Introducing Passage: Biometric User Authentication Built for Developers

Cole Hecht
January 30, 2022

Today, we’re thrilled to introduce Passage – biometric user authentication built for developers.

Innovation moves fast, and we believe smart technologists generally find the “best” way to do things. That’s why we’ve been puzzled by user authentication. Biometrics are built into many of our phones, tablets, and laptops, yet most of our favorite login pages feel woefully reminiscent of 2012. Why don’t we log in to every website with Face ID, Touch ID, Windows Hello, or our Android fingerprint readers? After all, aren’t those safer and easier alternatives to passwords? Well, yes. But pure biometric authentication has been remarkably difficult to build, until now.

Passage is a tool that helps developers protect and delight their users. With a few lines of code, we simplify the surprisingly complex problem of end-to-end biometric authentication. Seriously. Passage provides a web component that handles every aspect of biometric login and registration in your web app as well as backend libraries to validate user sessions on your server. Between the two, developers can implement truly modern authentication in a few minutes.

If you’re short on time, antsy, or skeptical, feel free to jump right into it. Our quickstart guide walks you through everything, and we hope you’ll find it helpful in understanding exactly what Passage brings to the table.

What a big problem…

We’ve thought a lot about user authentication. A lot. Over the years, we’ve built, assessed, or advised on hundreds of applications using various authentication methods. In doing so, we reached the same conclusion as everyone else: passwords suck.

About one-third of online purchases are abandoned because people can’t remember their passwords.* People have bemoaned and stressed about them since they were introduced around 50 years ago. The security community rallied around password complexity requirements, but quickly realized things weren’t getting better. Users were still struggling to manage their clunky passwords while left vulnerable to common attacks. Two-factor authentication promised to make things better and became fairly mainstream. While certain types of two-factor went a long way to protect users, the “clunky” feeling of passwords only worsened with an additional login step.

We naturally got excited when “passwordless” became a hot topic. Getting rid of passwords is great, but email links and one-time codes don’t significantly improve a user’s login experience. These authentication methods certainly eliminate passwords but fail to address the fundamental authentication problems around security and user experience. We want users to have a secure login experience that is safe, effortless, and delightful.

What an obvious solution!

When Apple introduced Touch ID in 2013, many people saw simple and secure authentication for the first time. Since then, Touch ID and other biometrics have become ingrained in consumer devices, but their utility has been largely limited to unlocking devices or opening a native mobile app (e.g. your bank app). Recently, it’s become possible for developers to access a device’s biometrics directly from a web browser. That’s big news because the safe and delightful login experience associated with native mobile apps is now possible all across the web.

Multi-factor authentication (MFA) has always been stronger than single-factor authentication, but biometrics have the remarkable ability to make two factors feel like one. When a user authenticates with Face ID, for example, they are simultaneously asserting something they are and something they have. What’s more, Passage has built its authentication system on the WebAuthn protocol, which entirely prevents phishing and account takeover attacks. That’s serious security with a single glance or touch.

While we all care about security, user conversions are paramount for most apps and businesses. Abandoned shopping carts are merely a microcosm of password-related friction that exists at critical registration and transaction points all across the internet. A fully biometric authentication system goes beyond security to help sign up more users, convert more transactions, and push the top line higher.

So what’s the catch?

Developers, this one’s for you.

Personally, we’ve never visited a website that allowed us to sign up and log in directly with biometrics. That’s not to say they don’t exist, but they’re far from common. If biometric authentication offers improved security and user experience, it raises the question of why it’s not ubiquitous. We spent a lot of time on that question and realized that it’s remarkably difficult to build.

One of the unique challenges of implementing biometric authentication is managing all of a user’s devices. Not only do they need to log in to an application with Touch ID on their iPad and Windows Hello on their laptop, they also need to be able to log in to the same app on a friend’s desktop computer by doing Face ID on their iPhone. That’s where things get tricky. The multi-device nature of biometrics is riddled with corner cases, gotchas, and security issues, so it’s no wonder that most organizations have kept the status quo. There are just too many risks and unknowns for most developers to roll their own biometric authentication, so we decided to help.

We’ve spent the last year focused on making it easy for developers to implement biometrics in web applications. One of the first things we realized was that a biometric login page had many more states than any other login page – dozens, in fact. So in addition to our authentication API and libraries, we also built a complete authentication system inside of a web component. That means developers can implement the many views, prompts, and errors that go along with biometrics by simply adding a <passage-auth> HTML element to their frontend. Cool, right? On the backend, we’ve built libraries to authenticate users and interact with Passage. We currently support Go, Python, and Node, with more libraries coming soon.

Going Forward

Today, we are proud to announce our public beta. We’ve been working with a closed group of developers, and now we’re thrilled to open Passage to the larger developer community. Our goal is to make authentication the easiest part of building an app, so please sign up for Passage or join our Discord and let us know what you think. In the coming months, we’ll be rolling out native mobile SDKs, customizable user registration, extensibility features, guides, libraries, and more. We’re humbled to be a part of making the internet a little bit better and hope you’ll join us on the journey.


-- Cole & Anna


* https://newsroom.mastercard.com/press-releases/mastercard-identity-check-to-simplify-and-strengthen-online-shopping/