Unlocking the full potential of passkeys
Are you hearing the hype about passkeys? It’s definitely a trending topic.
Will they release us from the password purgatory we live in?
First, let me say: I love that companies are replacing passwords with more modern technologies. Passkeys are a great alternative.
But most people are thinking of the ideal scenario with passkeys: The legitimate user logs in from the same device they always use, and everything is smooth and seems very secure.
In fraud, even if the ideal scenario happens 99% of the time, that 1% can hurt a lot.
So you have to have a plan to mitigate the 1% issues.
And there’s one thing in particular that’s challenging with passkeys right now:
Account recovery. How do you recover your identity if you lose your device? Or you forget your phone?
Most passkey implementations I’ve seen so far default back to a password or pass phrase for account recovery.
If your account recovery method is a password, at the end of the day you haven't done much to improve security: the password still exists, the user still has to keep it somewhere, and recovery becomes the obvious route for anyone who can't use the passkey. You improved UX a lot, because people won't need to type a password every time. But they'll still need to have a password.
Just to be clear, this issue isn’t a showstopper for passkeys. It’s something that needs to be accounted for.
And it can be accounted for. For example, location can really help in this situation.
Incognia’s research has found that 85% of the first legitimate logins to a new device occur from a trusted location (a location they visit frequently, like their home or workplace).
If they're setting up a new device, or recovering their account on one, and they're at a trusted location, that's a strong signal you can rely on in place of a password. The remaining logins from unfamiliar locations still need another path, but the password is gone from the common case.
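As an added example (this is not code from the article and not Incognia's product; it only sketches the idea above), here is one way a recovery service could turn the trusted-location signal into a decision. It assumes the service already holds a per-user history of location fixes from earlier sessions, defines a "trusted location" as a spot the user was seen at on at least three distinct days within 250 metres (both thresholds are assumptions, not figures from the article), and is asked to decide whether a passkey re-enrollment on a new device can proceed without a password. The sample coordinates are constructed. It also handles the edge case the article implies but does not spell out: a user with no location history has no trusted locations, so the service must fall back to some other factor.

```python
"""Location-gated passkey recovery decision (illustrative, not Incognia's code).

Assumptions (not from the article):
- history: list of Fix(lat, lon, seen_at) collected from the user's prior sessions
- a trusted location = a cluster of fixes within TRUST_RADIUS_M metres seen on
  at least MIN_DISTINCT_DAYS distinct days
- the recovery attempt supplies the new device's current coordinates
"""
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import datetime, timedelta

TRUST_RADIUS_M = 250.0      # assumed cluster radius
MIN_DISTINCT_DAYS = 3       # assumed "visits frequently" threshold


@dataclass(frozen=True)
class Fix:
    lat: float
    lon: float
    seen_at: datetime


@dataclass(frozen=True)
class Decision:
    action: str             # "allow_passkey_reenroll" | "step_up" | "no_history"
    nearest_trusted_m: float | None  # distance to the closest trusted location, if any


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def trusted_locations(history: list[Fix]) -> list[tuple[float, float]]:
    """Greedy clustering: each fix joins the first cluster within TRUST_RADIUS_M
    of its centre; clusters seen on enough distinct days become trusted."""
    clusters: list[dict] = []
    for f in history:
        for c in clusters:
            if haversine_m(f.lat, f.lon, c["lat"], c["lon"]) <= TRUST_RADIUS_M:
                c["days"].add(f.seen_at.date())
                break
        else:
            clusters.append({"lat": f.lat, "lon": f.lon, "days": {f.seen_at.date()}})
    return [(c["lat"], c["lon"]) for c in clusters if len(c["days"]) >= MIN_DISTINCT_DAYS]


def recovery_decision(history: list[Fix], lat: float, lon: float) -> Decision:
    """Decide whether a new-device passkey enrollment may skip the password."""
    if not history:
        # New or never-located user: no basis for a location judgement at all.
        return Decision("no_history", None)
    trusted = trusted_locations(history)
    if not trusted:
        return Decision("step_up", None)
    nearest = min(haversine_m(lat, lon, tlat, tlon) for tlat, tlon in trusted)
    if nearest <= TRUST_RADIUS_M:
        return Decision("allow_passkey_reenroll", nearest)
    return Decision("step_up", nearest)


def sample_history() -> list[Fix]:
    """Constructed data: 'home' seen 5 days, 'office' 3 days, a cafe once."""
    day0 = datetime(2024, 3, 1, 8, 0)
    home = [Fix(40.7128, -74.0060, day0 + timedelta(days=i)) for i in range(5)]
    office = [Fix(40.7484, -73.9857, day0 + timedelta(days=i, hours=3)) for i in range(3)]
    cafe = [Fix(40.7306, -73.9866, day0 + timedelta(days=2, hours=5))]
    return home + office + cafe


if __name__ == "__main__":
    hist = sample_history()
    print(trusted_locations(hist))
    print(recovery_decision(hist, 40.7130, -74.0058))   # at home
    print(recovery_decision(hist, 40.8000, -73.9500))   # unfamiliar place
    print(recovery_decision([], 40.7130, -74.0058))     # no history
```

The clustering is deliberately simple (first-match greedy), which is enough to show the shape of the decision; a production system would use the signals the article leaves out of scope, and the 15% of legitimate recoveries that happen away from any trusted location still need a step-up path rather than a hard deny.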
Passkeys are a great alternative to passwords, but you need to make sure you’re designing for their limitations as well. Do that, and you get the best of both worlds: higher security with lower friction.
Operator across pre-sales & post sales functions for early stage B2B SaaS
1 year ago: This is a great summary. Additionally, location can be a high entropy data point for device registration when setting up the passkey at a new account opening, or onboarding an existing user to the digital channel. It is a similar risk to account recovery and re-registration to a new device but without the prior established location history at the user level.
content marketing | fraud prevention | SaaS | sometimes funny | Jesus follower
1 year ago: These are important details for authentication teams to think through related to passkeys.