{"id":1869,"date":"2025-03-13T13:33:26","date_gmt":"2025-03-13T13:33:26","guid":{"rendered":"https:\/\/discovery.cevolution.co.uk\/ciam\/?p=1869"},"modified":"2025-10-28T11:05:20","modified_gmt":"2025-10-28T11:05:20","slug":"passkeys-and-their-role-in-customer-identity-and-access-management","status":"publish","type":"post","link":"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/03\/13\/passkeys-and-their-role-in-customer-identity-and-access-management\/","title":{"rendered":"Passkeys and Their Role in Customer Identity &amp; Access Management"},"content":{"rendered":"<p>In an ever-evolving digital landscape, security and ease of access are two of the most important concerns for both B2C and B2B SaaS application builders and customers alike. As traditional password-based authentication continues to show its vulnerabilities, innovative alternatives are being sought to provide more secure, seamless, and user-friendly solutions.<\/p>\n\n\n\n<p>Arguably, when it comes to user authentication \u2014 i.e. <span class=\"popup-trigger popmake-1437\" data-popup-id=\"1437\" data-do-default=\"0\">Login<\/span> \u2014 and user registration, passwords are still the most common method for securing access to SaaS applications. 
However, as highlighted in a recent article, vendor momentum towards a passwordless society continues to build, with Passkeys playing a central role:<\/p>\n\n\n\n<div class=\"wp-block-group has-text-align-center has-global-padding is-layout-constrained wp-container-core-group-is-layout-7db9d80f wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:0\">\n<iframe loading=\"lazy\" src=\"https:\/\/www.linkedin.com\/embed\/feed\/update\/urn:li:share:7323960078301024257\" height=\"683\" width=\"85%\" frameborder=\"0\" allowfullscreen=\"\" title=\"Embedded post\"><\/iframe>\n<\/div>\n\n\n\n<p>I&#8217;m <span class=\"popup-trigger popmake-378\" data-popup-id=\"378\" data-do-default=\"0\">Peter Fernandez<\/span>, and in this article, I&#8217;m going to be talking about <strong>Passkeys<\/strong> \u2014 the next-generation innovative authentication method, based on the <span class=\"popup-trigger popmake-1847\" data-popup-id=\"1847\" data-do-default=\"0\">WebAuthn<\/span> standard, that&#8217;s poised to play a transformative role in Customer Identity and Access Management (<span class=\"popup-trigger popmake-1185\" data-popup-id=\"1185\" data-do-default=\"0\">CIAM<\/span>).<\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"what-are-passkeys\">What are Passkeys?<\/h2>\n\n\n<p>Passkeys represent the future of authentication, offering businesses and users a more secure, user-friendly, and privacy-respecting method of logging in. By replacing traditional passwords with cryptographic keys, passkeys address many of the vulnerabilities that have plagued password-based systems for years.<\/p>\n\n\n\n<p>As organisations continue to adopt passwordless authentication, passkeys are expected to become a standard component of CIAM integrations, paving the way for a more secure and efficient digital ecosystem.<\/p>\n\n\n\n<p>Passkeys are a passwordless authentication method that employs cryptographic key techniques to authenticate users securely. 
Unlike traditional passwords, Passkeys do not rely on something a user knows (like a password) but instead utilise a pair of cryptographic keys \u2014 one public and one private \u2014 to verify the user&#8217;s identity.<\/p>\n\n\n\n<p>The <strong>public key<\/strong> is stored on a server \u2014 typically an <span class=\"popup-trigger popmake-415\" data-popup-id=\"415\" data-do-default=\"0\">IdP<\/span> \u2014 while the <strong>private key<\/strong> is securely stored on the user\u2019s device. The key pair works together to authenticate a user by performing cryptographic operations; the private key is used to sign a challenge issued by the server, and the server verifies the signature using the public key. This process ensures that only the rightful user, with access to the private key, can successfully authenticate.<\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"how-do-passkeys-work\">How Do Passkeys Work?<\/h2>\n\n\n<p>Because Passkeys function based on public key cryptography, no password is required, ultimately resulting in a process more secure than traditional password-based authentication.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>User Registration:<\/strong> When a user first registers in a <span class=\"popup-trigger popmake-1354 \" data-popup-id=\"1354\" data-do-default=\"0\">B2C<\/span>\/<span class=\"popup-trigger popmake-418 \" data-popup-id=\"418\" data-do-default=\"0\">B2B<\/span> SaaS context, their device creates a new key pair (public and private keys). 
The public key is sent to the service&#8217;s server and stored securely, while the private key remains on the user\u2019s device, protected by hardware-based security mechanisms (e.g., the Secure Enclave on Apple devices or the Trusted Platform Module on Android and Windows devices).<\/li>\n\n\n\n<li><strong>Authentication:<\/strong> When the user attempts to log in, typically via the <span class=\"popup-trigger popmake-2946 \" data-popup-id=\"2946\" data-do-default=\"0\">SaaS<\/span> application-independent <span class=\"popup-trigger popmake-415\" data-popup-id=\"415\" data-do-default=\"0\">IdP<\/span>, a challenge is sent to the user\u2019s device. The device signs this challenge using the private key, with the signed response being sent back to the IdP for verification.<\/li>\n\n\n\n<li><strong>Verification:<\/strong> The <span class=\"popup-trigger popmake-415 \" data-popup-id=\"415\" data-do-default=\"0\">IdP<\/span> uses the stored public key to verify the signed challenge, and if successful, the user is effectively authenticated. Since the private key is never transmitted over the network, this process is immune to man-in-the-middle attacks and phishing attempts.<\/li>\n<\/ul>\n\n\n<h2 class=\"wp-block-heading\" id=\"enhanced-security\">Enhanced Security<\/h2>\n\n\n<p>The most significant advantage of using Passkeys as part of a CIAM integration is the level of security they provide. Passwords are inherently vulnerable to a variety of attacks, such as brute force, dictionary attacks, and phishing. Since Passkeys eliminate the need for passwords altogether, the security risks associated with passwords and password management are mitigated.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Phishing Resistance:<\/strong> Since the private key never leaves the user\u2019s device, attackers cannot steal it via phishing. 
Even if a user is tricked into visiting a malicious website, they cannot be coerced into revealing their private key.<\/li>\n\n\n\n<li><strong>No Password Storage:<\/strong> Traditional password-based systems require storing passwords in a database, making them a target for data breaches. Passkey-based systems store only public keys, which are useless without the private key.<\/li>\n\n\n\n<li><strong>Stronger Encryption:<\/strong> Public key cryptography, which underpins Passkeys, provides a higher level of security compared to traditional password hashes. It is far more resistant to brute-force attacks and other cryptographic vulnerabilities.<\/li>\n<\/ul>\n\n\n\n<p>Enhancing security by eliminating the risks of password theft, phishing, and brute-force attacks offers not only an improved user experience but also provides for <a href=\"#improved-compliance\">improved compliance<\/a> and <a href=\"#customer-trust\">greater customer trust<\/a>.<\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"improved-user-experience\">Improved User Experience<\/h2>\n\n\n<p>From a user perspective, Passkeys provide a seamless and frictionless authentication experience. Traditional password-based systems can be cumbersome, requiring users to remember complex passwords or reset forgotten ones. With Passkeys, users no longer need to manage passwords, which enhances convenience and reduces the likelihood of password fatigue.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>No Passwords to Remember:<\/strong> Users don\u2019t have to remember or reset passwords. Authentication is as simple as unlocking their device, such as using Face ID, Touch ID, or a PIN-based process.<\/li>\n\n\n\n<li><strong>Cross-Platform Compatibility:<\/strong> Passkeys are supported across different devices and platforms. 
For example, a user can authenticate on their smartphone using Face ID and then switch to a laptop without needing to re-enter a password.<\/li>\n\n\n\n<li><strong>Faster Login:<\/strong> The authentication process is faster, as users don\u2019t need to manually input credentials or wait for verification codes.<\/li>\n<\/ul>\n\n\n<h2 class=\"wp-block-heading\" id=\"increased-adoption-of-mfa\">Increased Adoption of MFA<\/h2>\n\n\n<p>CIAM solutions often include Multi-factor Authentication (<span class=\"popup-trigger popmake-428\" data-popup-id=\"428\" data-do-default=\"0\">MFA<\/span>) to add an additional layer of security. With Passkeys, MFA is seamlessly integrated into the authentication process. Since Passkeys often rely on biometric authentication (such as Face ID or Touch ID), the device itself acts as a second factor for authentication.<\/p>\n\n\n\n<p>This built-in MFA feature helps organisations achieve a higher level of security, incorporating the paradigms of something you are and something you own, without requiring users to set up and manage separate authentication methods. 
You can discover more about the various factors involved as part of MFA by reading my article entitled:<\/p>\n\n\n\n<div class=\"wp-block-group is-content-justification-center is-nowrap is-layout-flex wp-container-core-group-is-layout-23441af8 wp-block-group-is-layout-flex\">\n<figure class=\"wp-block-embed is-type-wp-embed is-provider-discover-ciam wp-block-embed-discover-ciam\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"OyJo8Qleta\"><a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/03\/04\/factoring-mfa-into-the-equation\/\">Factoring MFA into the Equation<\/a><\/blockquote>\n<\/div><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\" id=\"scalability-and-cost-efficiency\">Scalability and Cost Efficiency<\/h2>\n\n\n<p>As organisations scale and serve more customers, managing authentication systems becomes more complex. Passkeys provide a scalable and cost-effective approach for B2C and B2B SaaS solution vendors. 
Since passkeys eliminate the need for managing password databases, businesses can reduce the costs and risks associated with password storage and reset processes.<\/p>\n\n\n\n<p>Additionally, passkeys offer a more streamlined approach to handling identity management, which reduces friction for users while maintaining strong security protocols.<\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"privacy-benefits\">Privacy Benefits<\/h2>\n\n\n<p>Privacy is a significant concern in the digital age, and Passkeys offer benefits over traditional password-based systems as the cryptographic keys used for authentication do not expose any sensitive data to third parties.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Data Minimisation:<\/strong> Since only public keys are stored on the server, and private keys remain on the user\u2019s device, there is less personal data at risk in case of a security breach.<\/li>\n\n\n\n<li><strong>No Password Database:<\/strong> Passkeys eliminate the password database as a point of vulnerability, because there is no centralised repository of passwords that could be targeted by hackers.<\/li>\n<\/ul>\n\n\n<h2 class=\"wp-block-heading\" id=\"improved-compliance\">Improved Compliance<\/h2>\n\n\n<p>Many industries require strong data protection measures. Passkeys provide a level of security that helps businesses meet regulatory requirements, such as GDPR, HIPAA, and PCI DSS.<\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"customer-trust\">Enhanced Customer Trust<\/h2>\n\n\n<p>By adopting modern and secure authentication methods, businesses can build trust with customers, as well as show that they take the security of Customer Identity and Access Management seriously.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Passkeys represent the future of authentication, offering businesses and users a more secure, user-friendly, and privacy-respecting method of logging in. 
By replacing traditional passwords with cryptographic keys, passkeys address many of the vulnerabilities that have plagued password-based systems for years.<\/p>\n","protected":false},"author":1,"featured_media":1876,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"authenticate":"","authentication":"","authenticatedMethod":"","authenticatedMember":"","authorizedPermissions":[],"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"_links_to":"","_links_to_target":""},"categories":[14],"tags":[35,37],"class_list":["post-1869","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-authentication","tag-passkeys","tag-passkeysinciam"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/03\/13133309\/create-a-featured-image-that-visually-represents-the-concept-of.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/posts\/1869","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/comments?post=1869"}],"version-history":[{"count":12,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/posts\/1869\/revisions"}],"predecessor-version":[{"id
":3455,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/posts\/1869\/revisions\/3455"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/media\/1876"}],"wp:attachment":[{"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/media?parent=1869"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/categories?post=1869"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/tags?post=1869"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}