Why the Password Isn't Dead Quite Yet

Everyone hates the old ways of authentication. But while change is closer than ever, it comes with its own drawbacks. 
A grid of eyes and asterisks.
The technology is in place. But the passwordless future isn't fairly distributed or easily embraced.Illustration: Elena Lacey

There are certain sci-fi promises the future is supposed to hold: jetpacks, flying cars, a Mars colony. But there are also some seemingly more attainable goals that somehow also always feel just on the horizon. And one of the most tantalizing is the end of passwords. The good news is that the infrastructure—across all the major operating systems and browsers—is largely in place to support passwordless login. The less good news? You're still plugging passwords into multiple sites and services every day, and will be for a while.

There's no doubt that passwords are an absolute security nightmare. Creating and managing them is annoying, so people often reuse them or choose easily guessable logins—or both. Hackers are more than happy to take advantage. By contrast, passwordless logins authenticate with attributes that are innate and harder to steal, like biometrics. No one's going to guess your thumbprint. 

You likely already use some version of this when you unlock your phone, say, with a scan of your face or your finger rather than a passcode. Those mechanisms work locally on your phone and don't require that companies store a big trove of user passwords—or your sensitive biometric details—on a server to check logins. You can also now use standalone physical tokens in certain cases to log in wirelessly and without a password. The idea is that eventually, you'll be able to do that for pretty much everything.

“All the building blocks have reached a level of maturity where they can cross from early adopter technophiles to the mainstream,” says Mark Risher, Google's senior director of product management for identity and security platforms. “They have strong platform support, they work across all the different major providers, and they're becoming familiar to users. Before we as an industry didn't even know how to get rid of passwords. Now it'll take some time, but we know how we're doing it.”

At the end of June, Microsoft's Windows 11 announcement included deeper integration of passwordless sign-ins, particularly for logging into devices, using biometrics or a PIN. Similarly, Apple announced a few weeks earlier that its new iOS 15 and macOS Monterey operating systems will start to incorporate a new option called “Passkeys in iCloud Keychain,” a step toward using biometrics or device PINs to log into more services. And in May, Google discussed its efforts to promote secure password management at the same time that it works to move customers away from passwords.

Despite these and other industry efforts to get both developers and users on board with a passwordless world, though, two main challenges remain. One is that while passwords are universally despised, they're also deeply familiar and absurdly ubiquitous. It's not easy to break habits developed over decades. 

“It's a learned behavior—the first thing you do is set up a password,” says Andrew Shikiar, executive director of the FIDO Alliance, a longtime industry association that specifically works on secure authentication. “So then the problem is we have a dependance on a really poor foundation. What we need to do is to break that dependance.”

It's been a painful detox. A FIDO task force has been studying user experience over the last year to make recommendations not just about passwordless technology itself, but about how to present it to regular people and provide them with a better understanding of the security benefits. FIDO says that the organizations implementing its passwordless standards are having trouble getting users to actually adopt the feature, so the alliance has released user experience guidelines that it thinks will help with framing and presentation. “‘If you build it they will come’ isn’t always sufficient,” Shikiar wrote last month. 

The second hurdle is even trickier. Even with all of those pieces in place, many passwordless schemes only work on newer devices, and necessitate the ownership of smartphone along with at least one other device. In practice, that's a fairly narrow use case. Many people around the world share devices and can't upgrade them frequently, or use feature phones if anything.

And while passwordless implementations are increasingly standardized, account recovery options are not. When security questions or a PIN serve as backup options, you're essentially still using passwords, just in a different format. So passwordless schemes are moving toward systems where one device you've previously authenticated can anoint a new one as trustworthy.

“Let's say you leave your phone in a taxi, but you still have your laptop at home,” Google's Risher says. “You get a new phone and use the laptop to bless the phone and can kind of build yourself back up. And then when somebody finds your lost phone, it's still protected by the local device lock. We don't want to just shift the password problem onto account recovery.”

It's certainly easier than keeping track of backup recovery codes on a slip of paper, but again raises the issue of creating options for people who don't or can't maintain multiple personal devices.

As passwordless adoption proliferates, these practical questions about the transition remain. The password manager 1Password, which naturally has a business interest in the continued reign of passwords, says it is happy to embrace passwordless authentication everywhere that it makes sense. On Apple's iOS and macOS, for example, you can unlock your 1Password vault with TouchID or FaceID instead of typing in your master password.

There are some nuanced distinctions, though, between the master password that locks a password manager and the passwords stored inside of it. The trove of passwords in the vault are all used to authenticate to servers that also store a copy of the password. The master password that locks your vault is your secret alone; 1Password itself never knows it.

This distinction makes passwordless login, at least in its current form, a better fit for some scenarios than others, says 1Password chief product manager Akshay Bhargava. He notes, too, that some longstanding concerns about password alternatives remain. For example, biometrics are ideal for authentication in many ways, because they literally convey your unique physical presence. But using biometrics widely opens up the question of what happens if data about, say, your fingerprints or face is stolen and can be manipulated by attackers to impersonate you. And while you can change your password on a whim—their single best quality as authenticators—your face, finger, voice, or heartbeat are immutable. 

It will take time and more experimentation to create a passwordless ecosystem that can replace all the functionality of passwords, especially one that doesn't leave behind the billions of people who don't own a smartphone or multiple devices. It's harder to share accounts with trusted people in a passwordless world, and tying everything to one device like your phone creates even more incentive for hackers to compromise that device.

Until  passwords are totally gone, you should still follow the advice WIRED has pushed for years about using strong, unique passwords, a password manager (there are lots of good options), and two-factor authentication wherever you can. But as you see opportunities to go passwordless on some of your most sensitive accounts, like when setting up Windows 11, give it a shot. You may feel a weight lifting that you didn't even know was there.

More Great WIRED Stories