Passkeys: Moving Towards Secure Log-in Methods

Passwords have been around for about as long as computers. There’s a reason for their longevity. Consumers intuitively know how to use them, in spite of their security shortcomings. Businesses keen to offer a low-friction way for customers to secure their online accounts have therefore had little option but to persist with passwords. Until now. The emergence of passkeys is set to transform the way users log in to their favorite sites and apps – by ditching passwords altogether and allowing them to use their preferred biometrics, PINs or swipe patterns.

That’s why PayPal is supporting a FIDO-led initiative to make passkeys the new gold standard for log-in security around the world.

The most common password challenges faced by businesses

There’s one big challenge with passwords. They may be easy for us all to use, but they can also be easy for criminals to steal or guess. The problem is scale. A typical computer user may have scores of websites and apps they regularly need to access. Remembering unique credentials across all of these can be extremely challenging – especially when security best practice says they must be “strong and long” to beat the automated software hackers use to crack easy-to-guess passwords.

Yet even if users were able to create and maintain a long list of unique, strong passwords, these could be stolen from the companies they do business with, in large-scale data breaches. In the US alone there were over 1,800 data breaches last year affecting 422 million individuals.1 Or passwords could be phished individually from victims, by criminals posing as legitimate entities like banks or streaming providers. The FBI’s Internet Crime Complaint Center (IC3) received over 323,000 reports of phishing in 2021, more than any other cybercrime.2

Stolen passwords are often traded in bulk on dark web cybercrime marketplaces, where they’re bought up in large quantities together with usernames. Hackers can feed this data into credential stuffing tools, to see if the same log-ins have been reused across other websites and apps. If they have, they may be able to unlock these too.

The password problem has gone unresolved for far too long. Consumers are sick of having their accounts hijacked and their money and data stolen. Businesses also bear the brunt in reduced consumer confidence and reputational damage. Previous attempts to mitigate the problem, including password managers and two-factor authentication apps/one-time passcodes, have so far failed to gain widespread adoption.

What are passkeys and how are they going to replace passwords

Passkeys are a new common log-in standard created by the FIDO Alliance and the World Wide Web Consortium. They enable customers to gain access to their online accounts without needing to use a password. Instead, they can use the same biometrics (like Apple’s TouchID or FaceID), PIN, or swipe pattern they use to unlock their device.

Here’s how Passkeys work:

  • The passkey replaces a user’s password with a hidden cryptographic key pair
  • One key is public and registered with each app or website in use. The other key is private and stored only on the user’s mobile device/computer
  • The key pair seamlessly handles the authentication process between device and app/website

Advantages of adopting Passkeys over passwords

Passkeys have three main advantages over username/password combinations and other log-in security methods.

The user experience is seamless, familiar and consistent. Passkeys can also be securely synced across devices and computers, further enhancing convenience.

Security is proven to resist phishing, credential stuffing and other remote attacks because it is based on the FIDO Authentication industry specification. Passkeys can also be offered without requiring passwords as a recovery method.

Scalability is assured because users do not need to enrol from scratch on each new device or service – their passkeys will be available wherever and whenever they need them.

As a founding member of the FIDO Alliance and a strong advocate for user security, PayPal is leading from the front as one of the first firms to offer passkey support. Our website and app offer customers in the US on supported devices and browsers a glimpse into a password-less future.

More regions and login channels will follow, because passkeys represent a fantastic opportunity to enhance security across the internet. That’s something both consumers and businesses should be excited about.

Learn more about PayPal and Passkeys.
