“…there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns — the ones we don’t know we don’t know.”– Donald Rumsfeld
Former U.S. Secretary of Defense Donald Rumsfeld said these words at a press conference back in 2002. He did not invent the concept, but it has become famously (and infamously) associated with him, and the title of his book is “Known and Unknown.” Even project management principles are designed around the fact that projects involve uncertainty: some situations are predictable, others are not. This article explores how to think about the unknown unknowns (the pitfalls and challenges) of building a passkey solution (FIDO-based authentication credentials) in-house versus the advantages of adopting an off-the-shelf solution, and the significant implications for security, functionality, maintenance, scalability and time-to-market that need to be addressed either way.
When considering the implementation of passkeys as an alternative to passwords, organizations often focus on the minimum viable product (MVP) requirements. However, the question arises: What is viable, and what about version 1.1 and beyond? Implementing V1 can be a hurdle, but staying on top of fast-moving technology enhancements means teams need to be ready to adopt new technology. This is when you must weigh starting from scratch against vendors who have experience in passkey/passwordless authentication solutions that are comprehensive, meet current requirements and allow for future expansion, helping organizations avoid dead-ends and keep pace with evolving specifications.
A crucial aspect that today’s passkeys need to support is the wide variety of client environments. Most vendors offer seamless integration with native apps on iOS and Android as well as web apps in any browser. If you attempt to build this in your own environment, keeping up with every platform can be time-consuming and costly. And if you are working in highly regulated markets, there are a lot of compliance issues to address. Below, I’ll explore just two areas where dedicated passwordless authentication vendors bring years of experience that lets you cater to regulated markets, for example by providing support for device binding on different platforms, including Android, iOS and Windows. This versatility ensures compatibility across a wide range of user devices and use cases.
The days of homogenous hardware and software backend environments are gone. Ensuring you have addressed every type and version used within your services can be time-consuming. Too many unknown unknowns can cause delays, but dedicated passwordless authentication vendors with passkey experience can help integrate with an organization’s existing backend infrastructure. Make sure your choice of passwordless vendor seamlessly integrates with cloud Hardware Security Modules (HSMs) and Secret Stores, enabling secure access to other backend services. This integration capability simplifies the implementation process, minimizing the need for extensive code changes and facilitating easy updates to rules and policies.
Building and maintaining a passkey solution in-house comes with its share of challenges. One major concern is keeping up with the evolving FIDO and WebAuthn specifications and incorporating advances into the solution. Staying abreast of the specifications demands time, effort and budgeting for ongoing maintenance, which organizations often overlook when choosing to build their own solution. In contrast, partnering with dedicated passwordless authentication vendors ensures that passkey features remain up-to-date, reducing maintenance burdens, controlling budgets and allowing organizations to focus on core business objectives.
Homegrown development carries inherent unknown unknowns, particularly when implementing a paradigm like passkeys for the first time. Organizations may overlook critical factors or encounter unexpected challenges, resulting in higher costs, delays or compromises on user experience. Partnering with an established passwordless authentication provider mitigates these risks by leveraging their extensive experience and lessons learned from successful passkey deployments for global leaders. This reduces project failure risks and facilitates a smoother implementation process.
At first, choosing to build a passkey solution independently may seem appealing from a cost perspective, but it often fails to account for hidden expenses and missed opportunities; this is, again, where unknown unknowns can start to cost a lot of time and money.
When faced with the unknown unknowns of building or buying a passwordless solution based on the FIDO standard, organizations must carefully evaluate the costs, benefits and risks involved. Building a solution from scratch may appear cost-effective or a better fit for existing infrastructure, but that view often underestimates the maintenance challenges, development risks and missed opportunities. By leveraging a traditional passwordless vendor’s comprehensive passkey features, organizations can ensure a complete, scalable, secure and future-proof implementation, benefiting from the expertise and investment of a trusted industry leader.