May the Fourth be with You - Passkey Support now in Beta
Not only is it Star Wars Day, but it is also International Password Day. Expect lots of announcements about passkeys today as the prevailing wisdom is that the best password is no password, and passkeys have emerged as the shiny new replacement.
Despite all the media coverage and promotion by Apple, Google, and Microsoft, passkey adoption is still low. While migrating from usernames and passwords to usernames and passkeys is fairly straightforward, many sites also support social login, and adding passkeys is adding yet another way to log in - and unlike social login where the developer gets profile data - passkeys only provide authentication.
We implemented WebAuthn (the W3C standard for passkeys) a year ago but did not release it as the experience had many sharp edges in corner cases. After several iterations, we are now testing out using passkeys only on mobile devices. Passkeys are not a preferred provider, but a faster way to log into Hellō once you have logged into your device with your preferred provider. Passkeys really shine on mobile devices where a biometric is common, and if you have multiple mobile devices they can be synced across them.
When starting a flow from a social app, or linking a social account on mobile, the browser redirect is often stuck in the social app's in-app browser where your preferred provider no longer has access to its cookies, leading to a frustrating experience as the social provider is starting log in from scratch. Passkeys are available in some in-app browsers allowing for a simple and fast Hellō experience compared to using your preferred provider.
The experience is not quite where we would like to be though as the API does not provide an affordance for us to check if you have a Hellō passkey before calling the API. If we have a cookie - which we won't in an in-app browser we have not been in - we know you have a passkey and can prompt you to use it right away. If we don't have a cookie, you will need to choose to use your Hellō Passkey explicitly if you have created one.
Our enrollment experience prompts you to create a Hellō Passkey after you have logged in with your preferred provider if you are on a mobile device. If you create one, then you can use it on any mobile device it is synced to. Continuing our philosophy of giving you control over your identity, you can decline to create a passkey or ask us to remind you later.
Passkeys are a step function in user security and convenience. We hope you enjoy using them with Hellō, and we also hope the APIs evolve to smooth out the rough edges.