Is password still needed when using Passkeys?

Question

Both Apple and Google have demonstrated Passkeys at their developer conferences (Google I/O and Apple WWDC 2022), and Microsoft is also on board. Being able to transfer passkeys from device to device removes a major limitation of FIDO2/WebAuthn and will likely be the breakthrough.

However, in their presentations both Apple and Google demonstrated the passkey setup on top of an account with username and password. Once the passkey was created, login was possible without password.

• Does Passkey really require an existing account with password?
• Or is this just temporarily needed for account setup?
• Or can a user register a new account with just username and passkey and really go password-less?

Answer 1

You don't need passwords when going with the passkeys approach. Generally, you can use out-of-the-box solutions for passkeys, as passkeys.com for example

Answer 2

Passkeys does requires an account. However, it doesn’t require a password because biometrics is used in authentication. I added passkeys to my site using OwnID API https://youtu.be/DAJHaUbHs44

Answer 3

An authentication is the process of checking who you are when you talk to the service. The authentication typically is bound to the user's identity. Such identity is mostly verified during onboarding process and you register some credentials (authenticators) for future identification and authentication. Typical identity proofing (and verification) process requires some complex couple of steps.

In this case, you might leverage a password as an authenticator and others. It's up to your choice. So, even without supporting the passkey, you can entirely remove the password if there is any fallback authenticators.

Since the password is very easy to deploy and universal way of authentication, most of the service providers are now relying on the password and they are the root cause of the most of security breaches.

Passkeys are the alternative way for the users to authenticate themselves to the services with possession factor and it tries to be universal by synchronized the credential across user's devices.

Answer 4

Great questions – we've been working on finding good answers since WebAuthn Platform Authenticators (and now passkeys) have been announced.

tl;dr:

• Passkeys do not require a password; passkeys and passwords can coexist, but do not require each other
• Passwordless accounts that are protected only by one ore more passkey(s) are the clear goal and will become a reality once passkeys are fully supported on all platforms

BUT you have to take into account what your average user knows about authentication and what they expect when they want to create an account or login to your app or website.

We frequently hear from users as well as service providers things like:

• "How can my account be secure if I don't need to enter a password??"
• "I don't want this website to see my fingerprint" (which of course will never happen, but is still the #1 user concern with WebAuthn)
• "I lost my phone (and therefore my passkeys) and want to sign in, where can I enter my password?"
• "I'm still on Windows 7 and can't use passkeys"

Ultimately, it would just not be a good idea to offer only passkey-based authentication for any production login today. In a few years things will look different, but for now the only sensible approach is to offer a regular login with a passkey alternative (on supported devices). Slowly, users will get to know the technology and the term passkey from the big account providers (Apple, Google, MS, Amazon, ...) and the typical username/password login form will be degraded to a fallback/recovery method and hopefully be completely gone someday.