Why Big Tech Won’t Replace Passkey Aggregators

Update June 22, 2023:

At the recent WWDC23 , Apple introduced new features for passkeys that also affect passkey aggregators: The iOS 17 update introduces the new Authentication Services API , empowering third-party "passkey providers" such as passkey aggregators / password managers to generate and utilize passkeys within any native app or across platforms / devices seamlessly. This liberates enterprises from relying solely on the Apple iCloud Keychain for passkey synchronization and management. Consequently, as we already speculated in March, passkeys can now be used outside the Apple ecosystem, eliminating a significant barrier for cross- device and cross-platform scenarios.

Read more about the new passkey features in iOS 17 in our new blog article .

With the digitalization wave gaining momentum, secure authentication and authorization methods have become a top priority. Passkeys, owing to their convenience and security, have earned widespread popularity in this context. United under the FIDO alliance, big tech such as Apple, Google, and Microsoft, have pushed passkeys onto the market to reduce reliance on passwords and improve online authentication.

To facilitate the integration of passkey logins into software across different platforms, passkey aggregators have emerged as a critical player in the market. They offer cross-platform solutions to enable the adoption of passkeys via web components, software development kits (SDKs), and APIs without focusing on specific ecosystems, like Android, iOS / macOS or Windows.

However, with Apple, Google, and Microsoft actively promoting passkeys and backed with their immense financial, human and technical resources, it raises the question of whether passkey aggregators will become redundant. Will these tech giants soon replace the need for passkey aggregators with their own in- house solutions that can be integrated into websites and apps?

Aggregators have proven to be an important role in tech world

The concept of large technology companies pushing innovation while smaller players provide the necessary infrastructure and implement solutions for SaaS and e-commerce is not new. This has been a common practice in the tech industry for years and has proven to be a successful strategy.

Take Stripe, for example. This payment aggregator has integrated with various payment companies such as Visa, Mastercard and American Express to provide businesses with a streamlined payment process. By acting as a mediator between these payment companies and businesses, Stripe allows for simplified payment processing and improved efficiency benefiting both the businesses and their end users.

Similarly and a bit closer related to passkeys, big tech companies like Google, Facebook and Twitter introduced social logins, but among others it was authentication providers like Auth0 that took care of the integration into websites and apps. This division of labor allowed for successful adoption of the technology - and Auth0 even achieved unicorn valuation as a result.

However, there are some differences between these examples and the passkey market. While large tech companies could in fact simply offer software for passkey implementation in websites and apps themselves relatively easily, there are still several reasons why passkey aggregators have an edge over Apple, Google and Microsoft passkey-wise.

1. Passkeys cannot be easily transferred across platforms

Firstly, it's common for users to use different devices and platforms. This has created a need for a unified passkey solution that can seamlessly work across multiple platforms, managing the co-existence of data. Take the example of a user who has an Apple iPhone and a Windows laptop. To ensure a seamless experience across platforms, the passkey provider of choice needs to act as a homogenous interface between these platforms (Apple and Windows).

Big tech on their own, however, will never merge their user base and data with each other for strategic reasons, making it impossible that they will offer a unified passkey solution across platforms any time soon. Filling the gap and providing a much-needed service to users, this is where passkey aggregators come in.

2. Data privacy remains problematic with big tech

Secondly, there are privacy concerns when it comes to using passkey solutions provided by big tech. Logging in via big tech social login will inevitably lead to them monitoring users service usage. But besides moral considerations, in terms of data privacy, there's a pragmatic point to consider as well. If the big tech accounts that users use to log into other services are breached, it can immediately affect those other services. The massive data breach that Facebook disclosed in September 2018 is a prime example of this, as it impacted at least 50 million users and additionally exposed all of those services these users logged into using their Facebook social login. As a result, companies often prefer to keep user data in-house, particularly European ones that must comply with additional regulatory demands imposed by GDPR (for more on this, check out article about GDPR compliance of US providers). In contrast, (EU-)passkey aggregators provide a secure solution for data protection and ensure user data remains confidential thanks to their independent nature

3. Simpler passkey integration

Thirdly, passkey aggregators have a close relationship with their client companies and focus solely on passkeys, allowing them to offer passkey- specific and integrated solutions tailored to meet the specific needs of each client. Passkey logins can be easily integrated into existing workflows, offering the flexibility to adapt branding to a company's unique identity. In contrast, the big tech solutions by Microsoft, Google, and Apple that are already available mainly provide high-level guidelines only for the specific platform. This leaves businesses to either invest additionally in adding their own unique workflows or settling for just those bare-minimum solutions provided by big tech, which will compromise brand identity and website/app login flows in edge cases (which is where the complexity actually lies).

4. Past has shown the need for alternatives to big tech logins

Finally, it's worth considering the undeniable truth of past experiences. With social logins, big tech struggled to gain widespread adoption of their in- house login-improvement solutions before, despite dedicated attempts. While surely many websites and apps have integrated these technologies, almost every one of these still offers the traditional email and password login. This suggests that big tech's login solutions are not sufficient in practice. This leaves a significant portion of the market open for passkey aggregators, who offer secure, customized, and unified solutions for those seeking a better way to manage their login credentials.

As passkeys become more relevant, there will be greater need for passkey aggregators

In conclusion, while big tech companies would have the resources to build comprehensive server-side passkey solutions themselves, passkey aggregators play an important role in the market. They provide a unified solution that works across multiple platforms, while ensuring user privacy and data protection. Corbado, as a leading passkey aggregator, offers an easy-to-adopt, fully GDPR-compliant solution in this field, making its value offering unlikely to be threatened by big tech.

Reach out to us to learn more about the unique advantages Corbado's solution can provide!