Passwords are a problem. Not only have they reached a point where a "strong" password is one no human can remember (much less remember dozens of them), but they simply aren't as secure as they need to be. Passkeys combine a public and private cryptographic key pair with local authentication such as a fingerprint or facial scan. The device can prove its identity beyond doubt, and the assumption is that only you can unlock it.
When it works, passkeys feel like a revelation, but I'm willing to bet that most of the time you're still messing around inside your password manager, and passwords are still the main way you unlock access to things. So if passkeys are so great, why do we still have passwords?
Most users still don’t know what a passkey is
We fear the unfamiliar
I think the biggest problem by far is that passkeys just sort of happened. People were going about their business on the internet, and the next time they tried to log in, they were offered the option of using a passkey. What happens from this point is anyone's guess. Depending on how pushy the website is, many people will just select "skip" or whatever else lets them log in as usual.
However, for the curious (or inattentive), tapping on that passkey option can lead you down a rabbit hole with little explanation. I write about internet security and computers for a living, and I would not even be able to figure out what the heck a "passkey" is based on the information a site offers. Not a single website I've encountered, even from big players, adequately explains how it works or why you should use it in simple terms. They just browbeat you through the steps, and now you've committed to a new security method that might not be the right one for your risk profile.
Websites are afraid to force adoption
Is the risk worth the reward?
The other side of the coin is how noncommittal websites have been. Instead of making passkeys mandatory, it's just become another option. Websites weren't this timid when it came to making two-factor authentication mandatory or enforcing the most inane rules for "strong" passwords, so what's up?
I think this probably exposes one of the biggest weaknesses in the passkey system. Since your passkey is linked to a physical device that holds the private key locally, you're in deep trouble if that device is lost or breaks for any reason and you don't have cloud-synced backups. Sure, you can have multiple devices with passkeys, but you still need a backup system so that people can still access their accounts securely if the primary authentication method fails.
However, if you make something opt-in, most people are going to take the path of least resistance and simply stick with the system they already know.
Also, if a traditional password system stays in place as a backup for passkeys, do passkeys really make things more secure? The password system is still there as an attack vector, just as it's always been. The only thing the passkey achieves is slightly less friction, but I was already using my fingerprint to authorize my password autofill, so do passkeys really make a practical difference?
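The key-pair mechanism described at the top, the lost-device problem, and the point about the server-side password fallback can all be seen in a small model. This is an added example, not code from the original article, and it stands in for a real passkey (WebAuthn) flow with a plain Ed25519 challenge-response: the server keeps only public keys, each device keeps its own private key, and the "local unlock" step is assumed rather than implemented.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Account is the server side: it stores only public keys, never a password or hash.
type Account struct{ Creds []ed25519.PublicKey }
// Device holds a passkey; its private key never leaves it, so losing the only device locks you out.
type Device struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewDevice() Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return Device{priv, pub}
}
// Sign runs after the local unlock (fingerprint, face or PIN, assumed here) and signs exactly what the server sent.
func (d Device) Sign(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }
// Register stores a device's public key; a second device is the backup.
func (a *Account) Register(d Device) { a.Creds = append(a.Creds, d.pub) }
// NewChallenge issues a fresh nonce per login, so a captured response is useless later.
func NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// Verify accepts the login if any registered key signed this exact challenge.
func (a *Account) Verify(challenge, sig []byte) error {
	for _, pub := range a.Creds {
		if ed25519.Verify(pub, challenge, sig) {
			return nil
		}
	}
	return errors.New("no registered passkey signed this challenge")
}

func main() {
	phone, laptop, acct := NewDevice(), NewDevice(), &Account{}
	acct.Register(phone)
	acct.Register(laptop) // backup, so a lost phone does not lock the account
	c := NewChallenge()
	fmt.Println("phone login:", acct.Verify(c, phone.Sign(c)))               // <nil>
	fmt.Println("replayed sig:", acct.Verify(NewChallenge(), phone.Sign(c))) // error
}
```

Nothing the server stores can be used to log in, which is exactly what a password fallback gives back to an attacker; an account with no backup device registered is simply unreachable once the one device is gone.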
Real-world friction is slowing momentum
People just want to get on with it
My daily experience with passkeys shows something even worse. Often, a passkey has even more friction than just tapping in a code to autofill a password field.
Scanning a QR code to use a passkey stored on my iPhone takes far too long sometimes, and even going through the whole song and dance doesn't guarantee the passkey will work properly. Often a website will wait until the very end to let me know the passkey isn't acceptable and make me fall back to a password with 2FA anyway.
This is one of the reasons I've been forced to make passkeys on multiple devices, since usually the on-device passkey is the most reliable way to log in. But I certainly don't feel comfortable leaving so many passkeys around on different devices.
The predictable reason they’re stalling
The path of least resistance
I think passkeys are a step in the right direction, but the launch and execution have been more than a little rough around the edges. I'd like to leave passwords behind as much as the next person, but I also know that when you give the average person a choice to try something new or keep things the way they are, they'll tend to choose something that's familiar and comfortable.
If the cybersecurity industry wants mass adoption of passkeys, then websites have to actively market them, and the interoperability and ease of use of passkeys need some attention. Passwords are legitimately terrible for security and are vulnerable to a long list of attacks, but the way things are right now, passkeys just aren't ready to convince anyone to embrace them. The bottom line is that if people don’t understand the thing that’s supposed to replace passwords, they’ll keep typing passwords instead.