An important announcement came out this Monday from PayPal: starting immediately, PayPal customers can get rid of passwords and use on-device authentication to check out. This announcement has a significant impact on customer experience and customer security. PayPal is definitely leading this new passwordless era as one of the first in the financial and retail space to demonstrate innovation and superb customer experience.
NOTE: This recent news from PayPal is another important marker of the broad adoption of passwordless authentication by trusted brands. Citi – in partnership with Transmit Security – shared their story and learnings on rolling out FIDO2-based passwordless authentication to 200 million customers at this year's Authenticate 2022.
So what did PayPal do? They've implemented the relatively new passkeys experience, which allows customers to use the authentication method offered by their device instead of typing a password. For example, if a customer has an iPhone, they could use Face ID® to authenticate; if a customer has a Mac®, they could use Touch ID® to authenticate. No need for passwords.
Passkeys are a more secure authenticator than usernames and passwords. This method is resistant to phishing and social engineering attempts, as a hacker can't steal a user's login credentials to breach their account. This new login option from PayPal will roll out first to iPhone, iPad and Mac users on PayPal.com, with expanded support for other platforms over time.
We can actually look at three milestones in the evolution of passwordless authentication.
First came the interfaces that Apple® and Google® released for mobile OSes and apps. These interfaces let mobile apps use on-device authentication to log the user into the app. On-device authentication refers to the authentication methods offered by the device itself: for example, face recognition, fingerprint scanning or even passcodes. The difference is that these methods are implemented by the device, whether a phone, tablet or computer, and the device itself is responsible for authenticating the customer; the app just leverages this device capability.
The second milestone was the WebAuthn protocol, which extended this capability from mobile apps to web applications. Websites running in a browser can now do the same as mobile apps and invoke the on-device authentication process. WebAuthn is a significant evolution because it lets online businesses offer the same passwordless, on-device authentication experience across both mobile apps and websites.
The third milestone is the passkey. Passkey is the common term for the multi-device FIDO credentials that the FIDO Alliance created to overcome a very specific limitation of WebAuthn: customers can register a device for passwordless authentication, but as soon as they move to another device, they have to register that device for passwordless as well. The registration process can be complicated and can create some friction.
Using passkeys, Apple, Google and Microsoft implemented a standard way to transfer authentication keys between the different devices of the same customer. For example:
Passwordless, and specifically FIDO standards, will continue to evolve.
At Transmit we're working with some of the biggest financial institutions and retailers in the world on passwordless and passkeys projects. We definitely see a change from a year ago, when just a handful of organizations were considering going fully passwordless, to today, when many are making the move. As a vendor that is consulting and helping the largest organizations in the world to implement their passwordless strategy, there are a few areas we recommend you pay attention to:
Interested in learning more about how to run a successful passwordless project? You can start with this run-down from one of Transmit Security's customers, Matt Nunn, Director, Global Head of Identity & Access Management Engineering for Citi, or contact us. We're helping teams across industries and across the globe take full advantage of passwordless authentication.