The most important feature of passkeys: they can force users to let the system manage their credentials

Ryo Ito(@ritou)
May 21, 2023 · 3 min read


Passkeys are usually described in terms of the following features:

  • Local authentication, such as biometrics or a device-specific PIN.
  • Phishing resistance, because the browser mediates the ceremony and binds it to the origin.
  • Credential management on the RP side without leakage risk, because public key cryptography means the RP stores only a public key.

Yes, these are accurate descriptions of the features.

However, before comparing password authentication and passkeys on these features, it is necessary to distinguish two kinds of password management from the user’s perspective.

- Human Memorized Password: the user remembers the password.
- System Managed Password: the password is generated and stored by a browser, an operating system, or a dedicated password manager.

The difference between the two is significant.
The following threats to password authentication are well known:

A. Weak, guessable passwords that are reused across multiple services.
B. Leakage of passwords from the service that stores them, either because they are stored in recoverable form or because the stored hashes can be cracked offline.
C. Phishing attacks.

Human Memorized Passwords are notoriously vulnerable to Threats A and C.
System Managed Passwords handle Threat A well: the manager generates a long, random, unique password per service. They are also safer against Threat C, because a password manager only offers a password for the domain or origin it was saved for; but the protection is not complete, since the user can still open the manager, read the password string, and type it into a phishing page by hand.
Threat B depends on the service’s implementation (how it stores and hashes passwords), not on how the user manages the password.

Two-factor authentication and two-step verification are now widespread, with additional factors such as one-time codes sent by SMS or email, TOTP, and push notifications to authenticator apps, but their purpose is essentially to protect Human Memorized Password users.
Users of a System Managed Password that generates long, hard-to-guess passwords are already reasonably safe, service-side mistakes aside.
However, the most important (and regrettable) point of this article is this: in password authentication, the service cannot force users to use a System Managed Password.
A service can encourage System Managed Passwords through so-called Autofill mechanisms (for example, by marking its form fields so that the browser offers to generate and save a password), but it cannot enforce them. Even if a strict policy on password length and character classes effectively rules out Human Memorized Passwords, users who cannot or do not want to use a System Managed Password will likely just leave.

In contrast, passkeys are defined from the start so that the authenticator (passkey provider) generates and manages the private/public key pair. (Or rather: humans simply lack the hardware to realize a Human Memorized Passkey.)
In other words, “passkeys are a system that can force users to let the system manage their credentials.”

There are not many differences between System Managed Passwords and Passkeys.

- A System Managed Password is still a shared secret that the service must hold (or hash), while passkeys use public key cryptography: the private key never leaves the authenticator and the service holds only the public key.
- When a passkey is used (more precisely, when the RP requires User Verification), local authentication is performed on the device.
- The domain/origin check performed by the browser (or platform) cannot be skipped manually: the credential is scoped to the RP ID, and the user has no way to hand it to a different origin.

Public key cryptography mitigates Threat B, since a leaked credential store contains only public keys, and the absence of any manual way around the domain/origin check strengthens phishing resistance, reducing Threat C.

Finally, let’s consider the UX.
In a Safari environment using Autofill, both System Managed Passwords and passkeys require local authentication when the user chooses a credential at login.
However, passkeys also require local authentication at registration, and the re-authentication UX may still have challenges.
While I think the UX of passkeys will improve in the future, at this point in time there are aspects where System Managed Passwords are superior in UX.

Conclusion

- For password authentication, we split password management into two types, Human Memorized Password and System Managed Password, and compared them.
- The well-known problems of password authentication mostly concern Human Memorized Passwords; however, a service cannot force its users onto System Managed Passwords.
- System Managed Passwords and passkeys differ in the use of public key cryptography and in stronger phishing resistance, which comes from restricting what the user can do manually. The most distinctive feature, though, is that passkeys can enforce system-managed credentials.

To promote passkeys, it is essential to think carefully about how to approach users who are not yet accustomed to having the system manage their credentials. It is equally important to support devices that do not sync with the user’s passkey provider, for example via hybrid transport (cross-device authentication) or a fallback to a different authentication method.

Figure: comparison between password authentication and passkeys. (There are some typos in the image.)

Ryo Ito (@ritou), developer for digital identity (OIDC, OAuth, WebAuthn, JWT…)