1. What is a passkey?
The FIDO Alliance defines a passkey as a FIDO authentication credential that enables people to sign in to apps and websites using the same process they use to unlock their devices. For most, this means using biometrics or a PIN.
This removes the need to use cumbersome or insecure authentication methods such as passwords, KBA, SMS, and email OTP. Secure by design, passkeys relieve the burden on a user to remember information while keeping data safe.
2. Why should my customers use a passkey to access and eSign their documents?
Passkeys are of unique value in comparison to the authentication methods traditionally used for eSignature authentication, such as passwords, email, and SMS OTP. This is because passkeys can overcome the security vulnerabilities of these methods, establishing a secure communication channel between sender and signer. At OneSpan, we believe passkeys for signers provide the strongest assurance that documents reach only the people for whom they are intended.
3. Is it possible to implement passkeys alongside other authentication methods?
Yes, it’s entirely possible to implement multiple authentication methods. For example, you can use SMS one-time passcodes for your less sensitive eSignature use cases. When it comes to use cases that require more security, identity verification is a suitable authentication method. If signers need to sign regularly, they can use passkeys for signers to maintain a good user experience without compromising security.
4. How do passkeys enhance security compared to passwords?
Traditional passwords have multiple shortcomings. They create a difficult user experience: users must remember a variety of usernames and passwords, which leads to failed sign-in attempts, frequent resets, and poor security practices such as reusing or writing down credentials. Users can also be tricked into revealing their passwords through deceptive phishing emails or websites.
5. How do passkeys help organizations comply with security regulations?
One of the great values of passkeys is that they remove the need to store passwords on servers. This reduces the risk of data breaches as well as the volume of sensitive, private information stored on a network or service. Eliminating password storage and the transmission of credentials, building in phishing resistance, and relying on device-level security can all help organizations better comply with evolving security regulations.
Additionally, each account with a relying party (e.g., a website or service) uses a unique cryptographic key pair, stored securely on the user’s device. This eliminates the risk of a single point of failure or compromise of a centralized database.
6. Are passkeys resistant to phishing attacks?
Yes, a primary benefit of passkeys is the reduction of vulnerability to phishing attacks. Because passkeys are only usable on the specific website or service they were created for, bad actors are prevented from tricking people into using their credentials on fake or malicious websites.
7. What devices and platforms support OneSpan passkeys for signers?
See the following chart to find out which devices and platforms support our passkeys.
Device, operating system, or browser | Supported version |
---|---|
Android | V9+ |
iOS/iPad OS | V16+ |
macOS | V13+ |
Chrome OS | Device-bound passkeys are supported (single-device passkeys) |
Windows | Device-bound passkeys are supported (single-device passkeys) |
Browsers | Chrome, Safari, Edge (latest stable versions). These browsers all support passkey-based login, meaning that users can authenticate directly through the device that stores the passkey. |
Hardware | FIDO-certified devices such as OneSpan’s DIGIPASS FX1 BIO |
8. What happens if I lose my device with a stored passkey?
If you have multiple devices and use iCloud Keychain or Google Password Manager, the passkeys will sync across devices via a cloud service. In this case, if you lose one device, you can use another device that has the same passkeys. This is valid only for cloud-synced passkeys.
If device-bound passkeys are used, you will need to re-create passkeys. To do this, you need to go through a successful authentication process (IDV, KBA, Q&A, or SMS) prior to creating passkeys.
9. Does OneSpan's passkeys feature integrate with existing security infrastructures?
Yes, passkeys seamlessly integrate across existing infrastructures. Contact a OneSpan support representative with specific questions.
10. How do passkeys prevent credential theft?
With passkeys, username and password information does not need to be stored centrally, so there is no credential store in an organization’s databases for hackers to access. Traditional passwords are susceptible to easy capture and reuse across services or systems; passkeys are not.