In today's app-centric landscape, security is fundamental. While there isn't a single portion of our life untouched by technology, we're still stuck with the decades-old security practices of passwords.
At Pangea, we're excited to improve our customers' ecosystems with the launch of Passkeys. In this blog post, we'll dive into the details of our launch and explore why they are essential in today's security-conscious world.
What are Passkeys?
Passkeys are an authentication mechanism designed to bolster security while providing a seamless user experience. Unlike traditional passwords, which can be susceptible to various attacks such as phishing or brute force, Passkeys are a cryptographic key pair generated and stored in your device or password manager. This lets you protect your passkey via biometrics or a PIN on your device while the key itself is bound to the username and password of the site.
Why should you use Passkeys?
When you first consider passkeys, they look like yet another authentication option, like TOTP. While they're more secure, they seem to add yet another step to the onboarding process and authentication flow. Once you actually use passkeys, they make more sense: they improve both usability and security in one step. Some specific reasons:
Passkeys help mitigate common attack vectors such as phishing, credential stuffing, and brute force attacks. By eliminating the reliance on static passwords, passkeys significantly reduce the risk of account compromise. If you want to understand the sheer scale of the breached passwords out there, check out our User Intel service.
Passkeys offer a user-friendly experience. With options for biometric authentication, one-touch passkeys, and seamless integration with existing systems, users can enjoy enhanced security without sacrificing convenience.
Passkeys are easily deployable and adaptable to various use cases and environments. Whether your users are on Macs, Windows, mobile browsers, or their favorite tablet, passkeys are supported by every modern browser, every password manager, and modern mobile devices.
How do I use Passkeys in Pangea?
Using passkeys in Pangea is a two-step process. First, you turn them on for your users; then they enroll. There's a little more to it, but that's the core.
Within the Pangea User Console, go to your project’s AuthN configuration and visit your “Single Sign On” settings. Here you can enable passkeys and optionally give your users a fallback method. To be clear, by default passkeys operate as an alternative to your MFA policy, not a replacement.
Note: While you can disable the fallback option, we recommend using it to simplify your customer support for lost devices and similar.
To learn more, check out our guide to activating passkeys.
The next time your users successfully authenticate using our Hosted Login Flow, they will automatically be prompted to create and enroll a passkey. One click and they're done. The next time they visit your login form, they can click "Sign in with a Passkey" and immediately authenticate in one step. If they're using a password manager, their passkeys can even be synchronized across devices for the same experience everywhere.
Wait. What about WebAuthn?
You've probably heard of WebAuthn (or FIDO2) and how it will solve all your problems, so why should you use passkeys instead? That's a great question.
WebAuthn is part of the FIDO2 specifications and an open API standard that lets web apps use the browser and the underlying device to provide a better, more secure authentication experience. At a practical level, it uses public key infrastructure (PKI) to create and use a public/private key pair, and then runs a challenge/response exchange between the application and your browser.
While WebAuthn is a standard, Passkeys are the implementation.
What’s next for Pangea AuthN?
In the last month, in addition to Passkey support, we've released User Import from a variety of Identity Providers (IDPs) and SAML for SSO for both IDP-initiated and SP-initiated flows. Now we're doubling down on integrations to make embedding AuthN into existing apps better, easier, and more secure.
Check out our tutorial on adding passkeys to React.js apps and don't forget to join the Pangea Developer Community to keep up and learn more.