​As an authentication engineer of KINTO, Hoang Pham will present an article about Passkey, which was implemented on the Global KINTO ID platform (GKIDP).
After joining “OpenID Summit Tokyo 2024” and hearing about Passkey combined with OIDC, I thought that I should write something about how Passkey brings much profit to our ID platform.

I. Passkey Autofill on GKIDP

Passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices.
Below is how users can authenticate by passkey with a single click.

Fig 1. Login by Passkey with KINTO Italy IDP

The beauty of Passkey demonstrated by its seamless UX exactly is the same as the “Password recommendations”, so users do not need to know the intricacies of what is different between a Passkey or a password. The system uses asymmetric cryptography behind without a password or anything the user must remember. Just FaceID authentication, and everything is set!

Passkey is the most secure and state of the art on authentication system in the field which has been supported by Android and iOS since late 2022. It is still in development and being upgraded. To ensure our GKIDP (Global KINTO ID Platform) remains up-to-date with the latest technologies, we introduced Passkey Autofill in July 2023, just right after Mercari, Yahoo Japan, GitHub, and MoneyForward integrated it into their respective ID Platforms.

In the next parts, I will explain how we leverage Passkey on Federated login and make GKIDP users more comfortable with our “Global Login” feature.

II. Passkey on Federated Identity

To briefly explain our product, our Global KINTO ID Platform, or GKIDP is the authentication system deployed in Italy, Brazil, Thailand, Qatar, and South American countries for the KINTO services in those locations as of March 2024. By compliance with the GDPR and data protection regulations, we separate GKIDP into multiple Identity Providers (IDPs) located in each country and identify users as one single user’s Global ID through a “Coordinator”. By leveraging Global ID, users may be able to enjoy shared benefits across KINTO services around the world.

Fig 2. GKIDP and Passkey-supported IDPs

In most cases (Fig. 1. Login with Passkey), users just use the local IDP for federated authentication and log in to use KINTO services inside their country. But in our case, Passkey was implemented on each of our IDP (for example, Brazil IDP) to help all RP-relying party applications or “satellite services” (for example, KINTO One Personal or other KINTO services in Brazil) include a Passkey functionality. This advantage was also mentioned at the OpenID Summit Tokyo 2024 in which we participated, so it was good to know we are on the right track to implement Passkey combined with the OpenID Connect protocol.
Additionally, GKIDP has a unique feature to let users, not only log in to the KINTO or KINTO related services inside their country but also outside, if they travel or move to other countries where there are other KINTO services. We call it the “Global login” feature. It contains many steps, but it tries to solve the difficulty for users to remember multiple usernames and passwords from different countries. The implementation of a Passkey can streamline the global user login process, requiring only a few simple steps without the need to remember or input any information. For example, let’s see how the Italy KINTO Go user (same user in the example of Fig. 1) could make use of the global login to access the KINTO Share service in Thailand with just a few clicks in Fig. 3, reducing the log in experience time from an average of 2–3 minutes to around 30 seconds. Users can utilize a single Passkey to access all KINTO services, regardless of whether the local IDP supports Passkey or not.

Fig 3. Global Login with Passkey

The passkey is not only integrated into the local login and global login processes but also into all authentication screens including re-authentications, etc. Once a Passkey is registered, users hardly need a password to verify anything anymore.

III. Passkey and some interesting numbers

Fig 4. Passkey registered users

In our Italy IDP case, we received 875 users who registered and using Passkey, occupying 52.2% of new registrations since Passkey was released. We hope that this number will increase as users update their OS to support Passkey Autofill (iOS >16.0 and Android> 9)
In Brazil, despite the focus on Desktop PC users with KINTO Brazil, where Passkey isn't widely used on Microsoft PCs, we still have more than 20% among the 1176 newly registered users.

IV. Conclusion

As KINTO engineers, we are very excited to introduce new technologies for a passwordless future and strengthen user data protection. Leveraging Passkey, users can log in with ease with the highest level of security with this method nowadays. We are looking forward to connect many new KINTO services to our IDP(s) hub: GKIDP.

Another article from Hoang Pham:
https://blog.kinto-technologies.com/posts/2022-12-02-load-balancing/