Amazon Quietly Wades Into the Passkey Waters

The move by the e-commerce kahuna to offer advanced authentication to its 300+ million users has the potential to move the needle on the technology's adoption, security experts say.


Amazon has silently rolled out passkeys for shoppers and streamers, following other tech giants like Google and Microsoft into the next-gen cloud authentication fray.

The concept of passkeys is familiar to most users, thanks to FaceID and TouchID for Apple devices, digital fingerprint scanners on laptops, screen-lock PINs, and other forms of passwordless unlocking mechanisms for hardware devices. In recent months, that same concept has made its way to cloud services, websites, and apps, with everyone from Uber to OnlyFans allowing users to sign into their cloud-based accounts using the same device-based technology. Enterprises are also eyeing passkeys for internal use.

Corbado co-founder Vincent Delitz first noticed and publicized the addition for Amazon users, noting that, "given Amazon's vast user base, this rollout is set to familiarize a large segment of non-tech-savvy users with the benefits of passkeys. The ease of use might convince these users to demand passkeys from other online platforms as well."

However, he did flag a few glitches with Amazon's passkey implementation, including the odd choice not to include passkey support for Amazon native mobile apps (that goes for the e-commerce app as well as Prime Video); the need to configure separate passkeys for each country or top-level domain; the lack of passkey autofill; device management challenges; and other quibbles. Amazon did not immediately return a request for comment from Dark Reading on the matter.

Still, the rollout, along with Google's announcement last week that it will make passkeys its default sign-in mechanism, greatly amplifies the drumbeat to move, once and for all, beyond passwords and even basic forms of two-factor authentication, such as SMS-based one-time codes. Eduardo Azanza, CEO at Veridas, sees nothing but security upside in the development.

"Biometrics are tied to a user's physical characteristics and therefore cannot be compromised as easily by cybercriminals. And, security teams are able to quickly detect instances of fraud, identity theft and spoofing," he said in emailed comments. "The roll-out of passkeys by Amazon is a strong message that the big tech firms know that it is time to end the password."

He added, "[We are] shifting the paradigm away from the presumption of 'what we know' or 'what we have,' which is how passwords have worked so far, to 'who we are': people with unique qualities that cannot be duplicated."

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.
