If you’ve ever dreamed of creating a more secure and phishing-resistant sign-in experience, we have good news.
“There is a high chance that in a few years, Apple’s release of passkeys as part of iOS 16 will be remembered as the beginning of a revolutionary change in how companies implement sign-in for their products,” wrote Matthias Keller, Kayak’s chief scientist and SVP of technology, in a 2022 op-ed piece on the subject.
Passkeys offer a faster, easier, and more secure sign-in experience for your apps and websites. They’re strong, resistant to phishing, and designed to work across Apple devices, as well as nearby non-Apple devices. And because they’re integrated with Touch ID and Face ID, people can use passkeys like they would any other sign-in system or routine.
A passkey is a cryptographic entity used in place of a password that’s made up of two keys: one public, one private. The public key is registered with an app or website and kept on a web server, while the private key is stored on devices. When someone attempts to sign in, the app or website creates a challenge. The private key signs the challenge to create a signature and the public key is used to verify that signature without revealing what the private key is.
While there’s a lot going on behind the scenes, most people won’t know — or need to think about — any of it. With passkeys, there’s nothing to create, guard, or remember. Plus, the private key is stored in iCloud Keychain and is end-to-end encrypted for another layer of security.
Kayak: “You just initiate the process”
Kayak’s Keller isn’t just a longtime digital security evangelist with years of history in the field. He’s also a dad — and that poses its own host of security challenges.
“Between activities and school, I’m constantly creating accounts and passwords, all of which have a variety of stipulations,” Keller says. “Some can’t be longer than 16 characters, some require special symbols, and others won’t even recognize an exclamation point. And I know from experience that companies face similar challenges when it comes to protecting passwords.”
Keller has been involved with Kayak’s various login approaches throughout his 10 years with the company. Prior to passkeys, the app relied largely on “magic links” sent via email. “But it was getting more and more complex to ensure the security of magic links, especially when supporting logins across devices,” Keller says.
When Keller first heard about passkeys, he knew they were right for Kayak. “The moment it clicked for me was when I saw the first prototype and how easy it was to use,” he says. Kayak was one of the very first to support passkeys, releasing their update at the same time as the feature’s public release in September 2022.
The Kayak team was able to adopt passkeys so quickly in part because of the underlying framework and documentation supporting the feature. “Working on the server is my day-to-day, but I’m not afraid of doing a little bit of Swift, too,” he says. “Luckily, integrating passkeys was light on the UI side. We only had to initiate the experience provided by Apple.”
Feedback was overwhelmingly positive. In the feature’s first three weeks of availability, thousands of people created passkeys on Kayak. Almost 20 percent of those were existing users who manually opted into the new technology.
“The world before passkeys was broken,” he says. “You have all these obscure password rules, as well as expiration and compliance issues — and it can be extremely expensive to offer authentication because you have to buy security products or hire someone to run it for you.” Keller’s work at Kayak is part of a larger drive to get more companies around the world to support this new open standard — one that protects its developers as much as its customers. “You no longer need to protect millions of passwords. Now we only store public keys, which are pretty useless to hackers.”
For Keller, passkeys are now a crucial part of Kayak’s security strategy. “We’ve got a long journey until the last password is gone, but it’s exciting to see where we’re headed,” he says.
Instacart: “It seemed like a perfect match”
Instacart senior mobile engineer Josh Schroeder was on paternity leave when passkeys were introduced at WWDC22, but he made a note to dig into the idea upon his return. “Between the reduced friction and improved security, it seemed like a perfect match,” he says.
The Instacart team signed off on the idea quickly, encouraged by the opportunity to reduce sign-in friction. “That was the biggest selling point for me,” says Brandon Lawrence, Instacart’s senior software engineer. “Well, that and not having to remember another password.”
For Instacart, there was a second benefit as well: the opportunity to pare down duplicate accounts. “When they don’t remember their password, a lot of people just create another account,” says Schroeder. Passkeys avoid that unnecessary (and annoying) duplication. Because devices keep track of passkeys, there’s nothing to remember.
The early implementation process made Lawrence — who spent part of his pre-tech career as a meteorologist in the Marines — feel like something of a passkeys pioneer. “For much of what we build, we can look at the many people who’ve done it before. This time there was a lot more exploration, a little more feeling like we were in uncharted territory. Once we got it into place, it was relatively smooth.”
Today, passkeys are presented as the default sign-in option when creating an Instacart account with an email address (although if someone declines, the app offers the option to create a traditional password). More than half of new Instacart customers who created accounts with an email address have adopted the feature, and plans are underway to gradually convert existing accounts as well. “We believe in passkeys,” says Schroeder, “and we think this will become really common.”
Resources
Passkeys overview
About the security of passkeys
Supporting passkeys
Connecting to a service with passkeys
