Passkeys for Google Accounts. Ask Me Anything (AMA) with Felix from Hanko and passkeys.io

Felix Magedanz
10 replies
Yesterday, Google announced support for passkeys across all personal Google accounts. In the announcement, Google stated that passkeys are not merely "just another login alternative," but the successor to passwords. If you have a Google account, you can add and manage passkeys here: https://g.co/passkeys At Hanko, we have been working with passkeys, the underlying WebAuthn API, and FIDO protocols for more than 5 years. We share Google's view that passkeys are the future of authentication and have recently launched an open-source authentication solution called Hanko.io. Our solution enables developers, startups, and project teams to easily build a passkey login for their project without having to deep-dive into the details of passkeys. Additionally, we operate https://www.passkeys.io, a passkey demo website with over 100,000 registered demo accounts. If you have any questions about passkeys, I'm here for you!

Replies

Dexter Awoyemi
Up with Hanko. Down with passwords.
Felix Magedanz
@dextersjab no question about it 🙌
Mathias Nestler
I haven't seen passkeys used in business context yet. What do you think, how and when will passkeys change the business world? Thanks a lot for contributing to the community!
Mathias Nestler
@flxmgdnz Thanks a lot for your elaborated reply. Will there be still options for things like service accounts? Imagine you need an automation that logs into an account to automate a process with tech like RPA...
Felix Magedanz
@mathias_n Thanks for your question, Mathias. Passkeys have the potential to revolutionize the online world by replacing traditional passwords. Apple, Google, and Microsoft, along with other members of the FIDO Alliance, are working together to create a solution that will be accessible to a vast majority of internet users. Initially, these prominent identity providers are focusing on implementing passkeys for their consumer accounts, where the user base is enormous, and the adoption process is less hindered by risk assessments, complex organizational processes, or legacy systems. Other consumer-oriented companies such as eBay, KAYAK, and Shopify have also begun implementing passkeys, while popular B2B security providers like Okta and Duo Security have started offering passkey support to their business clients. In the coming weeks, Google Workspace accounts will also support passkeys, with Microsoft following suit later this year with a Windows update for comprehensive passkey support. This rollout is expected to extend to both B2C accounts (e.g., XBOX, personal) and B2B accounts (e.g., O365, Azure AD). Widespread adoption of passkeys across both B2C and B2B sectors is anticipated within the next 18-24 months. Ultimately, passkeys will become the default option for logging into various platforms, including online marketplaces, banking services, SaaS tools, and single sign-on (SSO) providers for businesses. Passkeys provide a more secure alternative to traditional passwords and current 2FA methods, offering robust protection against phishing, password guessing, replay attacks, credential stuffing, and man-in-the-middle attacks. In addition to improved security, businesses can benefit from adopting passkeys in various ways: Reduced support costs: With passkeys eliminating the need for password resets, businesses can expect a decrease in support costs associated with account lockouts and password resets. Improved security posture: Passkeys help businesses strengthen their overall security posture by removing the need to store and manage sensitive password data and reducing the risk of password-related breaches and attacks. Simplified compliance: Implementing passkeys can help businesses meet regulatory and industry compliance requirements by ensuring secure authentication methods are in place. As passkeys become more prevalent, their use will likely result in better conversion rates, as users will no longer need to create passwords when setting up new accounts.
Felix Magedanz
@mathias_n Legacy software will continue to exist for many years or probably even decades and RPA will continue to work there as it does today. Service accounts for modern software that fully switched to passkeys and does not offer passwords anymore (this will take a while) have to rely on using so called soft-authenticators where the passkey is not stored by the operating system and therefore the passkey login flow can be automated. The software will know that it’s a soft-authenticator, though, and may block access for security reasons.
Shreyas Iyer
Hey @flxmgdnz! I'm super interested in this topic. We saw password-less flows being pushed with OAuth, and now, seems like they're being completely taking over. I'm curious to hear from you: - How long do you think the switch from password -> password-less will take? If it will take a long time—why do you think so? Is it the migration effort? - I think the above also begs a deeper question: do you think authentication will eventually become a service all applications offload to some identity provider?
Felix Magedanz
@shreyasiyer Thank you for the questions, Shreyas. We anticipate that passkeys and passwords will co-exist for many more years, but passkey adoption will skyrocket over the next 18 months. Users will be given the choice to skip passwords or even to delete their old passwords as soon as they’ve enrolled passkeys for their accounts, allowing for a smooth transition. The most critical precondition for passkey adoption has been platform and browser support, which both are now almost 100% there. As much as passkeys simplify authentication for users, they do make things more complex and sophisticated for developers. Especially when paired with other non-trivial auth tech like OAuth, JWTs, OpenID Connect, SAML, and bot detection, “just auth” becomes a multi-month if not multi-year project, occupying valuable developer resources. We do think that auth will get more and more outsourced, like hosting, payments, messaging, and other crucial parts of modern app development.
Alan Youngblood
Hi @flxmgdnz thanks for answering our questions! What are some of the biggest challenges to integrating Hanko and passkeys on existing web apps and what are some things you have planned to address those? Where are areas that the community could help develop solutions?
Felix Magedanz
@alan_youngblood Thanks Alan, the biggest challenge when integrating passkeys is that the user flows need to change quite a bit when compared to classic password logins. Finding the right balance between modern passkeys and learned password behavior is not a simple task, which we at Hanko and others in the FIDO Alliance have been working on for more than 5 years. Our own approach to this is our open source authentication solution Hanko that has been built from the ground up with passkeys in mind and can be used by developers and project teams to build their own auth and user management. Another huge challenge for passkey adoption was device and browser support, and there are still some (minor) pieces left. For example, we're still struggling with passkey autofill support in Edge Chromium on Windows, and also the inability of browsers other than Safari to access iCloud Keychain on macOS is a problem. For the development of Hanko, the most helpful community contributions would be new framework integrations that we haven't had the time to do yet like e.g. for C#, Java, Python, PHP, or Rails. We'd love to see example code or even guides that eventually can become a part of the official Hanko project docs. Also, any feedback is always highly appreciated and directly impacts our feature roadmap planning.