4 January 2024

Are You Ready for the Death of the Password?

Eric Geller

For as long as the web has existed, the password has been the internet’s imperfect protector. Finally, that’s changing, with 2023 marking what increasingly seems like the beginning of the end for that frustrating, flawed technology.

Over the past 12 months, a flood of big-name companies — from Amazon and CVS to PayPal and Uber — have begun letting people sign into their accounts with an easier and more secure technology known as passkeys. They’re safer from theft and require less human work, while passwords “are hard to use and easy to break,” said Christiaan Brand, product manager for identity and security at Google.

Big tech firms like Google, Apple and Microsoft have spent more than a decade preparing for this moment, and now their work is bearing fruit.

“I expect 2024 to be a big year” for passkeys, said Jeremy Grant, the managing director of technology business strategy at the law firm Venable and coordinator of the Better Identity Coalition, which pushes for improved login technologies. “As more case studies emerge showing how companies and government agencies have implemented passkeys with great success, I think you’ll start to see a tidal wave of new adopters.”

Passkeys have a successful login rate four times higher than that of passwords, according to Google data, and an industry survey shows growing interest in and familiarity with the technology, with 57% of Americans expressing openness to adopting it.

Fundamentally, passkeys are pieces of code stored on people’s personal devices that talk to companion pieces of code stored on websites when someone tries to log in. After the user unlocks their device — perhaps with a fingerprint or face scan — and gives it permission to talk to the website, the device sends its snippet of private, encrypted code to the website, and the website uses its own corresponding public code to authenticate the passkey. The resulting digital handshake verifies a person’s identity for the website and unlocks the account.

The underlying technology has been around since the 1970s, but only recently did people start carrying around devices with enough computing power to make an application of the technology like passkeys viable.

First, the private part of the passkey is only stored on a user’s personal device — the website only verifies this information, rather than keeping a copy of it. This makes it impossible for the website to accidentally expose the private code in a data breach.

Second, passkeys are automatically generated and unique to every website, so users don’t have to create, memorize and update dozens of unique and complex strings of text. This not only reduces the burden on users, but it also eliminates the risks of people creating weak passwords and reusing them.

Third, passkeys use technology to automatically match public and private codes in the background. This means that users don’t have to verify that they’re typing the right password into the right website or watch out for impostor websites run by hackers.
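The three properties above, as an added example that is not part of the original article: a simplified Node.js model of the public-key challenge-response that passkeys are built on. Here the device signs a fresh challenge from the website with its private key and the site checks the signature against the public key it stored, so the private key is never transmitted. The class names, origins and message layout are illustrative assumptions, not the WebAuthn wire format.

```javascript
// Added illustration: simplified passkey model (assumed names, not real WebAuthn messages).
const crypto = require('crypto');

// Bytes that get signed: the origin the browser sees, a separator, the site's challenge.
function message(origin, challenge) {
  return Buffer.concat([Buffer.from(origin), Buffer.from([0]), challenge]);
}

// Device side: one key pair per website; private keys never leave this object.
class Authenticator {
  constructor() { this.keys = new Map(); } // origin -> private key
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.keys.set(origin, privateKey);
    return publicKey; // only the public half is handed to the site
  }
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null; // no passkey for this origin, so nothing is released
    return crypto.sign(null, message(origin, challenge), key);
  }
}

// Website side: stores only the public key and issues single-use random challenges.
class Website {
  constructor(origin) { this.origin = origin; this.publicKey = null; this.pending = null; }
  enroll(publicKey) { this.publicKey = publicKey; }
  newChallenge() { this.pending = crypto.randomBytes(32); return this.pending; }
  verify(signature) {
    if (!signature || !this.pending) return false;
    const data = message(this.origin, this.pending);
    this.pending = null; // consume the challenge so a captured signature cannot be replayed
    return crypto.verify(null, data, this.publicKey, signature);
  }
}

function demo() {
  const device = new Authenticator();
  const shop = new Website('https://shop.example'); // constructed sample origin
  shop.enroll(device.register(shop.origin));
  const sig = device.sign(shop.origin, shop.newChallenge());
  const login = shop.verify(sig);   // genuine login
  const replay = shop.verify(sig);  // same signature again, challenge already used
  // Look-alike site relays a real challenge, but the device sees the look-alike's origin.
  const relayed = device.sign('https://shop-login.example', shop.newChallenge());
  const phish = shop.verify(relayed);
  return { login, replay, phish, storedType: shop.publicKey.type };
}
```

`demo()` returns the outcome of the genuine login, the replayed signature and the relayed look-alike attempt, plus the type of key material the site holds, which is what a breach of the site's database would expose.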

Because they require almost no work by users and offer better protection from hackers than passwords do, passkeys are a dramatic leap forward that has attracted widespread praise from security experts.

“They enable us to move people from something that offers terrible security and terrible user experience — a password — to something that is both much more secure and light years easier to use,” Grant said.

That usability piece is key, given that the hardest part of getting people to adopt new technologies is convincing them to do more work than they were doing before.

“Passkeys allow us to meet people where they already are and leverage the tools they already use,” said Rachel Tobac, the CEO of the consulting firm SocialProof Security.


The arrival of the passkey, and its dramatic expansion in 2023, have been a long time coming.

“We’ve been talking about ‘killing the password’ for years,” said Grant, who helped oversee the Obama administration’s National Strategy for Trusted Identities in Cyberspace from 2011 to 2015.

But in addition to needing devices with enough computing power to manage the rapid exchange of public and private codes, the world’s leading tech companies needed to reach an agreement about the exact way to design this exchange and build it into their operating systems, websites, internet browsers and gadgets. The watershed moment came in May 2022, when Apple, Google and Microsoft agreed to integrate passkeys into their products using an industry-wide standard. This year, the three companies gradually rolled out the ability to store passkeys on iPhones and iPads, Android devices and Windows computers. And in May, Google started letting people sign into its own services with passkeys.

“We’ve finally found a solution that will one day bring us to that passwordless future we set out for 10-plus years ago,” said Brand, the Google product manager.

Getting Big Tech to agree on a uniform approach to passkeys was critical. Passkeys will only be able to replace passwords if they’re just as ubiquitous and standardized.

With the tech giants all on the same page, major companies from every industry began jumping on the passkey train, including Amazon, Best Buy, CVS, eBay, Home Depot, Instacart, PayPal, TikTok, Uber and WhatsApp.

Even 1Password, a 17-year-old company that built its business on offering a password manager so people didn’t have to memorize all their different credentials, has embraced the passkey trend. In September, 1Password began letting users store their passkeys in its service. It even launched a directory of companies using passkeys, with a tab where people can vote for other companies that should add them. (Steam, Netflix and Disney+ currently top the list.)

Steve Won, chief product officer at 1Password, said the passkey is the first login technology that “balances both security and convenience — equally.”

If 2023 was a big year for passkeys, security experts are bullish about their rapid expansion in the years to come.

“The more organizations that roll out passkeys, the more we'll see passkeys provided as an option across industries as competitors keep up with each other,” said Tobac.

Grant highlighted the fact that mainstream companies like Amazon, CVS and Home Depot have embraced passkeys. “When you have big-brand players like this leading the charge,” he said, “it sends a message to the rest of the market.”

And as passkeys spread, they’ll likely win over skeptics and land on the radar of people who previously hadn’t heard about them.

“I expect most major sites will adopt passkeys in 2024 and many users will take advantage,” said Alex Weinert, vice president and director of identity security at Microsoft.

Still, it will take a long time for passkeys to completely replace passwords. Won predicted that it would be “at least another five years” before the technology is available pretty much everywhere. In part, that’s because of several awareness and implementation problems.

Because passkeys live on specific devices and people can’t memorize them, they can be lost in ways that passwords can’t be. “If you lose your device or get a new one, you may have to go through an account recovery process to ‘reincarnate’ all of your passkeys into your new device,” Grant said. “It represents a notable shift from the old user experience where you can just type something in on any device.”

This isn’t an insurmountable problem, but companies will have to clearly explain how to deal with it. One option: a passkey manager like 1Password’s. Won said his company has spent the past year “getting our customers comfortable with passkeys” through blog posts, webinars and podcasts. The company is currently testing the ability to log into its own service with a passkey and plans to release that feature to all users next year.

Passkey adoption could also suffer if small companies find it difficult to implement the technology. Here, too, 1Password is trying to help, offering a service that allows companies to add the feature “in seconds.”

Beyond solving tech challenges, passkey promoters will have to overcome plain old-fashioned inertia. For all their flaws, passwords have become familiar. People may hate them, but they understand how to use them. “It’s going to take time for people to get used to passkeys,” Brand said. “Passwords are all we’ve known for countless years.”

In the coming years, Tobac said, “it will be important for us all to clearly communicate what passkeys are, how to use them and back them up securely.” Google and Microsoft plan to make passkeys easier to understand and use in 2024, Brand and Weinert said.

The federal government could help raise awareness of passkeys by integrating them into services that Americans interact with on a regular basis, such as benefits portals and the IRS’s tax-filing website. That would also “significantly reduce compromise and fraud risks at those sites,” Weinert said.

When passkeys are ubiquitous across government and business websites, Weinert said, that will “change the conversation for everyone else from ‘Have you heard of it?’ to ‘When will you do it?’ in 2024.” And by 2025? At that point, Weinert expects, it’ll be “‘Why haven’t you done it yet?’”
