October 27, 2022
Now that Apple, Google and Microsoft have updated their operating systems to support the open standard passkey protocol stewarded by the FIDO Alliance, consumers will soon be liberated from the tyranny of passwords and their attendant security threats. PayPal has become the latest to embrace the passkey approach, announcing that U.S. users will soon be able to log in using FIDO-compliant passkeys. It joins Best Buy, CardPointers, eBay, Kayak and WordPress among those with digital portals offering a passkey option. Passkeys will permit consumers to log in seamlessly across devices, making online purchases easier and eliminating friction from app access.
Passkeys are also more secure than old-timey passwords, as they are immune to credential phishing, offering natural resistance to all manner of account takeover attacks. While the concept of hardware that stores authentication information has been percolating for at least 10 years, the industry galvanizing around a single approach is what is finally making it deployable at scale.
However, adoption may need a little more time. “Passkey support is still spotty,” says Ars Technica, noting “passkeys stored on iOS or macOS will work on Windows, for instance, but the reverse isn’t yet available. In the coming months, all of that should be ironed out.”
What makes passkeys better than passwords? “Passkeys work almost identically to the FIDO authenticators that allow us to use our phones, laptops, computers, and Yubico or Feitian security keys for multi-factor authentication,” Ars Technica explains. “Just like the FIDO authenticators stored on these MFA devices, passkeys are invisible and integrate with Face ID, Windows Hello, or other biometric readers offered by device makers.”
That means there is no way for a malicious actor to remotely retrieve the cryptographic authentication information “short of physically dismantling the device or subjecting it to a jailbreak or rooting attack,” Ars Technica writes.
Apple announced passkey support in September, supporting it on the new iOS 16 and macOS Ventura. Now, with Google’s introduction this month of passkey support across Android and Chrome, “virtually all mobile devices now automatically synchronize passkeys to all of a user’s devices,” Ars Technica says. “Microsoft has said it plans to provide sync support in 2023.”
With its announcement this week, PayPal becomes one of the first in the financial services sector to implement passkey support, introducing the option first for iPhone, iPad, or Mac users on PayPal.com, and eventually expanding “to additional platforms as those platforms add support for passkeys.”
PayPal emphasizes the move to passkeys is significant in that it addresses “one of the biggest security problems on the web, which is the weakness of password authentication. Over 2.6 billion records were hacked in 2017 and of these hacks, 81 percent are estimated to have been caused by password stealing and guessing,” PayPal says, citing Verizon data.