term “passkey,” we’re actually talking about a credential that contains two keys called a cryptographic key pair:

  • One key is the public key, which you can distribute freely, post online, or even display on a billboard in the busiest city in the world. 
  • The other key is the private key, which you keep secret and share with no one.

You create both keys simultaneously, and they’re a matching pair. A public key will work only with the private key it was generated with and vice versa.

As you may have already guessed, the public and private keys aren’t physical keys, but digital ones. They’re long sets of numbers often represented as strings of characters. They’re mathematically combined with messages — which are also just long sets of numbers — that you want to send securely.

If you still find the concept of public keys and private keys confusing, we have an article that explains them using an easy-to-follow analogy!

Logging in with a passkey

As we said earlier, a passkey contains a public key and a matching private key. Here’s where those keys are used:

  • Like a password, the private key is meant to be a secret. It’s also generated so that it is long and nearly impossible to guess. You don’t (and probably can’t) memorize it. Instead, you store it on a device you own and trust, such as your computer, phone, tablet, or security key.
  • A copy of the public key corresponding to your private key is stored on the authorization server, also known as the relying party or RP for short — the server that presents you with the login box and logs you into your website or application. For users logging in via Okta’s Customer Identity Cloud, we are the RP.

A passkey also contains information about… 

  • The relying party (the server) — either an ID or its domain. The user’s device’s operating system uses this information to interact only with the RP it was enrolled for, making it resistant to phishing.
  • The user, so that the user doesn’t have to provide a username or email address — they can simply select one from the Email address text field’s autofill menu or click the Continue with a passkey button. We say that a passkey is discoverable because it includes this information.

Here’s how logging in works with a passkey:

  1. When the user initiates the login process, the website or application sends a request to the authorization server (a.k.a. relying party or RP).
  2. The RP responds with a challenge — a message that must be answered and signed.
  3. The website or application receives the challenge, and the user is prompted to verify themselves on their device.
  4. The user chooses a method to verify themselves on their device. This could be via biometrics, a password or PIN — whatever they would use to sign into the device.
  5. Now that the device has confirmed the user’s identity, it uses the private key to sign the challenge and sends it back to the RP.
  6. The RP receives the signed challenge and validates it using the public key. 
  7. If the signed challenge is valid, the user is logged in if there are no additional factors in the login flow (such as an authenticator app or a required response to an SMS message).

Advantages of passkeys

Passkeys provide many advantages over traditional username/password authentication, including:

  • Speed and simplicity. Logging in with passkeys, especially when using biometrics, is much faster. We’ve seen scenarios where users authenticate twice as quickly with passkeys, and four times as fast once they don’t have to enter either an identifier or a passkey. Enrollment speed also increased by 44% — nearly twice as fast.
  • Strong credentials. Since passkey credentials are cryptographic keys, they are always strong, never reused, and impossible to guess. 
  • Phishing resistance. Passkeys only work with the RP that created them. This means that users can’t be tricked into using a fake lookalike version and submitting sensitive information.
  • Safer from data breaches. With a passkey system, authentication servers store only public data. Unlike the hashed passwords obtained from a breached username/password system, a collection of users’ public data from a system that supports passkeys is useless to hackers.

Enabling passkeys in Customer Identity Cloud

Passkeys are available as a feature on all Customer Identity Cloud plans — even the free ones! This means that if you want to familiarize yourself with passkeys and their user experience, you can set up a free tenant and add passkey-enabled authentication to your applications at no cost.

Try passkeys now and see how you can give your users a more convenient, more secure login experience! 

Our passkeys documentation