Amazon is making the move to passkeys as a safer authentication alternative to passwords, bringing support to browsers and mobile shopping applications and slowly expanding that support to the iOS app, with the Android app on the horizon.

With the support announced this week, the ecommerce and cloud services giant joins the likes of rivals Microsoft and Google and a growing number of other tech companies in adopting passkeys, a key tool for helping businesses move away from less-secure passwords that are vulnerable to phishing attacks and other cyberthreats.

“While passwords will still be around in the foreseeable future, this is an exciting step in the right direction,” Dave Treadwell, senior vice president of ecommerce at Amazon, said in a statement. “We are thrilled to be an early adopter of this new authentication method, helping to realize our vision for a more secure, passwordless internet.”

Individuals can sign in to applications and websites using passkeys via biometric methods – such as fingerprints or face scans – or a lock screen PIN. Passkeys can’t be guessed or brute-forced by bad actors and users – who these days can have 100 or more accounts they need passwords for – don’t have to write a password down somewhere to remember them all.

“When a customer uses a passkey on their device, it proves they have their device and are able to unlock it,” Amazon wrote. “Customers no longer need to worry about remembering unique passwords or using easy-to-guess identifiers, like names or birthdays. … Passkeys are less susceptible to phishing attacks than passwords and one-time codes in text messages, making them a more secure option for our customers.”

Amazon users can enroll for passkeys through their browser or iOS Amazon Shopping app. They can select “Your Account,” choose “Login & Security,” select “Set Up” next to “Passkeys,” and follow the instructions.

The Transition to Passwordless

The FIDO Alliance and growing number of large IT vendors, including Microsoft, Google, and Apple, have for years advocated for technologies that can replace passwords, though it will take some time for a passwordless world to appear.

In a study published last week, FIDO and password manager vendor LastPass found that 89% of IT leaders survey expect passwords to account for less than a quarter of their organizations’ logins within the next five years.

In addition, 92% said they have a plan in place to migrate to passwordless authentication and 95% using passwordless technology somewhere in their organization.

“The move towards passwordless authentication has gained steam over the past few years as an increasing number of organizations have moved to eliminate the risk and liability of passwords as they are the source of the vast majority of data breaches,” Andrew Shikiar, executive director and CMO at FIDO, said in a statement.

Helping to fuel the growing support is the accelerating trend of more business being done online, which is driving hackers to increasingly target credentials as a way to get into and compromise corporate networks. In its annual security report, Verizon last year said that in 2021, 82% of security breaches were due to stolen credentials.

Following in the Footsteps of Others

Amazon’s move comes about the same time that Meta-owned WhatsApp said its users can log in using passkeys and after Google announced that passkeys are now the default sign-in tool for all Google Accounts. Microsoft has long been a proponent of passwordless authentication and last month unveiled support for passkeys in Windows 11.

Other vendors supporting passkeys include Microsoft-owned LinkedIn and GitHub, PayPal, X (formerly Twitter), Uber, 1Password, and TikTok.

Vincent Delitz, co-founder of passkey startup Corbado, noted last week that Amazon was quietly adopting passkey support and outlined the benefits to Amazon users, such as enhanced security, and the ripple effect that having such a large player will have on larger tech industry, including possibly accelerating the move away from passwords and educating a large customer population to how passkeys work.

Some Work Still Needed

However, Delitz also was critical of Amazon’s implementation of the technology, such as a problem with Relying Party ID. The way Amazon set it up, each passkey needs to be registered for one Relying Party ID, so amazon.com and amazon.de each will need its own passkey, he wrote in a blog post.

Also, Amazon didn’t include a Conditional UI capability that allows for a more seamless transition from traditional password authentication to passkeys or native passkey support for either Amazon’s shopping app or for Prime Video.

Delitz also pointed out the “clunky” device detection and management for passkeys and that users with two-factor authentication set up will still have to go through an additional one-time code verification, “which is kind of an unnecessary step as passkeys are 2FA by default.”

“While Amazon’s venture into passkey authentication is a significant milestone, it’s evident that the journey to perfecting this feature is just beginning,” he wrote.