Let’s be honest. You’ve probably used the same password for all of your online accounts and apps for years. If you’re tech-savvy, you use a password manager that generates strong and secure passwords that are saved in the cloud.
But have you heard of or used a passkey? Passkeys essentially work the same way most people unlock their phones: with a numeric PIN or facial recognition. And they’ve been well-established as incredibly secure and user-friendly. Tech giants like Amazon, Apple, Google, Meta and Microsoft have all benefited from instituting passkeys, and industry associations have pushed to make passkeys the standard.
So why aren’t more people using them?
It’s likely because many companies think of passkeys as just a security upgrade. But they’re really a crucial user experience initiative – and it’s time to treat them as such by using a combination of consumer education, phased implementation, and tech readiness assessments to make adoption smoother for users and more manageable for developers.
Why passkey use isn’t widespread (yet)
No technology is a silver bullet in and of itself, but passkeys have proven to be a robust, easy-to-use option for authentication. But adoption isn’t ubiquitous (at least not yet) for a few key reasons:
- Low user awareness and misconceptions. Not everyone knows what passkeys are, and those who do may have misconceptions about what’s required to use them. Some people are hesitant to use passkeys because they think they require sharing biometrics like fingerprints or facial recognition with apps. But this isn’t true, since biometric data never leaves the user’s device.
- Prone to deepfakes. As AI-generated deepfakes become more sophisticated and easier to weaponize, users worry that the perceived security of using facial recognition tied to passkeys can be bypassed by sophisticated cybercriminals (even though the level of effort required to do so is much higher than the level of effort required to steal passwords and other phishable credentials).
- Lost, stolen, and new devices. Since passkeys are tied to specific devices, if those devices are lost, stolen, or need to be replaced, users must recreate their passkeys to regain access to their accounts.
- Ecosystem lock-in. Companies like Apple and Google have tried to make the above scenario less painful by allowing users to sync passkeys across devices and back them up to their iCloud or Google accounts. However, this makes it difficult for users to switch platforms without losing or recreating all of their passkeys.
- Implementation challenges. On the developer side, passkeys require significant engineering effort to ensure interoperability across devices and platforms. When enterprises rely on devs to build passkeys in-house, any gaps or missteps that occur during the process can surface as user friction later on.
How companies can make passkey adoption easier
Companies need to lead users through passkey adoption versus waiting for it to happen organically. But ultimately, it should always be the user’s choice. Here’s how organizations can promote adoption and make implementation easier on devs.
- Guide (don’t force) adoption. Users might be prompted to set up passkeys upon making an account; if they choose not to, they can be reminded of the option again in a few weeks. Companies should also include “remind me later” or “don’t ask me again” options so users can enroll in passkeys at their own pace.
- Take a phased approach to implementation. Instead of going all in on passkeys right away, companies can conduct A/B tests that route a small portion of login traffic to a passkey-enabled flow and compare things like conversion and drop-off to their existing authentication flow. Taking a phased approach to passkey implementation minimizes internal resistance and ensures the technology works for users before scaling adoption.
- Educate users on the perks. Companies should continually educate users who haven’t yet adopted passkeys on the perks of doing so. This could include sharing the results of the aforementioned A/B tests in a blog, conducting an email awareness campaign dispelling common misconceptions about passkeys, or building popups that briefly explain the benefits of passkeys at the login screen.
- Assess developer readiness. Prior to adopting passkeys, companies must take a close look at their tech stack and their team’s expertise to determine whether they can realistically roll out and maintain passkeys in-house without stretching devs beyond their core responsibilities. Overburdening devs results in unnecessary complexity for end users, and can even hurt the company’s bottom line: As a recent study found, 37% of organizations report that dealing with customer authentication projects delayed their engineering and product roadmap.
Benefits outweigh the hurdles
It’s never been a more important time to implement passkeys.
Traditional authentication methods like passwords are failing; one report revealed that 59% of passwords can be breached in under an hour, and multi-factor authentication (MFA) methods like one-time passwords (OTPs) can easily be phished. This problem will only intensify as advances in AI make cracking passwords and creating ultra-convincing AI-generated phishing scams faster and easier.
Additionally, passkeys are a crucial differentiator for user experience. Consumers have more choice than ever when it comes to the apps they use, and a streamlined, secure login experience goes a long way in standing out in the marketplace and encouraging people to use an app.
The opinions expressed in Fortune.com commentary pieces are solely the views of their authors and do not necessarily reflect the opinions and beliefs of Fortune.
This story was originally featured on Fortune.com






