Future-proofing Authentication With Passkeys

Today’s web APIs often require some form of API access management and identity control for their users, and these are usually implemented using protocols like OAuth and OpenID Connect.

Not surprisingly, there are many efforts towards improving the security of OAuth flows, such as replacing bearer-tokens with stronger alternatives (such as with DPoP) or other high-security OAuth extensions (like FAPI, PAR, JAR, JARM, etc.) However, while being fundamental to API security whenever a user is involved, the method by which user authentication is performed is declared out of scope in the OAuth/OIDC specifications.

For this reason we need to separately consider improving the security of the user authentication process itself. Traditionally, this has been done using some form of Multi-Factor Authentication (MFA).

Attacks targeting end-users such as phishing are a huge problem today, but many MFA methods are either not phishing-resistant or have serious usability issues and are therefore only seen within some high-assurance enterprises scenarios.

Passkeys are phishing-resistant by design, can replace both PKI tokens as seen in enterprises and weak consumer MFA methods while also improving usability with a familiar user interface. They can serve both enterprise scenarios using security keys, or consumer scenarios using platform authenticators built-in to mobile and desktop devices.

The underlying FIDO2 open standards are supported today by all major browser and platform vendors. Now is the time for identity and platform providers to start securing user authentication for their services using passkeys.

In this presentation, we’ll dive into what passkeys are, the issues they solve, and how they can replace passwords and less secure forms of MFA like one-time passwords.

Smarter Tech Decisions Using APIs

Smarter Tech Decisions Using APIs

API blog

High impact blog posts and eBooks on API business models, and tech advice

API conferences

Connect with market leading platform creators at our events

API community

Join a helpful community of API practitioners

API Insights Straight to Your Inbox!

Can't make it to the event? Signup to the Nordic APIs newsletter for quality content. High impact blog posts on API business models and tech advice.

Join Our Thriving Community

Become a part of our global community of API practitioners and enthusiasts. Share your insights on the blog, speak at an event or exhibit at our conferences and create new business relationships with decision makers and top influencers responsible for API solutions.