Volker Schwaberow
Volker Schwaberow
A Reality Check on the Promise to Eliminate Passwords

A Reality Check on the Promise to Eliminate Passwords

November 20, 2024
8 min read
Table of Contents

A Reality Check on the Promise to Eliminate Passwords

I keep hearing about passkeys being promoted as a revolutionary solution to eliminating the need for passwords. Tech giants like Apple, Google, and Microsoft promise a future free from the hassle of remembering complex strings of symbols, numbers, and outdated pet names. The marketing message is sleek and confident, envisioning a password-free future that is more secure and user-friendly. Regardless, I can’t help but feel skeptical. Is this promise too good to be true? Are we truly on the verge of saying goodbye to passwords forever, or are we merely swapping one set of problems for another?

The Convenience Appeal

Passkeys are built on FIDO2 technology, an open standard that provides a more secure and password-free authentication mechanism.1 WebAuthn, in particular, allows web applications to communicate directly with authenticators by using hardware security keys or device biometrics.2 It is a key technology that enables secure authentication directly through the browser, with major browsers like Chrome, Firefox, Safari, and Edge already supporting it. FIDO2 combines WebAuthn, a core component that serves as a web-based API for authenticating users without the need for a password, and CTAP (Client to Authenticator Protocol)3, which allows the use of authenticators such as hardware tokens or built-in device features like biometric sensors. The FIDO Alliance, which drives this standard, includes major players such as Google, Microsoft, and Apple, all of whom have been incorporating FIDO2 into their ecosystems. This technology has been implemented in various contexts, including passwordless logins for Microsoft services, Google’s integration in Android, and Apple’s integration across iOS and macOS devices. FIDO2’s widespread backing has made it a foundational part of the passkey ecosystem, but its implementation still comes with notable limitations, as discussed later.

The appeal of passkeys is not just understandable, it’s compelling. Instead of juggling numerous passwords, you could use biometric authentication or a device-based prompt, simplifying life. Passkeys leverage your devices—phones, laptops—with cryptographic keys stored securely, often using biometrics like fingerprint or facial recognition. This enables a login process that is not just convenient, but also significantly more secure. WebAuthn and FIDO2 are critical to this process, with hardware tokens like YubiKeys being one prominent example of how this technology can be implemented. YubiKeys and other hardware tokens act as physical authenticators that store cryptographic keys securely, providing an additional layer of security without the need for traditional passwords. These tokens are widely adopted in enterprise environments for services like Windows Hello4 and Google account authentication, as they align well with FIDO2 standards. Moreover, operating systems like Windows, macOS, and Android have built-in support for passkeys through their respective ecosystems, enabling seamless integration of biometric features and hardware authenticators.

In theory, passkeys address many vulnerabilities associated with traditional passwords, such as phishing and weak password creation. Phishing attacks, a major cybersecurity issue, would be ineffective against passkeys since no password can be tricked out of you—no long strings of text that hackers can exploit. It sounds flawless, right?

The Not-So-Rosy Reality

Another significant issue is vendor lock-in. Vendor lock-in refers to the situation where a user becomes dependent on a particular product or service and finds it difficult to switch to another without substantial switching costs or inconvenience. Currently, each major tech company has its version of passkey management. Apple’s solution is integrated within the iCloud ecosystem, Google has its Android and Chrome-focused implementation, and Microsoft has its Windows-centric version.5 This fragmentation means users are often nudged—or outright coerced—into staying within a particular ecosystem6. While the integration may seem convenient, it’s primarily designed to keep you locked in a specific ‘walled garden,’ preventing you from easily taking your passkeys with you if you decide to change platforms.7 This lock-in problem also extends to password managers—it’s not easy to transfer passkeys between different services, which adds additional friction for users seeking flexibility 8.

Compatibility issues further complicate matters. Legacy systems present another significant barrier to widespread passkey adoption. Many organizations rely on legacy infrastructure never designed to integrate modern authentication mechanisms like FIDO2 or WebAuthn. Updating these systems can be prohibitively expensive and time-consuming, so passwords will likely remain entrenched in these environments for the foreseeable future9. This adds another layer of complexity for organizations transitioning to passkeys, as they must balance new and old authentication methods, often within the same IT infrastructure.

Many organizations rely on legacy infrastructure never designed to integrate modern authentication mechanisms like FIDO2 or WebAuthn. Updating these systems can be prohibitively expensive and time-consuming, so passwords will likely remain entrenched in these environments for the foreseeable future. This adds another layer of complexity for organizations transitioning to passkeys, as they must balance new and old authentication methods, often within the same IT infrastructure.

Many services and platforms still rely heavily on traditional passwords, and the idea that passkeys will completely replace them is, at best, years away from being realized. Until then, users are in an awkward limbo, managing both traditional passwords and the new passkey system, despite the promise of eliminating the former9.

Security Trade-Offs

The reliance on device-based security introduces another kind of risk.10 Biometric data, often touted as the ultimate security key, is a double-edged sword. While you can change a password, you cannot change your fingerprint or face if it gets compromised.

If a vulnerability in the passkey system exposes biometric information, the permanent nature of that data can pose significant security concerns, even making experienced cybersecurity experts uneasy.

Moreover, passkeys assume the availability of constant internet connectivity and up-to-date devices, which is only the case for some. Users in areas with unreliable internet access or those who cannot afford the latest gadgets might be left behind, creating a digital divide that no one seems eager to address.

While passkeys are often advertised as a universal solution, they predominantly serve users in well-connected, economically advanced regions.

The Reality of Passwordless Authentication

In many cases, passkey authentication is only partially passwordless. Passkeys are often implemented as a second factor, requiring users to enter a password before the passkey can be utilized.

In some scenarios, a Time-Based One-Time Password (TOTP) or other verification forms are still required even after using a passkey. While this may not be a limitation of the FIDO2 standard itself, it highlights the inconsistency in how passkeys are implemented across various platforms and applications. There is a clear need for more robust and consistent standards to guide how passkeys should be integrated into application offerings. Without such standards, the promise of passwordless authentication becomes diluted, with users still dealing with some form of traditional password or multi-step verification process.

While well-intentioned, the tech industry’s push to eliminate passwords seems overstated in terms of its immediacy and overall impact. Will it mature at customers’ sites, or are we, the customers, really the only ones who saw it?

Yes, passkeys solve some significant issues—such as phishing and brute force attacks—but they also introduce new challenges that have yet to be fully addressed. The necessary infrastructure for widespread adoption is not yet in place, and the dependency on specific devices and platforms adds friction rather than reducing it for many users.

Passwords are not disappearing anytime soon. And the one hash will be replaced by another hash. The question is, will the new hash be better than the old one?

In reality, passwords are deeply embedded in how we interact with technology11. While passkeys represent progress, they are far from the ultimate solution to security and usability that some claim them to be.

Passkeys should now be seen as an additional tool in our security toolkit rather than a complete password replacement. The future might be promising, but we are not there yet—especially when considering the challenges with integrating passkeys into legacy systems, which often require long timelines and substantial investments to update. Additionally, implementing modern authentication solutions like passkeys is particularly impossible in operational technology (OT) environments, where systems are expected to run for decades without major overhauls.

Without a standardized backup protocol, the complexity of managing and manually re-registering passkeys across different systems further emphasizes that we are not ready to abandon passwords entirely. 


Footnotes

  1. FIDO2 Alliance

  2. FIDO2 Standard - WebAuthn

  3. Microsoft - All about FIDO2, CTAP2 and WebAuthn

  4. WebAuthn-APIs | Microsoft Learn

  5. Apple, Google and Microsoft Commit to Expanded Support for FIDO Standard to Accelerate Availability of Passwordless Sign-Ins

  6. The Aim to end Passkey vendor lockin

  7. Our Glorious Password-less Future Is Being Destroyed By Greed

  8. Password manager makers want to let you securely transfer passkey

  9. More Secure Authentication 2

  10. FTC Warns About Misuses of Biometric Information and Harm to Consumers

  11. You may never need to remember another password