Speaking at WebSummit Rio, Matias Woloski and Damian Schenkelman of Auth0 / Okta explain how Passkeys and Verifiable Credentials will usher in a new passwordless age.
Frictionless Digital Business
To set the scene, Damian walks through a hypothetical demo, a use case of purchasing airline tickets, to highlight how the future of Identity will transform digital business processes.
Primarily this demonstrates the use of Passkeys and how they can streamline the account creation and e-commerce workflows. Critically, he explains that the passkey is not part of the application’s own functionality but instead lives on the Android phone, in the Google Password Manager app, where the user authenticates with a fingerprint.
He then shows how the airline meets a ‘KYC’ (Know Your Customer) requirement through the phone sharing Verifiable Credentials that have been issued by an official government authority. Damian envisages a future of a single digital wallet that stores all of a user’s Passkeys and Verifiable Credentials.
From 3m:05s Matias moves on to exploring the technology evolution that is making this scenario possible.
He describes the history of passwords and how they have provided an Internet building block but fundamentally aren’t scalable for the modern era. In 2016 a first standard was developed to address this: WebAuthn. However, this proved effective only in enterprise environments where a physical key mechanism, such as a USB key, was required and available, and it wasn’t really suitable for consumers.
So a new iteration was developed by the FIDO Alliance, called ‘Passkeys’, which has been adopted by major vendors such as Google, Apple and Microsoft.
The key feature of this approach, as Damian demonstrated, is that your phone becomes the physical holder of the key. It is stored in online services like iCloud or Google Drive so that it can be synchronized across all of your devices, such as a laptop or iPad.
Passkeys offer a new paradigm for identity security, where they are:
- Phishing resistant.
- Not breachable.
- Segregated per website.
At 6m:35s Matias then explains the second key technology innovation: Verifiable Credentials.
VCs are cryptographically verifiable user attributes (JSON) that are signed with the issuer’s private key. For example, a university can provide an assured record of employment, which it generates and issues and the user then stores in their digital wallet. When it is supplied to an online process, such as the ticketing example, it can be verified.
Again, this technology provides foundations for a new level of Internet trust.
From 8m:50s they switch back to Damian who explores the challenges this new paradigm faces going forward.
Fundamentally, this is a new innovation, meaning it will take time and effort to work out the wrinkles and encourage large-scale adoption.
Currently Passkeys are ecosystem-specific: your iPhone passkeys will sync across iCloud services, meaning they will be available to relevant Apple devices but not, for example, to your Microsoft or Google Chrome laptop. It’s likely there will be developments that address this and make them universally accessible. The standards for Verifiable Credentials are currently very fast moving and not yet stable.
Similarly, as with any new technology, user apprehension will be another source of adoption friction, since users are initially intimidated by and reluctant to use unfamiliar methods. Likewise it is a new world for developers, who will have to create and modify their digital business systems to integrate with these new ecosystems.
In conclusion, the principle of eliminating passwords is an utterly simple one, but the impact it will have across enterprise and e-commerce systems will be profound, ushering in a new era of digital experiences for users as significant as the advent of the Internet itself.