Unlocking the full potential of passkeys

Are you hearing the hype about passkeys? It’s definitely a trending topic.

Will they release us from the password purgatory we live in?

First, let me say: I love that companies are replacing passwords with more modern technologies. Passkeys are a great alternative.

But most people are thinking of the ideal scenario with passkeys: The legitimate user logs in from the same device they always use, and everything is smooth and seems very secure.

In fraud, even if the ideal scenario happens 99% of the time, that 1% can hurt a lot.

So you have to have a plan to mitigate the 1% issues.

And there’s one thing in particular that’s challenging with passkeys right now:

Account recovery. How do you recover your identity if you lose your device? Or you forget your phone?

Most passkey implementations I’ve seen so far default back to a password or passphrase for account recovery.

If your account recovery method is a password, at the end of the day you haven’t done much to improve security. You improved UX a lot, because people won't need to use a password all the time. But they’ll still need to have a password.

Just to be clear, this issue isn’t a showstopper for passkeys. It’s something that needs to be accounted for.

And it can be accounted for. For example, location can really help in this situation.

Incognia’s research has found that 85% of the first legitimate logins to a new device occur from a trusted location (a location the user visits frequently, like their home or workplace).

If a user is setting up a new device or recovering their account on a new device and they’re at a trusted location, that’s a strong signal you can rely on in place of a password.
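One way to turn the trusted-location signal into a recovery decision, shown as an added example that is not Incognia's code or API. The radius, the distinct-day threshold, the `step_up` outcome name and the sample coordinates are all assumptions made for illustration.

```python
import math

# Assumed policy parameters (not from the article); tune them on your own data.
TRUSTED_RADIUS_M = 150   # how close two sightings must be to count as one place
MIN_DISTINCT_DAYS = 5    # a place seen on this many distinct days is "trusted"

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(h))

def trusted_locations(history):
    """Group (day, lat, lon) sightings by place; keep places seen on enough days."""
    clusters = []  # each cluster: {"center": (lat, lon), "days": set of days}
    for day, lat, lon in history:
        for c in clusters:
            if haversine_m(c["center"], (lat, lon)) <= TRUSTED_RADIUS_M:
                c["days"].add(day)
                break
        else:
            clusters.append({"center": (lat, lon), "days": {day}})
    return [c["center"] for c in clusters if len(c["days"]) >= MIN_DISTINCT_DAYS]

def recovery_decision(history, attempt_location):
    """Decide how a passkey recovery or new-device enrolment request proceeds."""
    if attempt_location is None:
        return "step_up"   # missing signal is never treated as trust
    trusted = trusted_locations(history)
    if not trusted:
        return "step_up"   # no established location history for this user
    if any(haversine_m(t, attempt_location) <= TRUSTED_RADIUS_M for t in trusted):
        return "enroll_new_passkey"
    return "step_up"       # legitimate users away from trusted places land here too

# Constructed sample data: "home" seen on 6 days, a cafe seen on only 2 days.
HOME = (37.7749, -122.4194)
CAFE = (37.7800, -122.4100)
ELSEWHERE = (40.7128, -74.0060)
HISTORY = [(d, *HOME) for d in range(1, 7)] + [(d, *CAFE) for d in (2, 4)]
```

The `step_up` branch stands for whatever stronger verification the platform already has; it has to exist because some legitimate recoveries will not come from a trusted location.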

Passkeys are a great alternative to passwords, but you need to make sure you’re designing for their limitations as well. Do that, and you get the best of both worlds: higher security with lower friction.


Zuul Quarnain Yakub

Operator across pre-sales & post sales functions for early stage B2B SaaS

1 year

This is a great summary. Additionally, location can be a high entropy data point for device registration when setting up the passkey at a new account opening, or onboarding an existing user to the digital channel. It is a similar risk to account recovery and re-registration to a new device but without the prior established location history at the user level.

David Nesbitt

content marketing | fraud prevention | SaaS | sometimes funny | Jesus follower

1 year

These are important details for authentication teams to think through related to passkeys
