
Passkeys: removing barriers at the entrance

Penetration audit by Emat EOOD IT company
How often have you struggled to remember your password? In digital business, this is the most expensive ‘little thing’: passwords steal conversions, multiply endless resets, overload support, and remain a weak link in security.

The specialists at Emat EOOD explain why passkeys have become the professional standard for login, how architecture and UX are changing, and what risks need to be considered in order to transition to the new authorisation format without disruptions or unnecessary costs.

Resistance to phishing and an alternative to passwords
Passkeys are a modern alternative to passwords. Technically, each passkey is a cryptographic key pair: the private key stays on the user's device and the public key is registered with the server. Login confirmation takes place locally, via biometrics or a device PIN, and only a signature leaves the device. The main advantage of passkeys is their resistance to phishing: no shared secret is transmitted over the network, and each login operation is bound to a specific domain, so a ‘fake’ page on a lookalike domain cannot obtain a signature that is valid for the real site. In practice, it's simple: Face ID on iPhone, fingerprint scanner on Android, or Windows Hello on PC instead of a password.
What is changing in development
  1. Account model. Users are no longer ‘equal to their passwords’. One account can have several ways to log in: access keys on different devices, an external hardware key, backup codes. Recovery is separated from authorisation and becomes a predictable process, rather than a chain of ‘secrets via email’.
  2. Authentication flows. The ‘login-password-code’ scenario is replaced by login confirmation. The ‘Log in without a password’ button becomes the default option, with the password remaining as a backup for the transition period. The offer to connect access keys appears at a moment of high motivation — after a successful login, purchase, or contact confirmation.
  3. Data storage and processing. The service stores public keys and minimal metadata, rather than password hashes and their change history. This reduces risks, simplifies compliance with internal security policies, and reduces the attack surface.
  4. Analytics and observability. New metrics are used for monitoring: the percentage of passwordless logins, the average time to authorisation, abandoned step-by-step attempts, and support requests related to login issues. Without this dashboard, it is difficult to manage the quality of the experience and prove the economic effect.
  5. Testing and rollout. A matrix of devices and browsers is required, as well as scenarios for shared and corporate devices and offline stability testing. Implementation is phased, via feature flags, with the ability to quickly roll back and adjust UX copy.
How to implement without unnecessary risks
When implementing passkeys, the client side relies on the WebAuthn API (Level 3, client/browser), and the FIDO2/CTAP2 credentials themselves are created and held by the authenticator. Everything looks native in the user interface: browsers support Conditional UI (autofill-assisted login), and mobile platforms expose system APIs (Passkeys via ASAuthorization in the Apple ecosystem and Credential Manager on Android).

Instead of passwords and their hashes, the server stores: the credential ID, the public key (COSE format), the signature counter, and minimal metadata. Each operation is accompanied by a one-time challenge; the server verifies the origin of the request (origin and RP ID), the signature, and the user presence/verification flags (UP/UV). Support for discoverable (resident) credentials allows ‘login without a username’ and removes unnecessary fields from the form.
The account model becomes multi-valued: one user corresponds to several credentials on different devices, according to experts at Emat EOOD Bulgaria. Adding access keys to the software product under development cannot be considered a ‘premium option,’ so the basic improvement should not affect the price of the final product.

Risks and working solutions
Some users still work on older devices or in corporate browsers. Therefore, the transition is carried out in stages: access keys are enabled by default where the platform is ready, and the usual login methods are retained as a backup. The fear of ‘if I lose my phone, I lose access’ is alleviated by a simple and pre-described recovery process: backup codes and verified channels. In B2B scenarios, policies for acceptable authenticators and verification requirements are added — this is recorded in the settings and documentation.

Economics and effect
After launching software with passkeys, ongoing costs decrease over time: less OTP traffic via SMS and email, fewer similar tickets, fewer ‘I can't log in’ requests. The main result is an increase in the share of users who pass authorisation and complete target actions (purchases, applications, activations). This is a direct improvement in unit economics without changing the price for the customer: access keys are a basic improvement in UX and security, not a ‘premium option’.

If you need a plan to transition to access keys with an assessment of the impact on conversion and support, Emat company will conduct an audit and ensure a safe transition without downtime.