DEV Community: corbado

WebAuthn Cheat Sheet for Developers

corbado — Wed, 20 Mar 2024 19:32:41 +0000

WebAuthn and passkeys are the future of passwordless authentication.
Implementing passkeys requires good knowledge about the WebAuthn specification - which is everything else than user-friendly and can be tough to remember.

This cheat sheet contains everything you need to remember about WebAuthn & passkeys:

To read the full content of the cheat sheet, head over to the original article. But here's a preview of its content:

WebAuthn Ceremonies

Authentication with passkeys is based on the two processes, also called ceremonies, registration (aka the “attestation phase”) and login (aka the “assertion phase”).
Each phase requires a random challenge generated by the server, which is signed by the authenticator and sent back to the WebAuthn server to verify the user. 

Registration (attestation)

The registration ceremony uses two main objects: PublicKeyCredentialCreationOptions and attestation.
Former is created by the WebAuthn server and contains instructions and settings for the new credential , aswell as other relevant data. The latter is created by the authenticator and passed back to the server, including information about the newly created credential.
To see a full JSON example of both objects, check out the full article or cheat sheet.

Login (assertion)

The login ceremony uses two main objects: PublicKeyCredentialRequestOptions and assertion.
Former is created by the WebAuthn server and contains e.g. the cryptographic challenge for the authentication process. The latter is created by the authenticator and later passed back to the server, including the signed challenge to verify ownership over the private key.
To see a full JSON example of both objects, check out the full article or cheat sheet.

Conditional UI

Conditional UI improves the UX of passkeys by showing the user all of his available passkeys. This way he can choose a credential and doesn't even need to remember and type in his username.
The login flow with Conditional UI requires a few additional methods compared to the regular login ceremony:

Download the Cheat Sheet PDF or continue reading the original article for:

a detailed breakdown of all objects & attributes in WebAuthn
code examples to implement Conditional UI
a database schema and information for implementing the WebAuthn server

How to Launch a Dev Tool on Product Hunt

corbado — Tue, 27 Feb 2024 15:59:20 +0000

We launched Corbado on Product Hunt and reached #1 Developer Tool of the Week. Read about our learnings and tips on how to successfully launch Developer Tools on Product Hunt.

Check out the full blog on our website.

Corbado’s Launch

We’re Corbado, dedicated to make the internet a safer place by making websites and apps passwordless. Our product helps developers implement passkeys with just a few lines of code — allowing them to go passwordless in just one sprint.

On January 25 2024, we hit a significant milestone: Launching our Developer Tool on Product Hunt, we not only achieved the #4 product of the day but also topped the charts as the #1 Developer Tool of the week. Our launch resulted in 2x the traffic on our website and 4x the amount of usual daily signups on launch day and the few days after it.
A lot of time and effort went into preparing our launch and we learned many things, which we want to share in this blog post.

Why Launch your Dev Tool on Product Hunt?

For those who don’t know, here’s a quick explanation of Product Hunt:
It’s a unique platform where creators, so called “Makers,” showcase their products. Each product launch, or “Hunt,” lasts for 24 hours, during which the products compete against each other and are ranked by their number of upvotes and interactions.

Even though Dev Tools are the minority of products on Product Hunt, the list of benefits is convincing. To name a few:

1. New Customers: The platform is a hub for early adopters, tech enthusiasts, and professionals like developers and product managers -which you can convert to your (first) customers!‍
2. Diverse & Global Audience: Product Hunt’s mix of tech-savvy and non-technical members provides a unique opportunity to understand how your tool is perceived by a broader audience — everywhere around the globe.‍‍
3. Valuable Feedback: The community on product hunt is open-minded and positive towards all new tools & products — so you can expect valuable feedback for your product, landing page and other aspects.‍
4. Upgrade your Marketing Material: Launching on Product Hunt gives you a reason to finally create the nice and crisp visuals and product descriptions that your product deserves — material which you can use for launches in typical Dev Communities, too.‍‍
5. Prioritizing Features, SDKs & Integrations: Which frameworks do your potential customers use and what features are a must-have? Launching on product hunt is a great way to get answers on these questions and prioritizing on the right Development Tasks.‍
6. Framing your product: With Dev Tools you usually focus on features for developers and de-prioritize all the marketing fluff around it. However, these “soft factors” are important, too, and the sooner you optimize them the better.‍
7. SEO Boost: Launching on Product Hunt boosts your SEO through valuable backlinks, enhancing your website’s long-term visibility — of course this effect is greater the better your ranking is.

As you can see there are a lot of benefits — but a launch also needs to be well-prepared, so let’s dive into our recommendations for rocking your launch.

Tip #1: Choose the right Hunter

On Product Hunt, a “hunter” is the user that uploads your product. While you could do this yourself, it’s become a thing that users often hunt products on behalf of others.
Here’s what you should look out for in a Hunter:

‍1. Experience with Dev Tools: Look for hunters who either have a background in development or have a track record of successfully launching and marketing Developer Tools on Product Hunt. Their insights and experience are very valuable in preparing your launch materials, ensuring they resonate with the Product Hunt community.
2. Network within the Developer Community: A hunter’s network can greatly push your launch, which we’ve seen for example with our hunter Florent Merian (fmerian on Product Hunt). He is not only seasoned in hunting Developer Tools but also co-manages the Developer Marketing Community on Slack, which he can leverage for your launch.

Tip #2: Decide on a Launch Strategy

Deciding your launch date and understanding your target group might seem easy at first, but these factors significantly impact your overall strategy and the success of your launch. Before anything you need to decide on your main goal for the launch.

Choose your Launch Goal

You should choose one or a few of these primary goals:

Becoming #1 Product of the Day
Maximum number of user signups
Receive a lot of valuable feedback
Improve your SEO with new mentions

While #1 Product of the Day is all about understanding and playing the Product Hunt “Game” on the platform, other goals like the signups require more focus on converting the users with a good website. It’s tough to decide on one of these — but trust us, it will help you down the line in the many small decisions that are awaiting you.

Choose your Launch Date

Traffic on Product Hunt varies throughout the week. Typically, Tuesday to Thursday see the highest user traffic. Launching on these days means maximum exposure but also tougher competition. It’s challenging to make it to the top on these days due to more established companies choosing the same window for their launches.
In contrast, Friday to Monday is quieter, with fewer users but also less competition on the platform. These days might offer a better chance to become the product of the day or to ensure your product doesn’t get overlooked.

For our launch of Corbado, we aimed for high traffic and exposure and chose Thursday, the busiest day of the week. A useful tool to check out is hunted.space to see the number of products and total upvotes for each day.

Understanding Product Hunter’s User Types

On Product Hunt, users generally fall into two categories:
1. Developers and Techies: These are your primary target customers and prefer straightforward content that highlights your tool’s USPs over marketing BS.
Unfortunately, they make up a minority of the Product Hunt community.
2. Non-Techies: These are mostly investors, product managers, or other business-oriented users. If your content is overly technical, these users might find it inaccessible or irrelevant. However, their support is crucial for ranking higher on Product Hunt since these are the majority of users.
The key challenge of launching a Dev Tool is to create a product page that appeals to both groups — oftentimes it’s just impossible to perfectly target both. Therefore, you need to decide which group is more important for your specific launch goals.

Tip #3 Optimize your Launch Page

Tailoring everything to your target group is crucial and directly follows the decision you made about your audience in the previous step. The key to a successful launch lies in how you craft your profile, including the headline, description, visuals, and maker’s comment. These elements should not only be catchy but also informative, reflecting who you are targeting.

For our Corbado launch, we chose a balanced approach. We created visuals and headlines designed to catch the attention of all users but made it abundantly clear in our description and maker’s comment that our product was specifically designed for Developers.

Want to know what to consider in your visuals and write in your Maker comment? Or how you should optimize your website and leverage the Product Hunt Community?

Continue reading the full blog to find answers to these questions.

F'*!# Passwords. Get Passkeys! Corbado is Now Live on Product Hunt 🚀

corbado — Thu, 25 Jan 2024 09:34:13 +0000

We're thrilled to announce that Corbado is LIVE on Product Hunt and you can support us now:

🎉 Visit our Launch Page

Our Story

I'm Vincent, software engineer and co-founder of Corbado. We're a small team based in Munich, Germany, who all are annoyed by passwords.

💩 Everyone Hates Passwords

During projects in the past, we often came across implementing password-based authentication (mostly with OAuth2 – ughh reading and understanding these standards. It took us ages to implement it properly).
Also, as a user, we simply HATED passwords (even though we had a password manager) when logging into our favorite SaaS tools or e-commerce websites.

Then, we discovered passwordless authentication - and fell in love with passkeys (Never heard of passkeys? Check out this example).

Passkeys are like a drug.

Once experienced, you never want to go back to passwords - it is so much simpler and faster.

🚩Problem: Implementing Passkeys is Hard

When integrating passkeys into apps, we noticed that it's far more complex than originally expected.

💻 Not All Devices are Passkey-Ready: You need to deal with different browser-operating system combinations where not all are passkey-ready.
📲 Unsolved Cross-Platform / -Device Issues: As passkeys only partially sync across platforms and devices, you need to come up with solutions for edge cases.
🆘 Recovery & Fallbacks are Cumbersome: Implementing fallbacks and integrations to other login methods (e.g. passwords, email magic links, OTPs, social logins, SSO) are required.
📝 Complex Specs & Lack of Examples: The WebAuthn specification (on which passkeys are based on) is really complex to understand and breaks with many coding paradigms devs are used to. Besides, due to the novelty of passkeys, there's not much developer-friendly documentation and code examples.
🖼️ No Standard for Passkey UX: Rolling out passkeys to users requires deeper UX understanding and users need to be educated (a task that is often neglected.

🔑 Solution: Passkeys-as-a-Service

To help developers add passkeys easily to their new and existing apps we started Corbado. We build components, SDKs and APIs to eliminate all of the heavy lifting above. By signing up for Corbado for free, you can expect to:

📈 Increase your sign-up and conversion rates
😊 Make your users happier with better login UX
⌛ Reduce Password Resets
📉 Lower your SMS OTP costs
🔐 Introduce "Invisible MFA" for passkey users (+ preventing password-based attacks)

✅ How? Integrate with a Few Lines of Code

We have simple integrations. You just drop in our components with a few lines of code and let us handle everything else in the background.

💻 Frontend: React Component, Vanilla JavaScript Component, Web Component for Angular, Vue.js, Next.js, Nuxt.js, Svelte
📦 Backend: Node.js SDK, PHP SDK, Golang SDK, REST API for all other languages
📱 Native: Flutter passkeys package

🧑‍💻 For Developers and Product Managers

Developers who build apps and want to get passwordless auth done in 1 sprint
Product managers trying to upgrade their UX flows and boost conversion

🌈 Let’s make the Internet a safer place together, so get your free community plan to implement passkeys!

Visit our Launch Page to provide valuable feedback and support our Launch!

Also you can check out our website to see passkeys in action and implement them for free: www.corbado.com

CAPTCHA vs. Passkeys: Can passkeys be a better solution?

corbado — Thu, 30 Nov 2023 14:31:56 +0000

Many online users hate CAPTCHAs. Originally designed as a simple test to distinguish humans from bots, they’ve evolved into complex and often frustrating challenges. This blog examines the increasing complications of CAPTCHAs and explores whether passkeys could offer a more user-friendly alternative.

Drawbacks of CAPTCHAs

CAPTCHAs, short for “Completely Automated Public Turing Test to Tell Computers and Humans Apart,” are essential for internet security but come with significant drawbacks.
For users, they’re often time-consuming and annoying, especially challenging for visually impaired individuals. Businesses face conversion rate drops and GDPR compliance issues, while bots increasingly are able to pass these tests.

Alternatives to CAPTCHA

The quest for effective and user-friendly bot prevention methods has led to several alternatives, each with its unique approach:

Cloudflare’s Turnstile: Revolutionizing bot prevention, Turnstile simplifies verification to a checkbox click, conducting background checks that blend user-friendliness with robust security.
Arkose Labs: Offering more engaging formats for human verification, Arkose Labs focuses on creative challenges that are fun yet secure, balancing user experience with bot deterrence.
hCAPTCHA: A privacy-centric option, hCAPTCHA maintains the conventional approach of CAPTCHAs while emphasizing data privacy, a response to concerns raised by Google’s reCAPTCHA. friendlyCAPTCHA: Prioritizing GDPR compliance and privacy,
friendlyCAPTCHA offers background checks for suspicious activities, aligning with European data protection standards. Read more details about each alternative in the original blog post.

Passkeys as the new CAPTCHA?

Unlike traditional passwords or CAPTCHAs, a passkey is a unique digital representation of a user, which can assert their presence and confirm specific hardware specifications. This could promise a smoother user experience, similar to Google’s “Google One Tap” service, which allows effortless account creation or logins with just a click.

However, the current security and technical feasibility of passkeys doesn’t yet meet the theoretical opportunity at 100%. Find out the technical details and whether passkeys could replace CAPTCHA in the original blog post by Corbado:
CAPTCHA vs. Passkeys: Everyone hates CAPTCHA

Enterprise Passkeys: How are Apple, Google, and Microsoft performing?

corbado — Thu, 09 Nov 2023 15:30:17 +0000

The shift to passwordless authentication is accelerating with enterprises searching for secure and seamless passkey integrations.
Read below about how Apple, Google, and Microsoft cater to these enterprise needs.

Enterprise Requirements for Passkeys

For consumers, passkeys have undeniable advantages regarding security and user experience. In contrast, Enterprises have specific requirements for passkeys and device management to limit and secure the access to their sensitive data. These requirements are:

Syncing passkeys between different devices
Recovering passkeys from lost devices
Prevention of unauthorized passkey transfers
Centralized management of passkeys and user accounts

This poses the question: Who is meeting these requirements the best with their enterprise passkey integrations?

Apple’s strong device management

With managed Apple IDs in iOS 17 and macOS Sonoma, Apple excels at passkey implementation in their enterprise solution, providing robust synchronization, recovery options, and strict administrative controls for passkeys.
Passkeys get synchronized via Apple Keychain while giving administrators settings to control which devices can create and access those passkeys.
Here Apple makes the distinction between three Device Types:

Any Device (default): Employees can sign in with their managed Apple IDs on any device, syncing the passkeys to devices outside the company.
Managed Devices Only: This restricts synchronization to company-managed personal devices, catering to bring-your-own-device (BYOD) workplaces.
Supervised Devices Only: This highest security setting limits passkey synchronization strictly to company-owned and -supervised devices.

Google’s Push in Passkey Adoption

In the consumer space, Google has done a great job of pushing passkey adoption for users.
Regarding enterprises they have enabled passkey integration in Google Workspace, allowing admins to enable sign-ins via passkeys. They also get synchronized between devices through Google’s own Password Manager, however its enterprise device management remains less developed compared to Apple’s offerings. For example as of now, administrators can’t limit which devices the passkeys get synced to.

Android Enterprise also leverages Google’s Password Manager but lacks in similar ways to Google Workspace by not providing admins enough customizations.

Microsoft’s Surprising Silence

Although Microsoft is very prominent in enterprise solutions, their implementation of passkeys is still being waited on. Regarding consumers, Microsoft did a good job of implementing passkeys via their service Windows Hello, but lags behind in the enterprise realm due to missing synchronization and device management. There were some announcements regarding future passkey implementation in the user management service Azure AD which could bring Microsoft back on track.
We’ll wait with high anticipation!

For more comprehensive insights aswell as a breakdown on which tech giant is leading the race of enterprise passkeys, dive into the full article here.

The Future of Passkeys: A Deep Dive into Dashlane's Innovative Approach

corbado — Wed, 26 Jul 2023 14:16:40 +0000

Introduction

In an era where data security has become paramount, password manager app Dashlane has made a pioneering stride towards a password-free future. They have implemented the Fast Identity Online (FIDO) passkey standard into their live services, a transformative decision that will likely reshape our digital interactions and revolutionize the landscape of online authentication.

Decoding the Passkey Standard

Dashlane's incorporation of the passkey standard reflects a significant shift in how users can access their digital platforms. It provides a promising glimpse into the future, where a world without passwords is not just a theoretical concept, but a practicable reality.

The Dashlane Makeover: Interface and User Experience

The decision to integrate passkeys into Dashlane's system brought with it an array of challenges, primarily due to the need for a fresh user interface (UI). This new UI needed to accommodate a fundamentally different type of user interaction, replacing the standard password inputs with the passkeys.

Dashlane rose to the occasion, innovating their interface to create an experience that is both intuitive and user-friendly. This update maintains the security and reliability users have come to expect from Dashlane while simplifying the authentication process.

Challenges and Triumphs of the Passkey Integration

Moving away from traditional passwords and introducing a new form of authentication is an ambitious task. Dashlane had to deal with an array of challenges, from user acceptance to the technical intricacies of the passkey protocol. However, their commitment to creating a seamless, secure experience for their users enabled them to tackle these issues head-on, successfully integrating the passkeys into their platform.

Significance and Implications for the Future

Dashlane's shift from passwords to passkeys isn't confined to the realm of a single app. It signals a broader shift in the world of online authentication. The bold move by Dashlane has set a precedent for other organizations, indicating that a password-free future is not only desirable but viable and imminent.

The Journey to a Passwordless World

The integration of passkeys by Dashlane is more than just a technological update. It represents a paradigm shift in the way we perceive and implement digital security. It underscores Dashlane's commitment to remaining at the forefront of the digital landscape, setting new standards for user experience, and making significant strides towards a passwordless world.

Conclusion

Dashlane's successful integration of the passkey standard signifies a momentous leap towards the future of digital authentication. As we move forward, the lessons learned from this integration will serve as a guidepost for other companies aiming to adopt similar passwordless solutions.

To explore more about Dashlane's journey and the intricate process of integrating the passkey standard, delve into our in-depth analysis.

Testing Multi-Device Passkey Logins with ngrok

corbado — Tue, 18 Jul 2023 09:40:13 +0000

Testing a web app on as many devices as possible is crucial, because sometimes bugs only occur e.g. on mobile phones or depend on other device specifications. Though, accessing the local instance running e.g. on your laptop from your mobile phone via your local network can be tricky, especially if certain security measurements like TLS/SSL must be in place.

You can solve this issue by using the reverse proxy service ngrok. This tutorial explains the process in 3 steps:

1. Setup ngrok

2. Configure your Corbado project

3. Set up and run the application

4. Troubleshooting

5. Conclusion

‍

1. Setup ngrok

First,we need to install ngrok from their download page and create an account. Ngrok requires us to provide an authtoken in orderto run. We can retrieve our token by visiting our dashboard.

Wethen add this token into our local ngrok config by executing "ngrok configadd-authtoken ".

Now Ngrok should be ready to run. By executing "ngrok http " we can start the service. Our application will run on localhost with port 19915, so we'll execute "ngrok http 19915". This will give you a personalized URL under which our local instance will be available, e.g. https://0b5a-212-204-96-162.ngrok-free.app.

2. Configure your Corbado project

Now, we need to set up a sample application with Corbado. In case this is your first time using Corbado, you can follow the steps in the Getting started page in our docs to create an account in the developer panel.

Under authorized origins inside the developer panel, add your personal ngrok URL you received in step 1 with HTTPS as protocol; e.g. https://0b5a-212-204-96-162.ngrok-free.app.

Additionally, in the URL settings make sure to set the RPID to the domain of your ngork url (e.g. 0b5a-212-204-96-162.ngrok-free.app if your ngrok URL is https://0b5a-212-204-96-162.ngrok-free.app)

3. Set up and run the application

On the examples page in the Corbado developer panel, we can download any of the examples which are preconfigured for our project. Use the programming language, you like best. After downloading and extracting the zipped folder, example projects can be run by simply executing"docker compose up".

If you visit "http://localhost:19915/login" you should see the sample applicationwith Corbado web component. Check the Troubleshooting section if something is off.

As a last step, we visit our ngrok URL from step 1. Just as in the last step, the same website with the Corbado web component should appear.

Done! We can now use any device which has access to the internet to test our application by visiting our ngrok URL. Also, HTTPS is enabled which is requiredf or WebAuthn.

Here, we visited our page with an iPhone using LTE (You don't need to be in a specific network, just having an internet connection is sufficient).

‍

4. Troubleshooting

If you visit your ngrok URL and "Bad request" is displayed on the web component, you likely forgot to add your ngrok to authorized origins in the developer panel.

5. Conclusion

In very few steps, we ran a web application, which supports passkeys and made our local instance publicly available with the help of ngrok. We can now test our application on any device that has an internet connection.

Microsoft 365 passkeys – Analysis of sign-ups and logins with passkeys

corbado — Thu, 06 Jul 2023 09:52:41 +0000

This is part 4/X of our ongoing analysis of passkey implementations. We already analyzed several password managers, KAYAKs passkey flow and Apple's iOS 17

Introduction

More and more companies from a wide range of industries are stepping into a password-free world and implement passkeys. Through this series of articles, we aim to provide a comprehensive overview of the passkey user experience of those companies. This should enable you to incorporate these findings and enhance your product login accordingly. In each article, we focus on a single company. Today, we dive into Microsoft 365. Passkeys became available for Microsoft 365 accounts in Q2 2023, although they are not called passkeys. The rollout of Microsoft 365 passkeys could pose a counterweight to the currently heavy used two factor authentication via native app ("Microsoft Authenticator").

Disclaimer:
‍1) Status of the analysisis June 2023. Passkey features are subject to change by companies on an ongoing basis.
2) Note, that we tested the passkeys offered by Microsoft 365 for its online service / website and app. This analysis specifically does not include the way Microsoft synchronizes passkeys as a platform provider
3) Please refer to the use cases to find the devices we used for the analysis.

‍

Key insights from Microsoft 365 analysis

In this section, we present the most important insights we have gainedfrom the analysis of Microsoft 365 passkeys.

Highlights of Microsoft 365 passkeys implementation

1. Setup and integration with high security focus:

Microsoft 365's passkey implementation places paramount importance on security right fromthe setup phase. To ensure the highest level of protection, users are required to employ two-factor authentication (2FA) using the "Microsoft Authenticator" app. By integrating 2FA, Microsoft 365 provides an additional layer of defense against unauthorized access attempts. This robust security measure significantly mitigates the risk of credential theft or unauthorized logins, thereby fortifying the overall security posture of organizations using Microsoft 365.

2. Single advocacy for passwordless access:

One strength of Microsoft 365's passkey implementation lies in its advocacy for passwordless access, even though need to ou proactively search for it. Through intuitive user interfaces and informative prompts, Microsoft then even encourages users to embrace the passwordless sign in process. With a pop-up window displaying the empowering message, "Break free from your passwords," users are motivated to explore the benefits and convenience of a passwordless future leading to enhanced security and a frictionless authentication experience.

3. Option to completely remove passwords:

In a bold move that demonstrates their commitment to a passwordless future, Microsoft 365 offers users the option to eliminate passwords entirely. This feature enables organizations to embrace passkeys as the sole means of authentication, eliminating the vulnerabilities associated withpassword-based systems. By removing passwords from the equation, organizations can significantly reduce the risk of password-related attacks, such as phishing, credential stuffing, and brute-force attacks. Microsoft's commitment to promoting this passwordless approach not only showcases their dedication to security but also sets the stage for a more seamless and user-friendly authentication experience.

4. Seamless Integration with "Windows Hello" Technology:

Microsoft 365's passkey implementation seamlessly integrates with the trusted"Windows Hello" technology, creating a familiar and comfortable authentication experience. "Windows Hello" is a widely recognized biometric authentication feature in Windows, allowing users to log in using facial recognition, fingerprint scanning, or PINs. By leveraging this technology, Microsoft 365 enables users to set up their passkeys using existing biometric data, fostering convenience and trust.

The integration with "Windows Hello" also offers a seamless transition for users already familiar with this biometric authentication solution. By utilizing familiar biometric data, such as facial recognition or fingerprints, users can authenticate swiftly and confidently, eliminating the need for complex passwords.

Drawbacks of the current Microsoft 365 passkeys implementation

1. No Cross-Platform Passkeys:

The most notable drawback of Microsoft 365's passkey implementation is the absence of support for cross-platform passkeys. Unlike other solutions, they are neither synced, nor can they be created on other devices (not even single-device passkeys on, e.g. a MacBook using Safari or Android smartphone). However, on a MacBook using Chrome, the passkey creation works, as shown in our analysis. But this limitation can be frustrating for users who work across different operating systems, as it restricts the seamless use of passkeys across all their devices. Typical example would be not being able to sync passkeys between your private iPhone and your laptop. The lack of cross-platform compatibility stands out as an uncommon limitation in an increasingly interconnected digital landscape.

2. Lack of Proactive Offer and Cumbersome Passkey Setup:

Another drawback is the absence of proactive encouragement for users to try out passkeys on sign up. Afterwards the process of creating a passkey within Microsoft 365 can be cumbersome, requiring up to seven clicks after a regular login. If users haven't set up Microsoft Authenticator, the number of clicks increases even further. Despite exploring additional sign in methods, users still need tonavigate through multiple options by clicking "Show more options" to utilize the convenient "Windows Hello" feature. This lack of streamlined and intuitive passkey setup may deter some users from embracing this authentication method fully.

3. Insufficient Explanation of Passkey Technology to Users:

Microsoft 365's passkey implementation lacks explicit explanation or documentation regarding the term "passkey" and its underlying technology. Users are not directly informed about the specifics and benefits ofthe passkey authentication method. This absence of clear communication may lead to confusion or apprehension among users who are unfamiliar with the term "passkey". Providing comprehensive and user-friendly documentation already during the sign in process would empower users to make informed decisions and understand the advantages of this authentication method.

Analysis of the login process

To make the analysis of Microsoft 365 passkeys as comprehensive as possible, we tested the login process with several device-browser-combinations. We have recorded the outcomes in the following use cases. To better understand the use cases, please read through the conceptual definitions of passkeys below before jumping into the use cases.

Conceptual definitions of passkeys

Single-device passkey vs. multi-device passkey: Passkeys come in two distinct types whichare single-device and multi-device credentials. Single-device passkeys are tied to a specific device, meaning that the passkey can only be used on the device it was generated on. Multi-device passkeys are the "true" passkeys that can be synced and transferred between devices. This means that users can use any of their devices that support passkeys to authenticate, regardless of whether the credential was created on that specific device. This greatly enhances the usability of passkeys, as users don't need to enrol each device. However, our analysis found that Microsoft 365 provides single-device passkeys only.

Tested cases

Note that we have only performed the use cases with passkey-ready devices (e.g., no iPhone prior toiOS 16.0, no MacBook prior to macOS Ventura, no Android prior to Android 9, no Windows device prior to Windows 10). Inaddition, we tested the passkey login with an iPhone only in the Microsoft 365 app because the login process in different browsers does not differ regardless of the platform and device. However, we noted that no other platform than Windows 11 allows us to create or use passkeys. Hence, we only tested use cases 1-3 for now. Find out the detailed flow of every listed use case, click on the respective linked use case in the table below:

	Windows 11 (Build 22621.1848)	MacBook (macOS Ventura 13.3.1)
Multi-device passkey	n/a	n/a
Single-device passkey	Use case 1: Sign up process (Chrome) Use case 2: Passkey creation (Chrome) Use case 3: Passkey login (Chrome)	Use case 4: Sign up process (Chrome) Use case 5: Passkey creation (Chrome) Use case 6.1: Passkey login (Safari) Use case 6.2: Passkey login (Chrome)

Conclusion

The introduction of passkeys in Microsoft 365 brings the promise of passwordless authentication. However, the current implementation has limitations and represents a transitional phase. Passkeys are only available on Windows platforms and require tedious setup through the "Security" section in the Microsoft 365 account settings. They are not accessible on native Microsoft 365 apps for Android and Apple devices on its own ecosystem (i.e., Safari, only works with Chrome). Microsoft refers to passkeys as "passwordless" sign in, emphasizing their commitment to moving away from traditional passwords.

While passkeys offer enhanced security and convenience, their availability and usability are still restricted within the Microsoft 365 environment. It is likely that Microsoft 365 will continue to refine and expand passkey functionality in the future, making it more prominent and accessible across devices and platforms. Find out the detailed flow of the passkey implementation here

‍

Unlocking Passkey Potentials: A Glimpse at KAYAK's Innovative Approach

corbado — Tue, 27 Jun 2023 11:31:04 +0000

This is part 3/X of our ongoing analysis of passkey implementations. We already analyzed several password managers and Apple's iOS 17

In an era where cybersecurity is of paramount importance, KAYAK, a renowned travel company, offers valuable insights into how passkeys can revolutionize user authentication.

User centricity
KAYAKs user-centric approach towards passkeys is the cornerstone of their success. The crux of their strategy is based on a concept seemingly simple, yet powerful - making security user-friendly. By allowing customers to create their own memorable passkeys, they elevate user experience while simultaneously strengthening their platform's security. You can delve deeper into their technique here.

Integration
Notably, the seamless integration of passkey authentication within KAYAK's system truly stands out. The smooth, intuitive process is a testament to the platform's dedication to user experience. This enhances customer confidence and engagement, showing that robust security doesn't have to come at the expense of usability.

Transparency
Transparency is another key aspect of KAYAK's strategy. They maintain open channels of communication about their passkey usage and benefits, fostering a sense of trust among their users. This transparency underlines the importance of passkeys as a crucial tool for securing user data, a matter of utmost importance in the current digital age.

Intuitiveness
Finally, it's noteworthy to mention KAYAK's focus on optimizing the user journey for passkey creation and use. From initiation to completion, the process is not only user-friendly, but also engaging, illustrating the beauty of an intuitive design.

Conclusion
KAYAK's implementation of passkeys presents a compelling model of how user-friendly security can be achieved. Their best practices offer valuable insights for any company seeking to leverage passkeys as an effective authentication method. While we've outlined the basics, the complete picture of KAYAK's success story can be found here

Will passkeys kill password managers?

corbado — Tue, 27 Jun 2023 11:29:53 +0000

Will passkeys kill password managers? As we move towards a passwordless future, the role of password managers is being questioned. Let's explore the relationship between password managers and passkeys and how they are shaping the future of digital security.

Technology in transition:

From passwords to passkeys Passwords have been the primary authentication method, but passkeys are now emerging as a revolutionary alternative. How do password managers fit into this paradigm shift? Let's delve into the relationship between password managers and passkeys.

Unpacking the basics:

The difference between password managers and passkeys Password managers are secure digital lockboxes that store and manage your online credentials, while passkeys offer biometric-based authentication. Passkeys provide a seamless user experience and enhanced security.

Tech fusion: Why password managers are integrating passkeys

Despite their differences, many password managers plan to integrate passkeys into their offerings. Passkeys offer improved security, productivity, and a passwordless experience. It's a necessary step for password managers to remain relevant.

A surprising symbiosis: Passkey providers and password managers

Password managers and passkey providers need to work together to ensure a smooth transition. They can create a seamless user experience while maintaining a strong security framework.

Progress snapshot: Password managers' evolution towards passkeys

Leading password managers like LastPass, Bitwarden, Keeper Security, Dashlane, 1Password, and NordPass are adapting to the passkey revolution. They are incorporating passkeys into their products and enhancing their offerings.

The future blueprint:

Password managers in a passwordless landscape Even in a passwordless future, password managers will play a key role. By managing both passwords and passkeys, they bridge the past and the future of online authentication methods. They enhance the user experience and increase security.

To learn more about the future of digital security and the relationship between password managers and passkeys, read the full article on our website: https://www.corbado.com/blog/will-passkeys-kill-password-manager

iOS 17: Apple goes all-in with passkeys

corbado — Thu, 22 Jun 2023 13:41:09 +0000

In its latest iOS 17 update, Apple has introduced groundbreaking features for passkeys, specifically designed to meet the demands of enterprise environments. These remarkable advancements not only bolster security measures but also provide users with a seamless and intuitive login experience. By setting a new standard for passkey authentication, Apple has raised the bar and placed pressure on competitors like Microsoft to keep pace with the latest developments.

Managed Apple IDs with iCloud Keychain: Organizations can now provide passkeys while maintaining control over account management using managed Apple IDs, ensuring secure storage in iCloud Keychain.
Controlled Passkey Sync: Administrators can manage passkey synchronization, ensuring that passkeys are synced only with approved devices in the managed environment and preventing access from private devices or personal iCloud accounts.
Passkey Creation on Managed Devices: Through declarative device management,passkey creation can be enforced on specific devices using access management controls, providing cryptographic attestation for origin verification.
Passkey API for Password Managers: The Authentication Services API allows third-party password managers to create and use passkeys in native apps, offering cross-platform compatibility and broader accessibility.

Apple's latest passkey updates have ushered in a win-win scenario, enabling enterprises to enhance security while delivering a streamlined user experience. Notably, Google has also enabled passkeys in its Google Workspace accounts, amplifying the momentum for passkey adoption in the enterprise realm. These developments put Microsoft, the current leader in the enterprise environment, under pressure to stay at the forefront of passkey technology.

Find out more on: https://www.corbado.com/blog/apple-goes-all-in-with-passkeys