Passwordless account-creation with passkeys

“Passwords are bad” — They don’t offer enough protection from bad actors and we tend to forget them, putting ourselves at risk of losing access to our accounts. This is bad for users and websites that want to keep their customers logged in and engaged.

Dario Salice
Feb 7, 2023

Let’s get rid of passwords then. Passkeys to the rescue! Towards the end of 2022, Apple started to support passkeys — an extension of the existing FIDO/W3C standard, which allows websites & apps to perform passwordless authentication. Google & Microsoft are equally invested in this new standard and have committed to supporting passkeys in their operating systems and browsers in the near future.

Passkeys are real

In this post I want to talk about an example of a website that lets people create accounts using a passkey instead of asking them to come up with a new password. Carnival.com operates cruise lines across the world. I’m not affiliated with or sponsored by Carnival, I’m just using them as an example. Since I don’t have any background knowledge on how carnival.com manages their accounts, I’ll point out when I’m making assumptions.

Sign up with passkey

I’m using macOS 12.6.2 and Safari 16.2, and an iPhone running iOS 16.1.2.

When creating a new account on carnival.com, I get the option to “login with your phone’s FaceID or Fingerprint”. After having created an account, the iCloud Keychain (iPhone: Settings → Passwords → Carnival.com) shows that a passkey has been created.

The next time I go on my iPhone and open Safari, I’ll be able to use my email address and the fingerprint button on the login page to sign in without having to enter a password. In the case of this account on Carnival.com I don’t seem to have a password at all.

Perfect! Isn’t it?

The way it’s implemented is clean and makes it easy for people to create new accounts that don’t have a password — because they’re bad. If you’re planning to use this account in the Apple ecosystem, only use software that supports passkeys, and consistently use the same iCloud account, you’re going to enjoy this.

As passkeys are new — or not yet available — on most platforms, there are going to be some situations that will make it hard for you to use this passwordless account.

You want to use something other than Safari to create your account

If you use Chrome on Mac, you’ll be able to create a passkey, but since it won’t get synced to other devices, you won’t be able to use it on a different device. This puts you at risk of losing access to your account if you rely on the passkey to work everywhere.

I’m optimistic that Chrome on Mac will at some point be able to sync passkeys across multiple devices, either using Apple’s Keychain — as it currently does on iOS — or Google Sync. In the meantime, this experience is confusing and increases the risk of people having to go through account-recovery or getting locked out from their passwordless account.

This is not meant to discourage you — the Website operator — from implementing passkey support, but it’s a nudge to think about the limitations and set adequate expectations on who will be able to enjoy the new passwordless world.
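
One way a website operator can tell a synced passkey from one that lives on a single device, as an added example that is not part of the original post or of carnival.com's code: the WebAuthn authenticator data returned at registration carries Backup Eligibility (BE) and Backup State (BS) flag bits. The function names, the policy labels and the sample bytes below are assumptions made for illustration.

```javascript
// Added example: read the flags byte of WebAuthn authenticator data.
// Layout: rpIdHash[32] | flags[1] | signCount[4, big-endian] | optional data
const FLAG = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40, ED: 0x80 };

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    userPresent: (flags & FLAG.UP) !== 0,
    userVerified: (flags & FLAG.UV) !== 0,
    backupEligible: (flags & FLAG.BE) !== 0, // credential is allowed to sync
    backedUp: (flags & FLAG.BS) !== 0,       // credential is currently synced
    signCount: view.getUint32(33, false),
  };
}

// Hypothetical sign-up policy: what should the account flow do next?
function recoveryPolicy(bytes) {
  const d = parseAuthenticatorData(bytes);
  if (d.backedUp && !d.backupEligible) {
    return "reject";                            // BS set without BE is not a valid combination
  }
  if (d.backedUp) return "synced";              // usable on the user's other devices
  if (d.backupEligible) return "sync-pending";  // may sync later: re-check at next login
  return "device-bound";                        // only on this device: ask for a fallback
}

// Constructed sample input: zero-filled rpIdHash, chosen flags, signCount 0.
function sampleAuthData(flags) {
  const bytes = new Uint8Array(37);
  bytes[32] = flags;
  return bytes;
}

for (const flags of [0x45, 0x4d, 0x5d]) {
  console.log("flags 0x" + flags.toString(16), "->", recoveryPolicy(sampleAuthData(flags)));
}
```

An account whose only credential comes back as "device-bound" is the lockout case described above, so that is the point to ask for a second passkey or another recovery method before the user leaves the sign-up flow.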


Dario Salice

Founder of www.protectyour.business - Excited about my Family, Product Management, IT-Security, 3D printing, Formula 1, Photography, and life.