175 Million Amazon Customers Are Using Passkeys to Access Accounts

Passkeys are more secure than passwords, the company said.
Amazon employees load packages onto carts before they are put on trucks for distribution, at Amazon's DAX7 delivery station in South Gate, Calif., on July 16, 2024. Richard Vogel/AP Photo
Naveen Athrappully

E-commerce giant Amazon says millions of customers are using passkeys to log into their Amazon accounts, giving these users “the convenience of passwordless sign-in.”

Passkeys allow users to sign into apps and websites like they do on mobile phones—using a face scan, fingerprint, or lock-screen PIN. Amazon rolled out passkey support on browsers and mobile apps last year.

“Today, we’re excited to share that more than 175 million customers have enabled passkeys on their Amazon accounts, allowing them to sign in six times faster than they could otherwise,” the company said in an Oct. 15 news release. “Adoption keeps growing every day.”

Passkeys are cryptographic keys made up of two parts: a private key stored on the user’s own device, such as a smartphone, and a public key held by the service provider they wish to access.

When a user creates an account using passkeys with any online service, their device automatically creates a private-public key pair. If the user wishes to access the account, the service provider sends a challenge to the device, which signs it with the private key and sends the result back. The service provider checks that response against the stored public key, thereby authenticating the user.

“When a customer uses a passkey on their device, it proves they have their device and are able to unlock it. Customers no longer need to worry about remembering unique passwords or using easy-to-guess identifiers, like names or birthdays,” Amazon states.

Passkeys cannot be written down or guessed, ensuring they cannot be accidentally shared with a bad actor, the company noted. Amazon says passkeys are less susceptible to phishing attacks than passwords or one-time codes sent through text messages.

This makes passkeys “a more secure option for our customers,” the e-commerce company said.

While passkeys offer more security, a user who relies on this login technique is not completely safe from attackers.

According to a post by Netherlands-based IT company Computest Security, there are tactics that third parties can use to bypass passkeys.

For instance, a hacker can deceive a user into visiting a replica of a website they use and dupe them into logging in with a passkey. The attacker can then use this login attempt to access the original website, the company said.

Implementing Passkeys

The passkey standards have been developed by the FIDO Alliance, a tech firm consortium that includes Apple, Amazon, Microsoft, Intel, Google, and Meta. Like Amazon, several companies have already rolled out passkey options for their users, including Google, WhatsApp, Shopify, Apple, PayPal, Uber, and eBay.

A complaint about passkeys has been that there is no standard protocol that allows users to transfer passkeys across password managers.

On Oct. 14, the FIDO Alliance published draft specifications for a “secure credential exchange” aimed at resolving this issue. Once standardized and implemented, the exchange will “enable users to securely move passkeys and all other credentials across providers,” the group said in an Oct. 14 press release.

FIDO said that more than 12 billion online accounts today use passkeys. The technology has made sign-ins up to 75 percent faster and reduced phishing, it said.

The alliance also launched a web resource called Passkey Central on Monday, where service providers can learn more about implementing the technology.

FIDO Alliance CEO Andrew Shikiar said the new web resource will accelerate the use of passkeys by providing website and app owners with “independent and authoritative guidance” on how to implement the technology.

Passkeys face significant challenges when it comes to widespread adoption. Because passkeys require devices such as smartphones to authenticate, individuals who do not have these devices will not be able to use the new sign-in method.

For instance, data from Statista shows that only 69 percent of people worldwide had access to smartphones in 2023.

Since passkeys require a user’s device for authentication, there are concerns about whether losing the device would allow third parties to access the user’s accounts. According to a Google post, this is not possible, because the device is only a part of the authentication process.

“If someone gets your device, they can’t do anything with your passkey. And if you lose your old device containing your passkey, you can easily create a new passkey on your new device,” Google said.

Naveen Athrappully
Naveen Athrappully is a news reporter covering business and world events at The Epoch Times.