Beyond passwords: Navigating the transition to passkeys

The era of traditional passwords is giving way to the promise of passkeys, an innovative passwordless login solution. Passkeys offer financial institutions an opportunity to simplify and strengthen their authentication practices, striking a balance between security and convenience. According to PSCU’s 2023 Eye on Payments study, 59% of credit union members are more worried about fraud given the continued shift to digital channels and platforms like online banking and mobile apps. As we anticipate a future where easily compromised, standard passwords are no longer acceptable, credit unions should proactively prepare to leverage the potential of passkeys to provide members with fast, seamless authentication experiences that offer peace of mind through enhanced protection against evolving fraud threats.

Traditional passwords’ pitfalls

In the past, when creating or updating online passwords, most users have likely encountered complex requirements. These may include using numbers, special symbols, a minimum character count, uppercase and lowercase letters … and any combination thereof. While these rules aim to enhance the security of standard passwords, they often result in frustration and fraud risk instead. Remembering various complicated passwords can be a hassle, leading users to resort to writing them down or saving them on devices. If you have the unadvised habit of reusing the same password across multiple sites and apps, you are not alone. A recent survey by Pew Research Center reveals nearly seven out of ten consumers feel overwhelmed by the number of passwords they have to keep track of and 45% feel anxious about whether or not their passwords are strong enough. Another common pain point is being locked out of an account due to incorrect password attempts, adding to the overall challenge of password management.

Conventional passwords not only create friction in the user experience, but are also susceptible to hacking by today’s cybercriminals. According to the FIDO (Fast IDentity Online) Alliance, a global consortium aimed at enhancing authentication technologies’ interoperability and reducing reliance on passwords, over 80% of data breaches can be attributed to password vulnerabilities. Despite efforts to enhance password security with measures like challenge questions, one-time passwords (OTPs) and authenticator apps, these knowledge-based methods are also targeted by phishing attacks. Moreover, these extra steps further inconvenience users and introduce their own risks.

Moving beyond knowledge-based authentication

Passkeys have emerged as an alternative to the challenges posed by standard passwords and knowledge-based authentication. They offer faster, easier and safer login experiences across a user’s devices. Passkeys are digital credentials that allow users to bypass passwords and instead use biometrics, like fingerprint or facial recognition, or a PIN on a device screen lock. Unlike passwords, passkeys protect against phishing attempts, because the user’s biometric information is never exposed to the website or app and remains securely stored on his or her personal device.

Many consumers already have access to this technology through biometrics on their phones or laptops, which they may currently use daily to unlock their devices. Adding to the convenience, users can sign in to a service on any of their devices using a passkey, regardless of where the credential is stored. For example, a passkey created on a mobile phone can be used to sign into a website on a laptop. Google, an early adopter of passkeys, reported that passkeys are 40% faster than passwords. This login solution facilitates the fast and frictionless experience today’s consumers expect.

Major players have already adopted passkeys, including Amazon, DocuSign, PayPal, Microsoft, Apple and Google, which made passkeys a default sign-in option on the platform last year. Additionally, a FIDO Alliance report found that consumer awareness of passkeys has increased from 39% in 2022 to 52% in 2023.

Passkeys solution integration

As industry adoption and consumer awareness grow, credit unions should proactively plan for a future where passkeys may become the new norm. Here are some key tips for evaluating passkeys and preparing for potential integration:

• Initiate discussions early on with your credit union’s security, risk and fraud prevention teams to ensure all stakeholders are aligned on the approach to implementing passkeys.
• Consider partnering with a fintech provider certified by the FIDO Alliance to ensure you are deploying passkeys that guarantee interoperability. The right provider can also conduct usability testing to ensure a smooth integration with the member experience, supporting functionality across various transaction scenarios.
• Anticipate the impact on both existing and new online banking/mobile app users. Prioritize solutions that offer flexibility, allowing members to choose between passkeys and traditional authentication methods. This inclusive approach ensures that members who may prefer more familiar methods are not alienated during the transition.
• Create a communication plan when you prepare to offer passkeys. Keep members informed by providing educational resources to guide them through the new authentication process, building trust in its security and convenience.

Now is the time for credit unions to start preparing for the transition away from conventional passwords and looking ahead to passkeys as an improved authentication standard. While passwords aren’t going away just yet, passkeys are leading the way forward, offering strong fraud protection and seamless authentication experiences. Credit unions are well-positioned to leverage this innovation and extend the advantages of passkeys to their members, further solidifying their role as trusted financial partners.