Companies from Google to Mastercard are close to killing off passwords forever
Like many people, I gave up on trying to remember all my passwords years ago and handed over that responsibility to a password manager. But offloading my memory to a password manager comes with its own set of problems as companies' sites keep layering in more security. Each login feels like a heist-style safe cracking: Unlock the password manager with its own password. Click. Copy and paste a unique, unpronounceable string of characters into the sign-in form. Click. Confirm it's me with a six-digit code sent to my email or phone. Click. And I'm in.
And that's for just one account — I often have to repeat that process several times a day just to complete basic tasks. I'm not alone: The average person has accumulated close to 100 passwords to access everything from their email inboxes and bank accounts to streaming services and their local café's membership program.
Despite their abundance, passwords aren't a foolproof way to keep people's information safe. They're notoriously easy to crack: Microsoft reports nearly 1,287 password attacks every second, or about 111 million daily. And Cybersecurity Ventures reports that 44 records are stolen from breaches every second. Given the fallibility of a string of letters, numbers, and characters, tech firms have layered a series of defenses on top of passwords since their introduction in the 1960s — from mandating the codes include both numbers and letters to adding a second authentication step, such as security questions. These added complexities have done little to ward off break-ins. Last year alone, over 24 billion login credentials were exposed, an increase of 65% compared with 2020.
To solve the password problem, a coalition of some of the most influential tech firms, including Apple, Amazon, Google, and Microsoft, created the FIDO Alliance, which has spent the past decade working on a login system that would kill the archaic password once and for all. The FIDO solution is almost here, and I got to try it out for a few weeks. Though we're nowhere close to an entirely password-free future, the system I tried is already a game changer.
The scourge of passwords
The birth of the internet posed an immediate problem for businesses hoping to operate online. How do we make sure someone is who they say they are? To solve the issue, businesses turned to what Ziming Zhao, a computer-science professor at the University at Buffalo, told me was the simplest solution: text-based logins, or passwords. A study by the University of Cambridge compared two decades of proposals for alternatives to passwords, and each did worse than passwords on deployability — a measure of how easy it was for businesses to set them up.
Despite their ease of use, passwords come with significant downsides: More than 80% of data breaches are the result of weak passwords. While cybersecurity experts have found ways to tighten online privacy, most of the time the responsibility to keep data safe ultimately rests on people — and people are not very reliable. Even though most people know when their credentials are insecure, only a few people bother to do anything about it. And additional security measures, such as two-factor authentication, are just Band-Aids on the problems that passwords pose. There's always a new threat around the corner, Christiaan Brand, the product manager of Google's identity and security team, told me: "We're at the point where we really need to start from scratch."
The quest to kill passwords isn't new. In 2004, Bill Gates famously envisioned the death of traditional passwords, and there have been several attempts to replace them. But none have been able to find an alternative — until now. FIDO Alliance's solution, referred to as "passkeys," shifts the burden of security from the user to technology. With passkeys, you don't have to worry about saving unique passcodes for each website, nor do you have to navigate a maze of security steps to log in. In FIDO's passwordless world, you are the password. All you have to do to log in anywhere is scan your face or fingerprint.
"You literally cannot steal a password if the password doesn't exist," Steve Won, the chief product officer of 1Password, a premium password manager and a member of the FIDO Alliance, told me.
If successful, passkeys can put to rest some of the most pressing online security concerns. Following FIDO's latest update, several major companies in the past year have rolled out support for passkeys to their devices and websites. Platform owners from Apple to Mastercard are on board, so there's a real chance they can take hold. Florentin Putz, a security researcher at the TU Darmstadt in Germany, told me that the widespread support among tech companies was what made passkeys exciting.
How passkeys work
To use the new passwordless login, you first need to set up a passkey on your laptop, phone, tablet, or other device. You don't need to install an extra app — Apple, Microsoft, and Google now offer passkey systems by default.
When I want to create a passwordless login for one of my accounts, such as for Best Buy or Google, I visit their passkey sign-up page. The website or app scans my face or fingerprint. If my device doesn't have a biometric scanner, it asks me to enter the device's lockscreen PIN or password. (This step is a temporary solution for devices that aren't able to scan your face or fingerprint to verify you — but the goal is to remove the PIN requirement.) Once the site has verified my identity, it generates a unique pair of virtual keys. One of them remains on the website's server. The other is private and stays on my device.
The next time I log in to that account, all I have to do is tap a little key icon in the login form. The site then verifies my identity with Face ID, and in seconds, I'm in. I don't have to punch in a long alphanumeric password or deal with any extra login steps, such as two-factor authentication. Behind the scenes, the website or app reads the private key I saved on my device earlier, and it unlocks the door only if it matches with the one on its server. Though it sounds complex, it all takes place in the background and happens instantly — you don't have to remember or manage a thing. It's as simple as unlocking an iPhone.
It's also far safer and more private than passwords. Because your biometric information and passkeys never leave your devices, there's little chance of your logins getting compromised in a data breach. In the few weeks I spent with passkeys, I found their convenience and hands-free authentication unmatched — but the system is still far from perfect.
Mass adoption is needed
The biggest hang-up with passkeys is how many sites accept them. Right now, the list of websites and apps with passkey support is limited to a couple dozen companies, and I had to resort to text-based passwords for most of the services I visited frequently.
But the passkey movement is spreading: More companies are joining the FIDO Alliance and adopting passkeys. Andrew Shikiar, the executive director of the coalition, said that the number of firms wanting to join the alliance "demonstrates the imperative of the password problem." He added that "momentum will significantly increase over the next 12 to 18 months."
The other big challenge is connection across different kinds of devices. At the moment, when you set up a passkey with Apple or Google, they sync it only to their ecosystems. That's great if all of your devices are from one company — your Apple passkey would work across an iPhone, iPad, and MacBook. But if you have an iPhone and a PC laptop, you couldn't easily transfer your passkey between those devices. To log on, you would have to visit the website you want to log onto, enter your username, and then link via Bluetooth with a nearby device that's storing your passkey. If you don't have a device with the passkey you need close by, you'll have to fall back on your traditional password. So if you lost your phone where your passkey was stored, you would need to log in to the service on your computer with a traditional password.
While this process ensures a hacker can't manipulate your accounts (unless they're physically within a few meters of you), it poses a bunch of usability challenges. Bluetooth sharing, in general, is finicky. On several occasions, when I tried to send passkeys between devices, it failed. Plus, FIDO equips vendors like Apple with far too much control, allowing them to make it hard to export passkeys to non-Apple devices. Research by Istanbul Technical University found that inconsistent passkey interfaces across platforms could significantly deter users from switching to them.
This is also where third-party password managers such as 1Password can help. I use 1Password as my password manager, so I tried out its new passkey system, which helped solve some of the interoperability issues. Since 1Password's apps are available across all platforms, it can easily sync my passkeys no matter the device I'm on. When I switched from a Mac to a Windows PC, for example, I didn't have to fiddle around with FIDO's cumbersome option for QR code sharing to sign in to Best Buy with a passkey — 1Password's Chrome add-on automatically logged me in.
While 1Password's passkey update at the time of writing was limited to computers, Won told me support for Android phones was on the way. On the other hand, iPhones are another roadblock, as Apple has refused to let third-party password managers store passkeys on its devices.
Participants in a study that Putz, the security researcher, conducted raised another concern with the passkey system. Many users reported sharing accounts with friends and family members, complicating the use of passkeys that rely on biometric information. This may be useful for some businesses, including streaming platforms, that are already cracking down on account sharing, but it poses a problem for customers who are trying to legitimately use a shared service. At the moment, websites that support passkeys also offer a traditional login so that when I want to share account access with someone who's, say, in another country, I can just text them the password. But if a site had only a passkey option, there would be no way to let people use my account unless the other person was in my Bluetooth range.
That's by design: Firms such as Google don't want you to share a passkey because that would beat the entire premise of a passwordless future, and leave it vulnerable to phishing — a common kind of attack where hackers trick their targets by pretending to be someone they are not.
"Similar to our recommendations when it comes to other forms of authentication, we advise against the sharing of passkeys, passwords, etc. — even if you think you're sharing with a trusted source," Google's Brand said. However, 1Password says it plans to allow its users to share passkeys remotely.
Shikiar agreed that the movement to passkeys would be a slow migration, but he expects most of these issues to be resolved in the next three to five years as the costs of making the transition are outweighed by increased revenue from reduced data breaches and fraud.
The University at Buffalo's Zhao told me that there were still vulnerabilities with passkeys. For instance, to set up a new iPhone, you still need your Apple ID passcode, or PIN — a loophole that could prove fatal as recent reports have highlighted how criminals can take over a person's digital life simply by eavesdropping on their lockscreen PIN. Yet Zhao is rooting for passkeys.
They "do not completely eliminate security issues," he told me, adding: "But they do raise the bar for hacking attempts, making them more difficult."
In all, the ability to navigate the internet without jumping through countless security hoops is refreshing. The flaws I ran into felt like nothing more than first-generation bugs. Passwords won't disappear overnight, but what FIDO Alliance has accomplished has convinced me our passwordless future is just around the corner.
Shubham Agarwal is a freelance technology journalist from Ahmedabad, India whose work has appeared in Wired, The Verge, Fast Company, and more.