Google has announced that passkeys are rolling out to all Google Account users in a long-awaited move away from traditional alphanumeric passwords.
“Passkeys are a safer and easier replacement for passwords,” the company writes on its Google Identity blog. “With passkeys, users can sign in to apps and websites with a biometric sensor (such as a fingerprint or facial recognition), PIN, or pattern, freeing them from having to remember and manage passwords.”
With proper implementation, passkeys will improve account security while making authentication processes much easier for real-life users. Instead of remembering passwords or using two-factor authentication, people can simply log into their devices — the authentication is handled through their device.
And Google isn’t the only major company making a commitment to “frictionless” logins: In 2022, Apple and Microsoft joined Google in announcing support for a passwordless future.
Each company will follow specifications from the FIDO (Fast IDentity Online) Alliance, an open industry association. That should ensure that passkeys from one system can be transferred to another system. For example, if you switch from an Android phone to an iPhone, your passkeys can be transferred between devices without much effort.
Every person who owns a computer, smartphone, or tablet could benefit from passkey technology — but for people with disabilities, the potential benefits are especially noteworthy.
Passwords create accessibility issues for many users
Passwords are a type of cognitive function test: They require users to recall information in order to proceed through a process.
That’s problematic for people with cognitive limitations and memory disorders, which include a sizable percentage of older adults. According to the American Psychological Association (APA), an estimated 15-20% of people over age 65 experience mild cognitive impairment.
Passwords can also create challenges for people who use assistive technology (AT) such as screen readers. When password entry forms have improper labels and instructions, AT users may not be able to enter the password correctly on the first attempt — and if the password field has a time limit, some AT users may not be able to log in to the website before the time limit expires.
Passkeys could fix these issues. Instead of entering a password or a two-factor authentication code, the user would simply unlock their mobile phone (or another device that stores the key).
This would also prevent bad actors from stealing personal information. While two-factor authentication is secure, it’s not perfect. Passkeys use a type of cryptography that relies on device-level encryption; without getting too technical, passkeys are strongly resistant to phishing and other types of malicious attacks.
To be truly accessible, passkeys will need to be standardized
Passkeys will be a standardized technology, usable across a variety of devices, web browsers, and operating systems. As such, accessibility needs to be a core consideration during implementation.
Fortunately, FIDO specifications are a joint effort between the FIDO Alliance and the World Wide Web Consortium (W3C). The W3C also publishes the Web Content Accessibility Guidelines (WCAG) and other accessibility standards.
To that end, FIDO passkeys are designed with accessibility in mind:
- FIDO credentials are based on public key cryptography, so the user will only need to unlock their phone to complete the login process.
- Phones can be unlocked with different types of inputs. People can use biometrics, PINs (personal identification numbers), or patterns to verify their identities.
- Passwords may still be used to verify user identities in some circumstances (for instance, if you lose or break your phone). But by creating a shared standard, users should be able to transfer their passkeys between different types of devices quite easily.
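The phishing resistance and public key cryptography described above come down to a few checks the website runs on each sign-in. The following is an added example, not code from Google or the FIDO Alliance: a simplified Node.js model of those checks, in which `example.com`, `examp1e.com` and all function names are assumptions, and the authenticator data is reduced to the site-ID hash.

```javascript
// Simplified model of the checks behind a passkey sign-in (illustrative, not a full WebAuthn library).
const crypto = require('node:crypto');

const RP_ID = 'example.com';              // assumed site (relying party) ID
const RP_ORIGIN = 'https://example.com';  // assumed legitimate origin
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Registration: the private key stays on the device; the site stores only the public key.
const device = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // P-256
const storedPublicKey = device.publicKey;

// Device side: the browser, not the page, fills in the origin it is actually connected to.
function deviceSign(challenge, browserOrigin) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin: browserOrigin,
  }));
  // Real authenticator data also carries flags and a counter; only the RP ID hash is modelled.
  const authenticatorData = sha256(RP_ID);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, device.privateKey) };
}

// Server side: every check must pass before the user is signed in.
function verifyAssertion(assertion, expectedChallenge) {
  const clientData = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') return 'bad-type';
  if (clientData.challenge !== expectedChallenge.toString('base64url')) return 'bad-challenge';
  if (clientData.origin !== RP_ORIGIN) return 'bad-origin';
  if (!assertion.authenticatorData.equals(sha256(RP_ID))) return 'bad-rp-id';
  const signed = Buffer.concat([assertion.authenticatorData, sha256(assertion.clientDataJSON)]);
  return crypto.verify('sha256', signed, storedPublicKey, assertion.signature) ? 'ok' : 'bad-signature';
}

// Constructed scenarios: genuine sign-in, lookalike origin, origin edited after signing, stale challenge.
function runScenarios() {
  const challenge = crypto.randomBytes(32);
  const genuine = deviceSign(challenge, RP_ORIGIN);
  const lookalike = deviceSign(challenge, 'https://examp1e.com');
  const edited = { ...lookalike, clientDataJSON: Buffer.from(
    lookalike.clientDataJSON.toString('utf8').replace('https://examp1e.com', RP_ORIGIN)) };
  return {
    genuine: verifyAssertion(genuine, challenge),
    lookalike: verifyAssertion(lookalike, challenge),
    edited: verifyAssertion(edited, challenge),
    replayed: verifyAssertion(genuine, crypto.randomBytes(32)),
  };
}

console.log(runScenarios());
```

Only the genuine sign-in is accepted. Rewriting the origin after the fact breaks the signature, because the signature covers a hash of the client data.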
Overall, the rise of passkeys — and the end of passwords — could make the internet far more accessible for people with disabilities. By implementing the standards through an open set of specifications, Google, Apple, and Microsoft hope to improve internet security while eliminating a major source of user frustration.
Content creators can make authentication processes accessible by following WCAG
As passkey technology becomes a new standard, all users will benefit. However, that process will take time — and currently, many websites have inaccessible authentication procedures.
You can improve your website’s accessibility by providing options for authentication. Instead of relying on passwords, consider alternatives like Open Authorization (OAuth).
Other quick tips for accessible authentication:
- Avoid using visual CAPTCHAs. Learn why CAPTCHAs can create issues for users with disabilities.
- Give users enough time. Make sure people can pause or extend time limits.
- If your website requires passwords, don’t block copy-and-paste functionality on the password field.
- Make sure forms have appropriate labels and instructions.
- Use appropriate markup to allow password managers to fill in fields automatically.
- Give users the option to view their passwords as they type them.
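Several of these tips can be checked mechanically. The following is an added example, not code from the original article: a small Node.js audit that compares a weak login form with a corrected one. Both forms are constructed samples, the function names are assumptions, and the "Show password" button is one common pattern rather than a required one.

```javascript
// Audits login-form markup for labels, paste blocking and password-manager hints.
// Regex parsing is enough for these constructed snippets; use a real HTML parser on live pages.
const WEAK_FORM = `
<form>
  <input type="text" name="u" placeholder="Username">
  <input type="password" name="p" autocomplete="off" onpaste="return false">
</form>`;

const FIXED_FORM = `
<form>
  <label for="user">Username</label>
  <input type="text" id="user" name="username" autocomplete="username">
  <label for="pass">Password</label>
  <input type="password" id="pass" name="password" autocomplete="current-password">
  <button type="button" aria-pressed="false" aria-controls="pass">Show password</button>
</form>`;

// Collect the double-quoted attributes of one tag into an object.
function attrs(tag) {
  const out = {};
  for (const [, name, value] of tag.matchAll(/([\w-]+)="([^"]*)"/g)) out[name.toLowerCase()] = value;
  return out;
}

function auditLoginForm(html) {
  // IDs that some <label for="..."> points at.
  const labelled = new Set([...html.matchAll(/<label\b[^>]*>/gi)].map((m) => attrs(m[0]).for));
  const findings = [];
  for (const m of html.matchAll(/<input\b[^>]*>/gi)) {
    const a = attrs(m[0]);
    const field = a.name || a.id || '(unnamed)';
    // A placeholder is not a label; screen readers need an associated <label>.
    if (!a.id || !labelled.has(a.id)) findings.push(`${field}: no <label for> tied to this input`);
    // Inline paste handlers are the usual way copy-and-paste gets blocked.
    if ('onpaste' in a) findings.push(`${field}: inline onpaste handler may block pasting`);
    // Password managers rely on the standard autocomplete tokens to fill the field.
    if (a.type === 'password' && !['current-password', 'new-password'].includes(a.autocomplete)) {
      findings.push(`${field}: autocomplete should be current-password or new-password`);
    }
  }
  return findings;
}

console.log(auditLoginForm(WEAK_FORM));
console.log(auditLoginForm(FIXED_FORM));
```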
For more guidance, read: How To Make Your Website's Authentication Process Accessible.