
Stytch Takes the Hassle out of Passkey Authentication

Added security, as well as better user experience, are moving passkeys to the front of the line of preferred authentication technologies.
Dec 5th, 2023 5:00am by
Featured image from Summit Art Creations on Shutterstock.

Among the developments since the release of ChatGPT a year ago, generative AI has made phishing much more efficient for bad actors.

Security firm Darktrace earlier this year reported a 135% spike in social engineering attacks via email since the beginning of the year, noting that these phishing campaigns have also become more complex and believable: there are fewer misspellings, and the language more closely matches the person being impersonated. Generative AI can also help attackers sort the most gullible targets from the least gullible when deciding whom to aim these ploys at.

The added security, as well as better user experience, are moving passkeys to the front of the line of preferred authentication technologies. Stytch CEO Reed McGinley-Stempel calls it “the first mainstream phishing-resistant authentication method.” It’s one Stytch, a startup focused on providing developers a “Stripe-like experience” for adding passwordless authentication to their applications, has just added.

Authentication across Devices

“Passkeys are a new take on FIDO2 authentication that makes it possible to use biometric authentication (a face scan or fingerprint) across devices. Many users are familiar with this experience from unlocking their phones. Because passkeys are backed up to the cloud, it’s easy to take your identity from one device to another. They’re also more resistant to phishing and credential stuffing attacks than passwords,” Okta’s Bhawna Singh explained in an earlier TNS article.

The technology is a rebranding of WebAuthn/FIDO2 credentials. You may know them as discoverable credentials, or resident credentials, Steven J. Vaughan-Nichols wrote in a story about GitHub’s beta adoption of passkeys.

Unlike SMS and email IDs, passkeys are unique, he wrote, and cannot be used to track a user’s activities across sites or platforms.

Google is using passkeys in Gmail; Shopify has made it the primary option for Shop Pay; WhatsApp has rolled out passkey support on Android; and Amazon has made passkeys available in browsers, with support for Android and iOS in the works.

Still, Andrew Shikiar, executive director and chief marketing officer of FIDO Alliance, has said that better developer tools are vital to the mass adoption of passkeys.

Simplifying Passkeys for Developers

For users, one of the passkey selling points is that once they set up a passkey on one device, they don’t have to go through any further sign-in machinations to use it on another, say between a phone and a laptop.

Reed McGinley-Stempel

“It’s one of those things, I think, when people experience what it prevented, otherwise the friction that you normally go through, I think there’s gonna be a lot of enjoyment for users,” McGinley-Stempel said.

He stressed that it’s still a very new technology, and Stytch held off on offering it along with its API-first libraries and SDKs for multifactor authentication, single sign-on and other passwordless authentication offerings until passkeys gained more maturity in the industry.

Developers still face challenges such as architecting for multiple platforms, dealing with those platforms’ updates, handling account recovery and lockout issues, configuring creation settings, and managing UI complexities like autofill and syncing. Some existing passkey solutions tackle some of these challenges but severely restrict developers’ ability to customize authentication logic and user interfaces (UIs) in their apps. This can lead to security vulnerabilities and user frustration.

Stytch’s approach was to focus on the pitfalls developers might encounter when integrating the standard directly into their applications.

“[Developers] want it to be easy to integrate. If they want to be able to handle edge cases. There are still worlds where you can lose all of your devices or your passkey, so account recovery matters a lot. And then they want to be able to integrate it the way they want into the application so that they can own the UX and design,” he said.

They can add passkeys to any application with one line of code, whether they’re using Stytch for other authentication or not, he said. It’s offered as frontend and mobile UI SDKs; a headless SDK to interact with the WebAuthn API while using your own UI components; and a direct API using Stytch’s core WebAuthn API.

It promises:

  • A seamless experience across all platform combinations.

“Passkeys are super exciting, they’re also still relatively new. So as a result, platform combinations can differ quite a bit in terms of how different device systems, OSes, browsers and password managers all interact as different parties trying to manage and comply with passkeys,” he said.

“And so for example, Chrome may have a different way that they manage the passkey than Safari on Windows or Safari on iOS, and in Chrome on Android, and Firefox and Android … That’s one of the big issues we found is there are companies that have obviously integrated passkeys already, like DocuSign. … But the one problem is they clearly didn’t think about all these different platform permutations. So about, you know, 20 to 30% of the time, you can run into an edge case where their UI UX doesn’t anticipate correctly how that browser or that platform browser combination is going to work. …

“And so this is one of the big things where we just want to take this completely off developers’ plates. … They don’t want to have to think about all of these other permutations that they need to design their code around. So that’s one of the things that just comes out of the box.”

  • Account recovery and lockout fallbacks

Rather than force users who lose a device or accidentally delete a passkey to go through a manual customer-service hassle, Stytch lets users have another root of trust on the account. Email can be configured as the primary root of trust, though some developers want that to be email plus another factor like SMS, a YubiKey, or something similar. All of those are configurable with Stytch.

  • ‘Smart defaults’ for passkey configuration

“When [developers] start trying to integrate, the other thing that becomes really overwhelming is there’s tons of configuration optionality in terms of how you set it up for your end users. So what authenticator types should they use? What residency key requirements do I have? What user verification requirements do I have for you to create a passkey in order to prevent passkey squatting and other vulnerabilities? … We’ve kind of taken all that thinking off of the developer’s plate. They can always untoggle something and go to a different default. But we’ve [looked] at what is the most sane way that most application developers are going to want to default to using passkeys and … they can configure as needed if they have a better understanding of passkey for their use case,” McGinley-Stempel said.

  • Pre-built UI components

“The UI components and managing the front end of it can be quite complex, or it requires a lot more development time if you want to get it right,” he said. So the prebuilt UI components make sure that assets are always discoverable, while still providing flexibility in how the user accesses the passkey, whether that’s with Touch ID, Face ID, a QR code, etc. “We handle all third-party password manager integrations to make sure that there’s no conflicts there.”
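The “smart defaults” McGinley-Stempel describes (authenticator types, resident-key and user-verification requirements) map directly onto the `authenticatorSelection` options a relying party passes to the browser’s WebAuthn API, which is the layer a headless SDK like the one mentioned above wraps. The following added example is not Stytch’s code and does not use Stytch’s API; it shows what such defaults look like in plain WebAuthn terms, lets a developer override one (“untoggle”), and adds the server-side check a relying party needs: parsing the authenticator-data flags byte to confirm that the user verification it asked for actually happened, and whether the credential is a synced (backed-up) passkey. The RP name, user record, default values and sample authenticator data are all constructed for the example.

```javascript
// Added example, not Stytch's code: WebAuthn creation options with passkey-friendly
// defaults, plus server-side enforcement via the authenticator-data flags.

// COSE algorithm identifiers commonly accepted for WebAuthn credentials.
const COSE_ES256 = -7;
const COSE_RS256 = -257;

// Assumed "sane defaults" for a passkey (discoverable credential) deployment.
// These are this example's choices, not Stytch's actual defaults.
const PASSKEY_DEFAULTS = {
  residentKey: "required",      // discoverable: user can sign in without typing a username
  requireResidentKey: true,     // older alias still honoured by some clients
  userVerification: "required", // biometric or PIN check on the authenticator
  // authenticatorAttachment is omitted on purpose so both platform authenticators
  // (Touch ID, Face ID, Windows Hello) and cross-platform ones (security key, phone via QR) work.
};

// Build PublicKeyCredentialCreationOptions for navigator.credentials.create().
// `challenge` and `user.id` must be random, server-generated bytes; they are passed in
// so the function stays pure. `overrides` lets a developer change one default.
function buildCreationOptions({ rpId, rpName, user, challenge, overrides = {} }) {
  if (!(challenge instanceof Uint8Array) || challenge.length < 16) {
    throw new Error("challenge must be at least 16 server-generated random bytes");
  }
  return {
    rp: { id: rpId, name: rpName },
    user: { id: user.id, name: user.name, displayName: user.displayName },
    challenge,
    pubKeyCredParams: [
      { type: "public-key", alg: COSE_ES256 },
      { type: "public-key", alg: COSE_RS256 },
    ],
    authenticatorSelection: { ...PASSKEY_DEFAULTS, ...overrides },
    attestation: "none", // attestation is not required for phishing resistance
    timeout: 60000,
  };
}

// Authenticator data layout: 32-byte rpIdHash, 1 flags byte, 4-byte signCount, then
// optional attested credential data and extensions.
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified
const FLAG_BE = 0x08; // backup eligible: credential may be synced across devices
const FLAG_BS = 0x10; // backup state: credential is currently backed up

function parseAuthenticatorFlags(authData) {
  if (authData.length < 37) throw new Error("authenticator data too short");
  const flags = authData[32];
  return {
    up: (flags & FLAG_UP) !== 0,
    uv: (flags & FLAG_UV) !== 0,
    be: (flags & FLAG_BE) !== 0,
    bs: (flags & FLAG_BS) !== 0,
  };
}

// Requesting userVerification: "required" only asks the client; the returned flags
// are what proves it happened, so the relying party must check them.
function verifyAuthenticatorPolicy(authData, { userVerification }) {
  const flags = parseAuthenticatorFlags(authData);
  if (!flags.up) return { ok: false, reason: "user presence flag not set" };
  if (userVerification === "required" && !flags.uv) {
    return { ok: false, reason: "user verification required but UV flag not set" };
  }
  return { ok: true, flags };
}

// Constructed sample authenticator data: all-zero rpIdHash, chosen flags, zero counter.
function sampleAuthData(flagsByte) {
  const data = new Uint8Array(37);
  data[32] = flagsByte;
  return data;
}

// Usage with constructed values (a real server draws these from a CSPRNG).
const demoChallenge = Uint8Array.from({ length: 32 }, (_, i) => i);
const demoUser = { id: Uint8Array.from({ length: 16 }, (_, i) => 16 + i), name: "alice", displayName: "Alice" };
const options = buildCreationOptions({ rpId: "example.com", rpName: "Example App", user: demoUser, challenge: demoChallenge });
console.log(options.authenticatorSelection);
console.log(verifyAuthenticatorPolicy(sampleAuthData(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS), options.authenticatorSelection));
console.log(verifyAuthenticatorPolicy(sampleAuthData(FLAG_UP), options.authenticatorSelection));
```

The second `console.log` shows a synced passkey (BE and BS set) passing the policy; the third shows a response with presence but no user verification being rejected even though the client was asked for it, which is the “passkey squatting” style gap the quote alludes to when creation settings are left loose.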

When Stytch was founded in 2020, it focused solely on passwordless authentication but found many companies weren’t ready to ditch passwords, for whatever reason. Today about half its clients are fully passwordless, while the other half use a combo of password and passwordless technologies, McGinley-Stempel said.

“I’ve never seen across the board, so much excitement from both those customers … for a technology like passkey. So it’s the most bullish I’ve been on a singular technology for accelerating the passwordless future,” he said.
