Modernizing signer authentication: The case for passkeys

Ralitsa Miteva

Passkeys are gaining popularity across industries and are being implemented in various technologies, with organizations like Google and Amazon offering the technology to all users.

As passkey popularity grows, one particular emerging use case for passkey implementation is in eSignature solutions, creating an easy and secure way for people to sign important digital agreements.

Though organizations may be comfortable with their existing signer authentication processes and not feel a sense of urgency to adopt this modern approach, it’s important that authentication methods evolve to align with changing user preferences.

Consider, for example, that traditional methods like usernames and passwords emerged in the 1960s with the development of computers. Though many organizations still require manual password input, some are adopting alternative passwordless methods, with 53% of people reportedly enabling passkeys on at least one of their accounts in 2024.

As technology evolves, so must the security to keep sensitive information safe. In this blog, we introduce passkeys as the latest and most advanced passwordless authentication method, including their benefits and why they offer more secure authentication for the digital signing process when compared with traditional authentication methods.

What is a passkey?

The FIDO Alliance defines a passkey as a FIDO authentication credential that enables people to sign in to apps and websites using the same process they use to unlock their devices. For most, this means using biometrics or a PIN.

Passkeys remove the need to enter cumbersome information, such as usernames, passwords, or one-time passcodes (OTPs), while still meeting multi-factor authentication (MFA) requirements. They’re phishing resistant and secure by design—inherently helping to reduce cybercriminal attacks—making them a more secure replacement for passwords.

eSignatures are one example of a business process that could significantly benefit from the use of passkeys. Documents that require digital signatures often carry sensitive information (mortgage applications, life insurance applications, account opening agreements, etc.), so having a secure way to access those documents builds trust between businesses and their customers.

Passkeys for the eSignature experience

Passkeys are uniquely positioned as a tool for organizations to securely gather signatures from customers and clients.

While many organizations implement single sign-on (SSO) for employees, they often lack authentication for clients and other external users. This can expose documents to vulnerabilities. For example, if your organization does not secure documents externally and sends one to a client to be signed, it’s impossible to guarantee secure communication; you cannot verify who is receiving the transaction and reading the agreement. The risk is especially high in today’s world where people are constantly targeted by cybercriminals.

At OneSpan, we offer eSignature passkey authentication for signers because passkeys provide stronger assurance that your documents only reach the people they are intended for, and no one else.

Key features and benefits of passkeys

The main features and benefits of passkeys include:

  1. Improving the sign-in process across devices: Passkeys offer near-instant, single-step authentication directly on the user’s device. They eliminate manual input, reduce errors, and streamline workflows. They are available offline (after initial setup) and integrate seamlessly with ecosystems. This enables people to log in on any of their devices, even if it’s not where the passkey was originally created.
  2. Eliminating network and delivery failures: Authentication through passkeys minimizes customer support interventions and reduces operational costs, such as staffing, training, and time spent resolving problems—enabling resource and time savings. Passkeys do not require an extra login step that may never arrive, such as getting an OTP or code through email or text message.
  3. Reducing attack surface and exposure to common security attacks: Passkeys use unique cryptographic keys for each account, making them immune to phishing attempts. They rely on device-level security, which is harder for malicious actors to compromise, and operate locally on the user’s device without transmitting sensitive credentials, reducing the attack surface.

Passkey use cases

Passkeys enhance user trust in sensitive transactions, improve user experience and authentication adoption, and ensure security across multiple services.

While anyone can use a passkey, they are ideal for high-value transactions, sensitive contracts, and repeat signers. As such, organizations within the following industries will benefit the most from passkey implementation:

  • Financial services
  • Government
  • Healthcare
  • Legal
  • Retail

Traditional authentication methods are not as secure as passkeys. If your organization is still using traditional methods, it’s time to consider a change for the benefit of both your organization and your customers.

Shortcomings of traditional authentication methods

Traditional authentication methods involve a user proving they are who they say they are through usernames and passwords, knowledge-based answers (KBA), Q&As, or OTPs via SMS or email.

While these methods have long been a cornerstone of digital security, they have a significant impact on user experience, an organization’s operational efficiency, and overall security.

  • Difficult user experience: Whether it's forgetting passwords, failed sign-in attempts, network disruptions, server delays, or interruptions from switching between apps, traditional authentication methods often provide poor user experiences. This may lead to a reluctance to become a repeat customer.
  • Operational inefficiencies: As businesses face mounting pressure to streamline their operations under tighter budgets and reduced resources, authentication delivery failures increase support overhead and costs, have an impact on completion times of transactions, and often take unnecessary time to resolve.
  • Security vulnerabilities: Traditional authentication methods are frequently targeted by malicious actors and are vulnerable to security risks, such as phishing, credential stuffing, malware, and telecom-based attacks.

The advancement of technology means businesses no longer need to sacrifice security for usability. Instead, they can implement passkeys for authentication to improve user experience and confidentiality, increase sign-in success rates, and provide a smoother and more intuitive experience.

Making the transition to passkeys

Migrating to passkeys can seem like a daunting task, but it’s easier than you think. The following steps can guide you through the process of transitioning your organization’s authentication method to passkeys.

  1. Partner with a FIDO-compliant solution provider: Select a trusted provider, like OneSpan, for robust solutions and tailored guidance.
  2. Evaluate organizational needs: Assess current authentication methods and identify your organization’s pain points—this may be the percentage of failed authentication attempts, average time it takes a user to gain authentication, frequency of password resets, etc.—to create a clear road map forward.
  3. Develop a phased rollout plan: Pilot programs targeting specific use cases or user groups can help refine implementation before broader adoption.

Passkeys provide users with a seamless authentication experience, are more secure than passwords, and are valuable to the digital signing process. Using passkeys to protect digital authentication users, like eSignature signers, enables organizations to better protect customers and themselves.

Ralitsa Miteva is a fraud detection and prevention solutions manager at OneSpan where she advises financial institutions and other organizations about the evolving fraud landscape and helps them to overcome the new prevention challenges during their digital transformation.