TL;DR: Why “Buy” Beats “Build”
Passkeys Deliver on Their Promise
Passkeys eliminate fraud and most importantly reduce user friction during sign-up and sign-in, driving engagement and retention.
Proper Implementation is Key
The benefits of passkeys are only realized when implemented correctly, ensuring a seamless user experience.
Building passkeys is Hard and Costly
Building passkeys on your own is extremely challenging. Each platform (browsers and OS) implements passkeys differently, requiring significant effort to bridge the gaps. Additionally, these platforms are constantly evolving, meaning you’ll need to stay on top of this, perform frequent regression testing and apply fixes regularly.
The Takeaway
Buying a turnkey solution from a specialized passkey provider accelerates your time-to-market, reduces risks and allows your team to focus on core business priorities while ensuring your passkeys deliver the intended value.
The Case for Passkeys: Transforming Authentication
Best-in-Class User Experience
Passkeys do more than just provide increased security; they drive engagement by removing the friction involved in signing up and signing in:
- Frictionless Sign-Up: Passkeys eliminate the need to create a password that meets complex rules.
- Fast Sign-In: Passkeys reduce sign-in time by 88.4% compared to the traditional password + MFA authentication.
- High Sign-In Success Rate: According to Microsoft, passkeys can result in a 98% sign-in success rate.
With passkeys, businesses can achieve the rare combination of security and simplicity that will drive engagement and retention.
Enhanced Security
Passkeys provide unparalleled security by eliminating the vulnerabilities inherent in traditional passwords:
- Phishing Resistant: Based on public key cryptography, passkeys render phishing attacks ineffective. A research from CVS health demonstrated that passkeys reduced mobile ATO fraud by 98%. In April 2024, NIST published a supplement stating that passkeys, if implemented correctly, are considered Authentication Assurance Level 2 (AAL2) compliant.
- No Credential Stuffing: 2023 IBM Cost of a Data Breach Report highlights an average breach cost of $4.45 million, much of which can be attributed to stolen credentials. Because passkeys are unique to each service, hackers cannot reuse stolen credentials across multiple platforms thus eliminating credential stuffing.
The Challenges of Building Passkeys In-House
Passkeys hold great promise but only if implemented correctly and properly maintained. This can be challenging if they are not a core focus of your business.
Technical Limitations
Passkeys can face technical challenges because of strict privacy standards they adhere to and the secure platforms where they operate.”
- Challenging Passkey Discovery: To protect user privacy, browsers do not allow websites to check if a passkey exists on a device. Synced passkeys complicate this further, often leading to scenarios where users are mistakenly prompted to sign in with a passkey that isn’t on their device or asked to use other factors despite a passkey being available. To ensure a better user experience, passkey authentication must be thoughtfully designed, leveraging side-channel information to guide these interactions effectively.
- Limited Diagnostic Clarity: Error messages for failed passkey authentications are intentionally vague to protect user privacy, making it difficult to determine the cause of failure — for example, whether it’s due to a biometric mismatch or user cancellation. This lack of clarity makes debugging authentication issues challenging and time-consuming. Similar to passkey discovery, leveraging side-channel information can help bridge the gaps left by insufficient error messaging.
Frequent Updates and Maintenance
- Platform Updates: Passkey technology evolves rapidly, with continuous updates to operating systems, browsers and password managers. Bugs in these platforms can cause passkeys to become temporarily unavailable, leading to user lockouts. These updates are beyond the relying party’s control, but their impact can be mitigated through proactive regression testing and timely fixes. To address these issues effectively, engineering teams must frequently run thousands of test cases, requiring significant resource dedication.
- FIDO Standards Compliance: Passkeys are built on the FIDO2 standard and rely on implementation specifications like WebAuthn, both of which are frequently updated. Ensuring compliance requires ongoing maintenance, testing and resource allocation to keep up with these evolving standards and ensure a seamless user experience.
Cost and Resource Demands
Building and maintaining passkeys in-house requires substantial time, effort and expertise:
- Development Time: Creating a basic passkey system takes months, but addressing edge cases and resolving user experience challenges from imperfect implementations can take years.
- Specialized Talent: Passkeys demand hard-to-find expertise in both security principles and user experience design. Additionally, their implementation requires platform-specific development skills due to varying functionality across iOS, Android and web environments.
- Long-Term Maintenance: Ongoing monitoring, frequent updates and bug fixes quickly escalate costs. Managing synthetic testing and ensuring compatibility with evolving platforms place a heavy burden on engineering teams, often pulling resources away from core business priorities.
Proper Implementation is Key
The true value of passkeys lies in their ability to eliminate fraud prevention and a frictionless user experience. Poor implementation, however, risks:
- User Confusion: Misaligned user flows frustrate users, undermining adoption.
- Missed Business Opportunities: Failure to optimize for ease of use and security can hurt engagement and retention.
- Security Gaps: Incomplete or incorrect implementations can introduce vulnerabilities.
Ensuring proper implementation is essential to reap the benefits of passkeys.
About LoginID
At LoginID, we provide a turnkey solution for passkeys, eliminating the complexity so you can focus on your core business. Our solution saves you from dedicating resources to building and maintaining passkeys as the technology evolves.
We offer flexible deployment options, including SaaS and on-premise software licensing. Our on-premise model features flat-rate pricing, reducing your effective cost per user as adoption grows.
With LoginID, you gain a trusted partner to accelerate time-to-market and deliver seamless, secure authentication experiences.
This blog was originally posted at Passkeys for Execs and Decision Makers. For more blogs, please visit our content hub. To join the LoginID community, simply register on our developer forum and explore the topics of passkey development.
