While Google, Microsoft and Apple roll out passwordless passkey functionality for their platforms, most people are still dependent on passwords.
Google last week started testing passkey support in Chrome and Android via the FIDO Alliance, the group behind passwordless sign-ins that use a smartphone’s sensors for biometric authentication. Apple in June announced passkey support for iOS and macOS using Face ID and Touch ID for logging into apps and websites. Passkeys are another step forwards.
Google said passkeys are much safer than passwords since they can’t be reused and don’t leak in server breaches. Android users can create and use passkeys that are synced through Google’s password manager while developers can use the WebAuthn API. The approach is only in testing at the moment, though.
But, even though the WebAuthn standard was finalized in 2019, passwords remain the most-used authentication method, according to the FIDO Alliance’s survey of 10,000 consumers in the UK, France, Germany, US, Australia, Singapore, Japan, South Korea, India and China.
Some 51% of users logged in with passwords to their online-banking accounts in the past 60 days, while 28% used a one-time passcode (OTP) sent to a mobile device, and 14% did so with a password manager. Other authentication factors used included apps like Google and Microsoft Authenticator, security keys like YubiKey and Google Titan, QR codes, a browser’s autofill feature, and just staying logged in to an account.
Still, the research found that entering passwords had dropped by 5% for financial services, 7% for work accounts, 8% for social media and streaming accounts, and 9% for smart home devices.
Passwords remain the dominant form of online authentication and cause major issues for people and businesses, FIDO said: “For example, 70% of people had to recover a password at least once in a given month. Service providers and retailers also were impacted, with 59% of people giving up on accessing online services in a given month and 43% abandoning purchases because they couldn’t remember their password.”
SMS OTP has long been considered insecure, but it remains popular in financial services. Major German banks started moving away from it in 2019. Microsoft in 2020 said people should use app-based multi-factor authentication (MFA) over SMS. Staff at carriers can be duped into SIM swapping, while SMS OTPs can be phished.
Meanwhile, password-spraying attacks that rely on lists of millions of passwords leaked in the past decade are on the rise, making MFA one of the most effective mitigations. But SMS MFA is low-hanging fruit for hackers now that MFA has become more widely adopted.
Yet the FIDO Alliance found that more service providers are using SMS OTPs. Users report SMS OTP usage is up across financial services, work accounts, social media, streaming accounts, and smart home devices.
The survey did find a high level of awareness about passkeys even though they’re a relatively new concept. On average across the markets, 39% of respondents were very or somewhat familiar with the idea of passkeys.