Spotlight on: Passkeys
May 15, 2023
If you’ve ever dreamed of creating a more secure and phishing-resistant sign-in experience, we have good news.
“There is a high chance that in a few years, Apple’s release of passkeys as part of iOS 16 will be remembered as the beginning of a revolutionary change in how companies implement sign-in for their products,” wrote Matthias Keller, Kayak chief scientist and SVP of technology, in a 2022 op-ed piece on the subject.
Passkeys offer a faster, easier, and more secure sign-in experience for your apps and websites. They’re strong, resistant to phishing, and designed to work across Apple devices, as well as nearby non-Apple devices. And because they’re integrated with Touch ID and Face ID, people can use passkeys like they would any other sign-in system or routine.
A passkey is a cryptographic key pair used in place of a password: one key is public, the other private. The public key is registered with the app or website and kept on its web server, while the private key stays on the user’s devices. When someone attempts to sign in, the app or website creates a challenge. The device signs that challenge with the private key, and the server uses the public key to verify the resulting signature, a check that reveals nothing about the private key itself.
While there’s a lot going on behind the scenes, most people won’t know — or need to think about — any of it. With passkeys, there’s nothing to create, guard, or remember. Plus, the private key is stored in iCloud Keychain and is end-to-end encrypted for another layer of security.
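The register-then-challenge flow described above, as an added example in Go (not Apple’s, Kayak’s or any project’s code), reduced to the parts that matter: only the public key leaves the device, every sign-in gets a fresh challenge, and a passkey bound to one site refuses to sign for another. The type and function names and the `rpID||challenge` signing format are assumptions made here; real WebAuthn signs `authenticatorData || SHA-256(clientDataJSON)`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Passkey is the device-side half: the private key stays on the device (iCloud Keychain) and only signs.
type Passkey struct {
	rpID string // the site this passkey was created for
	priv *ecdsa.PrivateKey
}

// NewPasskey generates a P-256 key pair (ES256, the algorithm passkeys use).
func NewPasskey(rpID string) (*Passkey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Passkey{rpID: rpID, priv: priv}, nil
}

// PublicKey is the only part sent to the server at sign-up and stored there.
func (pk *Passkey) PublicKey() *ecdsa.PublicKey { return &pk.priv.PublicKey }

// NewChallenge is the server's fresh nonce for one sign-in, so a captured signature cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Sign refuses when the asking site is not the one the passkey is bound to (the origin binding behind
// "phishing-resistant"); otherwise it signs rpID||challenge (real WebAuthn signs authenticatorData || SHA-256(clientDataJSON)).
func (pk *Passkey) Sign(rpID string, challenge []byte) ([]byte, error) {
	if rpID != pk.rpID {
		return nil, fmt.Errorf("passkey bound to %q, refusing request from %q", pk.rpID, rpID)
	}
	digest := sha256.Sum256(append([]byte(rpID), challenge...))
	return ecdsa.SignASN1(rand.Reader, pk.priv, digest[:])
}

// VerifyAssertion is the server-side check with the stored public key; no secret is needed.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	digest := sha256.Sum256(append([]byte(rpID), challenge...))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```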
Kayak: “You just initiate the process”
Kayak’s Keller isn’t just a longtime digital security evangelist. He's also a dad — and that poses its own host of security challenges.
“Between activities and school, I’m constantly creating accounts and passwords, all of which have a variety of stipulations,” Keller says. “Some can’t be longer than 16 characters, some require special symbols, and others won’t even recognize an exclamation point. And I know from experience that companies face similar challenges when it comes to protecting passwords.”
Keller has been involved with Kayak’s various login approaches throughout his 10 years with the company. Prior to passkeys, the app relied largely on “magic links” sent via email. “But it was getting more and more complex to ensure the security of magic links, especially when supporting logins across devices,” Keller says.
When Keller first heard about passkeys, he knew they were right for Kayak. “The moment it clicked for me was when I saw the first prototype and how easy it was to use,” he says. Kayak was one of the very first to support passkeys, releasing its update at the same time as the feature’s public release in September 2022.
The Kayak team was able to adopt passkeys so quickly in part because of the underlying framework and documentation supporting the feature. “Working on the server is my day-to-day, but I’m not afraid of doing a little bit of Swift, too,” he says. “Luckily, integrating passkeys was light on the UI side. We only had to initiate the experience provided by Apple.”
Feedback was overwhelmingly positive. In the feature’s first three weeks of availability, thousands of people created passkeys on Kayak. Almost 20 percent of those were existing users who manually opted into the new technology.
“The world before passkeys was broken,” he says. “You have all these obscure password rules, as well as expiration and compliance issues — and it can be extremely expensive to offer authentication because you have to buy security products or hire someone to run it for you.” Keller’s work at Kayak is part of a larger drive to get more companies around the world to support this new open standard — one that protects its developers as much as its customers. “You no longer need to protect millions of passwords. Now we only store public keys, which are pretty useless to hackers.”
For Keller, passkeys are now a crucial part of Kayak’s security strategy. “We’ve got a long journey until the last password is gone, but it's exciting to see where we're headed,” he says.
Robinhood: “We’re talking about the emotional angle”
For investment app Robinhood, passkeys provide a key advantage over other secure sign-in options: speed.
“Robinhood is a product where you may want to sign in and complete a time-sensitive action,” says Hannarae Nam, the app’s product manager for account security. “Maybe the market’s opening and [you] want to make a trade immediately.” Typing a password or engaging in two-factor authentication can eat up precious seconds — and could cost you a deal or a valuable trade.
With passkeys, the app can provide a speedy login process that also offers maximum security. “It’s critical to understand that we’re not talking about just the ability to engage with Robinhood to invest and trade,” says Yong Rhee, the product lead for customer trust and safety. “We’re talking about the emotional angle of instantly accessing your account.”
Ensuring that customers aren’t locked out is “critical” to Robinhood, says Rhee. Passkeys are managed by the operating system and backed up, synced, and available across all of someone’s devices. There's no typing needed and nothing to remember. And people can easily get back into their accounts even if they lose their phone.
Robinhood’s security team pushed for passkeys early as a potential solution for their customers. “They’ve been a strong proponent of bringing up the vulnerabilities of passwords,” says Rhee. The team rolled out passkeys to a percentage of customers in December 2022, though they plan to keep maintaining their existing password and two-factor authentication system as passkey adoption continues. “I think when customers catch up to the technology, they’ll understand and feel more confident in account security,” says Rhee.
Instacart: “It seemed like a perfect match”
Instacart senior mobile engineer Josh Schroeder was on paternity leave when passkeys were introduced at WWDC22, but he made a note to dig into the idea upon his return. “Between the reduced friction and improved security, it seemed like a perfect match,” he says.
The Instacart team signed off on the idea quickly, encouraged by the opportunity to reduce sign-in friction. “That was the biggest selling point for me,” says Brandon Lawrence, Instacart’s senior software engineer. “Well, that and not having to remember another password.”
For Instacart, there was a second benefit as well: the opportunity to pare down duplicate accounts. “When they don’t remember their password, a lot of people just create another account,” says Schroeder. Passkeys avoid that unnecessary (and annoying) duplication. Because devices keep track of passkeys, there's nothing to remember.
The early implementation process made Lawrence — who spent part of his pre-tech career as a meteorologist in the Marines — feel like something of a passkeys pioneer. “For much of what we build, we can look at the many people who’ve done it before. This time there was a lot more exploration, a little more feeling like we were in uncharted territory. Once we got it into place, it was relatively smooth.”
Today, passkeys are presented as the default sign-in option when creating an Instacart account with an email address (although if someone declines, the app offers the option to create a traditional password). More than half of new Instacart customers who created accounts with an email address have adopted the feature, and plans are underway to gradually convert existing accounts as well. “We believe in passkeys,” says Schroeder, “and we think this will become really common.”