Yesterday, Google announced “the beginning of the end of the password.” By this time next year, you may not be using passwords anymore.
The Great Password Extinction is Already Underway
Imagine a world without passwords.
You can still log into all your online accounts in this new, passwordless world. From WordPress sites to your bank, it’s easier and more secure than ever to create and access online accounts — without passwords.
Wouldn’t that be a relief? Good news: the global password extinction is already happening, and life on the other side of it is better.
In late 2022, Apple introduced passkey support in iOS 16 and macOS 13 “Ventura.”
Yesterday, Google announced they are “rolling out support for passkeys across Google Accounts on all major platforms.”
At iThemes, we’re very proud that our Security Pro product was the first to bring passkeys and other passwordless authentication methods to WordPress.
How is a Passwordless Life Possible?
About a month after I started using an Apple Watch, it began to automatically unlock and log into my desktop and laptop computers that are running the current version of macOS. I don’t recall doing more than turning on macOS passkey support to use it with my Google accounts and iThemes Security. Apparently, this also allowed my watch to become a trusted passkey device.
Previously, Apple’s Touch ID biometric login was the most accessible password alternative I had. Now it’s my watch. Sometimes, if I’ve been away long enough, I still need to type in my password, but my watch is making that a lot less common, thanks to a common passkey connected to my Apple ID and all my Apple devices.
Hardware keys, like the YubiKey, will give you the same passwordless login experience — no Apple devices necessary.
Windows and Android devices support passwordless logins, also thanks to passkeys.
What Are Passkeys?
You can thank open source for passkeys. Passkey technology is based on open standards set by the FIDO (“Fast Identity Online”) Alliance. Developed by the W3C together with the FIDO Alliance, the WebAuthn API is part of the FIDO2 standard. It’s WebAuthn that enables passkeys to quickly and easily perform cross-platform, passwordless authentication.
Passkeys are unique cryptographic credentials generated by an authenticating device, like your smartphone. Public key cryptography is used to create a public and private key pair. Together this key pair forms your passkey on the authenticating device. Each of your devices may have a unique private key, which never leaves that device, while your public key is sent to each website when you register and is all the website stores. Probably, you will never see either of them. No one will.
Your phone or other passkey-supporting device verifies you as an authorized user when you enter a password, a PIN, or pass a biometric challenge. Once you do that, your phone and its passkey function as a key to additional devices and applications. Instead of having to type in a password again on your laptop and again to log into WordPress, your phone tells your computer to let you in. Then its operating system tells your browser to ask WordPress to let you in — all without a password.
If your devices and websites are set up for passkeys, this is a very smooth experience. You might need to provide a PIN or pass a quick biometric challenge, but it’s much simpler than filling out three different login forms without recycling your passwords or using weak ones. And if you hate two-factor authentication (2FA), there’s no need to use it anymore.[1]
Why Passkeys Will Replace Passwords
Initially, passkeys are emerging as an authentication option alongside passwords and 2FA. You can use any of them. But over time, few people will want to retain insecure passwords or deal with time-consuming 2FA codes. Passkeys will quickly become the preferred option for the following reasons:
- Enhanced Security. One of the primary reasons passkeys will replace passwords is the improved security they offer. Many data breaches result from weak or stolen passwords, highlighting the vulnerability of traditional password-based authentication. The public key cryptography behind passkeys is significantly more challenging to crack, and because a website stores only your public key, a breach of its user database gives an attacker nothing they can log in with.
- Better User Experience. Remembering many complex passwords for your online accounts can be difficult and often leads to poor password practices. Passkeys simplify the authentication process. You only need a device that stores your passkey to access any account that supports passkey authentication. This convenient user experience encourages the adoption of passkeys as a secure authentication method.
- Password Managers Optional. Passkeys may diminish, if not eliminate, the need for traditional password managers. While password managers offer an alternative to storing multiple passwords, they also introduce additional risks. These password vaults can become a single point of failure. As we’ve seen with LastPass, a breached password management platform can expose all its customer accounts, passwords, and personal information.
The Passwordless Future: What It Will Look Like
There are three big upsides to the eclipse of passwords by passkeys, but their common thread is the way passkeys benefit both security and simplicity.
- Seamless Authentication. As passkeys become more prevalent, the process of authenticating and accessing online services will become increasingly seamless. Users will be able to log in to their accounts by simply using their passkey-storing devices or biometric identification methods, such as fingerprint or facial recognition.
- Multi-Factor Authentication Made Easy. Passkeys inherently support multi-factor authentication (MFA) by combining something the user has (the device storing the passkey) with something the user knows or is (the PIN or biometric that unlocks it). This seamless integration of MFA into the authentication process will lead to a more secure online environment without sacrificing user experience.
- Reduction in Data Breaches. As passkeys become the new standard for authentication, the number of data breaches resulting from weak or stolen passwords is likely to decline. The enhanced security provided by passkeys will make it harder for cybercriminals to compromise user accounts, leading to a more secure digital landscape.
So far, it’s been rare for secure authentication to come with a good user experience. Passkeys are a big exception. That’s fantastic, but there are always downsides.
- Sophisticated Phishing and Social Hacking. Passkeys may be almost impossible to steal and crack, but criminals never give up when security increases — they adapt to new tools and find neglected weak points to exploit. Today, AI tools are making it easy for anyone to appear fluent in any language, which is a huge asset to anyone who wants to trick others into trusting them. Big password breaches may fade into the past, but phishing and social hacking may become more sophisticated and prevalent.
- Physical Security and Privacy. My Apple devices are unable to tell it’s not me when my left-handed daughter wears my watch on her smaller wrist on the opposite hand. All she needs is my watch and 4-digit PIN to log in to my computer.[2] A thief could do that — so could the police.[3] As our relationships with our devices become more physically entangled, many difficult questions about personal privacy arise.[4] Online anonymity, which is already in decline, may vanish.
- People Will Share Passkeys Too. Password managers are widely used to share passwords, which is a terrible security practice however it’s done. A shared password will eventually become a stolen password. Fortunately, you’re unlikely to ever see, let alone memorize, write down, or email a passkey to a co-worker or friend. However, you can use some password managers to store and even share passkeys now. There are secure ways to do this, but I am doubtful how well it will work out in practice. However you do it, sharing secrets is inherently insecure. (A secret shared is not a secret anymore.) Sharing sensitive data or information rests heavily on trust between people, and that is always a weak bond — see points #1 and #2 above.
Security Thinking Versus “Don’t Make Me Think”
Whatever challenges lie ahead in the passwordless future, we’re going there. Passwords are broken — they’re a terrible method for authentication and need to die off — the sooner, the better. Embracing passwordless authentication will improve our online experiences and help safeguard our digital lives. Not having to worry about password security and management so much is a huge relief.
On the other hand, “Don’t Make Me Think” is an excellent goal in user experience and interface design, but can be a disaster for security. Simplicity in design enables users’ efficiency and imposes a lower cognitive burden on them. Passkeys deliver that simplicity exceptionally well. But they shouldn’t make us more complacent about potential security risks in a world of ever-evolving threats.
Powered by passkeys and their adoption on all major platforms, the future of the web will be a more secure and user-friendly experience when we’re accessing online services. The days of struggling to remember complex passwords (and sharing or recycling them) will soon be a thing of the past, and that’s a definite improvement.
It’s high time to raise our baseline security standards too. Passkeys will do that, and I expect this will help make cybercrime, fraud, and identity theft more difficult and rare. Start using them now, and if you have WordPress sites, consider making passkeys an option for logging into them. Keep thinking about security too. Ask what security means and how threats may change in the new context of a world without passwords.
[1] Reports like “I’ve locked myself out of my digital life” and “Gmail 2FA causes the homeless to permanently lose access three times a year” show the downsides of two-factor authentication.
[2] An Apple Watch may not be the best security key without biometric authentication, like Touch ID. Based on some of Apple’s recent patents, a palm-based version of Touch ID may be in the works.
[3] The Electronic Frontier Foundation has expressed concern about possible civil rights violations if law enforcement uses passkey access to one device to search many more devices and online accounts.
[4] Identifying unique biometric signatures from biological data collected by watches and similar devices may also be possible, since they can detect the early onset of illnesses like COVID.
Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.