
By Geoff Schomburgk, Asia Pacific & Japan Vice President for Yubico
At their core, passkeys are built on public-key cryptography. When a user creates a passkey, their device generates a unique key pair: a private key securely stored on the device and a public key shared with the service provider. Since the private key never leaves the device and cannot be entered manually, passkeys inherently resist phishing and credential theft.
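The key-pair and challenge-response flow described above, as an added Go example that is not Yubico's or the page's own code: the authenticator holds a P-256 private key that never leaves it, the browser (not the user) fills the visited origin into the signed client data, and the relying party checks challenge, origin and signature. The `clientData` struct, `Verify` function and the sample origins are constructed for illustration; real WebAuthn also signs authenticatorData and uses CBOR.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Authenticator models the user's device: the private key is generated here and never exported.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// clientData is a cut-down collectedClientData (constructed model, not WebAuthn's real encoding).
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	return &Authenticator{priv: priv}, nil
}

// PublicKey is the only key material ever shared with the service provider.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign answers a login challenge for the origin the browser reports; the private key stays inside.
func (a *Authenticator) Sign(challenge, origin string) (cdJSON, sig []byte, err error) {
	cdJSON, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin}) // cannot fail here
	h := sha256.Sum256(cdJSON)
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, h[:])
	return cdJSON, sig, err
}

// Verify is the relying party's check: the challenge must be the one it issued (blocks replay),
// the origin must be its own (an assertion signed on a look-alike site fails), then the signature.
func Verify(pub *ecdsa.PublicKey, wantChallenge, wantOrigin string, cdJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil { return err }
	if cd.Challenge != wantChallenge {
		return errors.New("stale or unknown challenge")
	}
	if cd.Origin != wantOrigin {
		return errors.New("origin mismatch: assertion was made for a different site")
	}
	if h := sha256.Sum256(cdJSON); !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not verify under the registered public key")
	}
	return nil
}
```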
Users can authenticate using biometrics (like Face ID or fingerprint), a PIN, or a physical security key, removing the need to remember or manage passwords entirely. This significantly reduces human error and simplifies the login experience.

Reimagining Modern Multi-Factor Authentication
Passkeys offer a seamless form of modern multi-factor authentication (MFA) that doesn’t rely on SMS codes or authenticator apps. But not all passkeys are created equal, and there are two main types to consider for various use cases:
Syncable passkeys - stored in cloud-based password managers or platform-bound keychains (e.g., Apple iCloud, Google Password Manager), these allow users to access credentials across multiple devices.
Device-bound passkeys - stored on a physical device such as a hardware security key (e.g. a YubiKey), these keep the credential locked to a single physical object and so offer a much higher level of security.
While syncable passkeys prioritise the convenience of syncing across multiple devices through the cloud, they also introduce new vulnerabilities: if the cloud storage is compromised, the keys could be intercepted or misused. Device-bound passkeys, on the other hand, ensure that authentication requires physical possession of the device, raising the bar significantly for attackers.
Why device-bound passkeys?
Adoption friction is often blamed on the novelty of passkeys and users’ resistance to change. Indeed, some users have encountered issues with syncable passkeys, particularly around cross-platform compatibility, device syncing and usability. These poor experiences can turn users off from trying passkeys again.
Device-bound passkeys solve many of these problems. They offer superior protection and work consistently across platforms, delivering fast, secure logins without relying on potentially fragile cloud syncing mechanisms. By eliminating passwords and sync-related errors, hardware passkeys reduce friction rather than increase it.
A new path forward: Striking the right balance of security and usability
The security versus convenience debate is real, but it’s no longer a binary choice. Passkeys, especially device-bound options, mean users no longer have to compromise: they offer the ease of passwordless authentication with the assurance of unbreakable cryptographic protection. Device-bound passkeys are becoming more accessible and affordable. Businesses and platforms should take this moment to lead users toward this stronger standard.
To accelerate the adoption of passkeys without compromising user experience, a multi-faceted approach is essential. First, user education must take centre stage. People need to understand not just what passkeys are, but why they matter: how they eliminate the risks of phishing and password-related breaches while simplifying everyday login experiences. Clear communication around the benefits and ease of use is key to overcoming initial scepticism and encouraging behavioural change.
Equally important is promoting device-bound passkeys as the gold standard for secure authentication. While synced passkeys offer convenience, hardware-based alternatives provide unmatched protection by ensuring credentials remain physically tied to the user. Framing this not as a trade-off, but as a balanced and superior solution, will help build user trust and confidence.
On the technical side, developers and platform providers must work to simplify the implementation and integration of passkey support across devices, browsers, and operating systems. Reducing fragmentation and ensuring compatibility will remove friction for users and organisations alike. At the same time, fallback mechanisms should be designed with care, offering alternative access without reverting to weak, legacy methods that undermine the integrity of passwordless systems.
Passkeys, especially device-bound variants, represent a turning point in the evolution of digital security. By aligning usability with robust protection, they have the potential to make secure authentication both practical and pervasive.


