Where are the Passkeys?

  • November 30, 2022

David Sparks, of MacSparky, is wondering where his passkeys are now that iOS 16 and macOS Ventura are out.

With Apple’s latest round of updates, we’ve got a new password feature that lets your computer manage passwords for you in the background. … I’m curious, however, as to when Passkey websites will start showing up. So far, I’ve seen none. For this to work, websites must adopt some new backend technologies, and everyone is now waiting for that to happen. Are website developers untrusting of the new technology? Do they want to see others figure it out first? Do they need the budget for these changes? I expect it is all of the above.

I don’t think developers as a whole are distrusting or in need of inspiration when it comes to implementing passkeys (aka WebAuthn), but there are good reasons why we didn’t see the market flooded with passkey announcements.

Here are my theories, speaking as both a developer and someone who is responsible for a product pipeline:

1. Security is hard and should be adopted slowly.

Every app has password authentication code, and rarely does anyone want to mess with it if it’s working and secure, and that’s a good thing. Security should move slowly so that it has been vetted and is ready to go before it’s out there in the world protecting your bank account.

That’s not to say that PassKeys / WebAuthn is some new bleeding-edge tech. It’s not. In fact, how it works is very familiar to developers who use SSH keys, but the web and app implementations are new, and it’s good that no one is rushing it.

2. Waiting on libraries and browser support.

It sucks to release a feature that isn’t supported everywhere. It’s huge that Apple has gone all in on this, but they aren’t the only player, and there needs to be some catch-up from other browsers, platforms, and apps on things like passkey syncing.

Same with the web and app libraries that developers use to implement technologies like this. Libraries are important, as you can’t expect every small app or website to write its own implementation. There are some WebAuthn libraries (actually, there are a ton), but once the community rallies around one or more of them and polishes them to the point where implementation is easier, you’ll see adoption rise.

3. It doesn’t replace legacy password code.

Let’s say you and your development team spend some time and build a fantastic implementation of PassKeys for your app. Can you get rid of the old password code? No, because of people with legacy accounts…or because some people don’t want to use PassKeys…or because even more people have never heard of PassKeys. That means you need to have the old password code and the new PassKey code, along with a new flow so that users can use either route, and probably some UI to explain PassKeys. Oh, and you’ll need a path to convert a password user to a PassKey user. Anything else? Probably!

The point is that PassKeys are additive for every app out there, and that means even more work and more support than just adding PassKeys.

4. It’s the end of the year.

PassKeys are cool, but do you know what’s cooler? That feature that your users are dying for that might make you more money. PassKeys aren’t going to be the focus because of all the other reasons above, but especially because right now the devs are crunching on the new feature that someone wants out “by the end of the year”.

Don’t worry, David. PassKeys and WebAuthn are coming, but it’s going to be slow and that’s a good thing for everyone.
