The Great Password Extinction is Already Underway

Imagine a world without passwords.

You can still log into all your online accounts in this new, passwordless world. From WordPress sites to your bank, it’s easier and more secure than ever to create and access online accounts— just without any passwords.

Wouldn’t that be a relief? Good news: the global password extinction is already happening, and life on the other side of it is better.

In late 2022, Apple introduced passkey support to iOS 16 and MacOS 13 “Ventura.”

Yesterday, Google publicly announced they are “rolling out support for passkeys across Google Accounts on all major platforms.”

At iThemes, we’re very proud that our Security Pro product was the first to bring passkeys and other passwordless authentication methods to WordPress.

How is a Passwordless Life Possible?

About a month after I started using an Apple Watch, it began to automatically unlock and log into my desktop and laptop computers that are running the current version of MacOS. I don’t recall doing more than turning on MacOS passkey support so I could use it with my Google accounts and iThemes Security.

Previously the Apple Touch biometric login was my easiest password alternative. Now it’s my watch. Sometimes, if I’ve been away long enough, I still need to type in my password, but my watch is making that a lot less common, thanks to a common passkey connected to my Apple ID and all my Apple devices.

Hardware keys, like a YubiKey, will give you the same passwordless login experience — no Apple devices necessary.

Windows and Android devices support passwordless logins, also thanks to passkeys.

What Are Passkeys?

You can thank open source for passkeys. Passkey technology is based on open standards set by the FIDO (“Fast Identity Online”) Alliance. Developed by the W3C, the WebAuthn API is the key part of the FIDO2 standard that enables passkeys to quickly and easily perform cross-platform, passwordless authentication.

Passkeys are unique, encrypted digital identifiers generated by an authenticating device, like your smartphone. Public key cryptography is used to generate a public and private key pair. Together this key pair forms your passkey on the authenticating device. Each of your devices may have a unique private key, but your public key is shared over the web. Probably, you will never see either of them. No one will.

Your phone or other passkey-supporting device verifies you as an authorized user when you enter a password, PIN, or pass a biometric challenge. Once you do that, your phone and its passkey function as a key to additional devices and applications. Instead of having to type in a password again on your laptop and again to log into WordPress, your phone tells your laptop to let you in. Then your laptop’s operating system tells your browser to tell WordPress to let you in — all without a password.

If your devices and websites are set up for passkeys, this is a very smooth experience. You might need to provide a PIN or pass a quick biometric challenge, but it’s much simpler than filling out three different login forms without recycling your passwords or using weak ones. And if you hate two-factor authentication (2FA), there’s no need to use it anymore.¹

Why Passkeys Will Replace Passwords

Initially, passkeys are emerging as an authentication option alongside passwords and 2FA. You can use any of them. But over time, few people will want to retain insecure passwords or deal with time-consuming 2FA codes. Passkeys will quickly become the preferred option for the following reasons:

1. Enhanced Security. One of the primary reasons passkeys will replace passwords is the enhanced security they offer. Many data breaches result from weak or stolen passwords, highlighting the vulnerability of traditional password-based authentication. The public key cryptography behind passkeys is significantly more challenging to crack.

2. Better User Experience. Remembering many complex passwords for your online accounts can be difficult and often leads to poor password practices. Passkeys simplify the authentication process. You only need a device that stores your passkey to access any account that supports passkey authentication. This convenient user experience encourages the adoption of passkeys as a secure authentication method.

3. Password Managers Optional. Passkeys may diminish if not eliminate the need for traditional password managers. While password managers offer an alternative to storing multiple passwords, they also introduce additional risks. These password vaults can become a single point of failure. As we’ve seen with LastPass, a breached password management platform can expose all its customer accounts, passwords, and personal information.

The Passwordless Future: What It Will Look Like

There are three big upsides to the eclipse of passwords by passkeys, but their common thread is the way passkeys benefit both security and simplicity.

The Upsides

1. Seamless Authentication. As passkeys become more prevalent, the process of authenticating and accessing online services will become increasingly seamless. Users will be able to log in to their accounts by simply using their passkey-storing devices or biometric identification methods, such as fingerprint or facial recognition.

2. Multi-Factor Authentication Made Easy. Passkeys inherently support multi-factor authentication (MFA) by combining something the user knows (the passkey) with something the user has (the device storing the passkey). This seamless integration of MFA into the authentication process will lead to a more secure online environment without sacrificing user experience.

3. Reduction in Data Breaches. As passkeys become the new standard for authentication, the number of data breaches resulting from weak or stolen passwords is likely to decline. The enhanced security provided by passkeys will make it harder for cybercriminals to compromise user accounts, leading to a more secure digital landscape.

So far, it’s been rare for secure authentication to come with a good user experience. Passkeys are a big exception. That’s fantastic, but there are always downsides.

The Downsides

1. Sophisticated Phishing and Social Hacking. Passkeys may be almost impossible to steal and crack, but criminals never give up when security increases — they adapt to new tools and find neglected weak points to exploit. Today, AI tools are making it easy for anyone to appear fluent in any language, which is a huge asset to anyone who wants to trick others into trusting them. Big password breaches may fade into the past, but phishing and social hacking may become more sophisticated and prevalent.

2. Physical Security and Privacy. My Apple devices are unable to tell it’s not me when my left-handed daughter wears my watch on her smaller wrist on the opposite hand. All she needs is my watch and my 4-digit PIN to log in to my computer.² A thief could do that — so could police.³ As our relationships with our devices become more physically entangled, many difficult questions about personal privacy arise.⁴ Online anonymity, which is already in decline, may vanish.

3. People Will Share Passkeys Too. Password managers are widely used to share passwords, which is a terrible security practice however it’s done. A shared password will eventually become a stolen password. Fortunately, you’re unlikely to memorize, write down, or share a passkey with a co-worker or friend, but you can use some password managers to share passkeys. There are secure ways to share a passkey with others’ passkey-equipped devices, but I am doubtful how well this will work out in practice. 1Password and Dashlane support passkeys and 1Password even allows you to store and share them. However you do it, password sharing is inherently insecure and rests heavily on trust between people — see points #1 and #2 above.

Security Thinking Versus “Don’t Make Me Think”

Whatever challenges lie ahead in the passwordless future, we’re going there. Passwords are broken — they’re a terrible method for authentication and need to die off — the sooner the better. Embracing passwordless authentication will not only improve our online experiences but help safeguard our digital lives. Not having to worry about password security and management so much is a huge relief.

On the other hand, “Don’t Make Me Think” is a great goal in user experience and interface design. but it’s terrible for security. Simplicity helps efficiency and imposes a lower cognitive burden on users. Passkeys deliver that simplicity really well. But they shouldn’t make us more complacent about potential security risks.

Powered by passkeys and their adoption on all major platforms, the future of the web will be a more secure and user-friendly experience when we’re accessing online services. The days of struggling to remember complex passwords (and sharing or recycling them) will soon be a thing of the past, and that’s a definite improvement. It’s high time to raise our baseline security standards too. Passkeys do that, and I expect they will help make cybercrime, fraud, and identity theft more difficult and rare.

Passkeys alone won’t eliminate all the security risks and threats on the Open Web, however. They’re absolutely worth adopting, but as you adopt them, think about how they might change and deepen your security thinking and practices.

Notes:

1. Reports like “I’ve locked myself out of my digital life” and “Gmail 2FA causes the homeless to permanently lose access 3 times a year” show the downsides of two-factor authentication.
2. An Apple Watch may not be the best security key without a biometric authentication of its own yet, like Touch ID. Based on some of Apple’s recent patents, a palm-based version of Touch ID may be in the works.
3. The Electronic Frontier Foundation has expressed concern about possible civil rights violations if law enforcement uses passkey access to one device to search many more devices and online accounts.
4. It may also be possible to identify unique biometric signatures from physical data collected by watches and similar devices since they are able to detect the early onset of illnesses like COVID.

The post The Beginning of the End of Passwords appeared first on iThemes.