If we want a passwordless future, let's get our passkey story straight
Passwords and passkeys each involve a secret. The critical difference: How that secret gets handled.
In a recent article from a well-known tech publisher that extolled the virtues of Bitwarden's password manager, the author wrote the following (by the time you read this, the passage may have been corrected):
"Passkeys are an attempt to replace the password with a key that you don't have to remember or worry about at all. When you create a passkey for a website, the site spits out two pieces of code, one it saves on the server, one it saves on your device. When you return to the site, the site checks for the code it saved to your device and if it's there, it logs you in."
The passage includes multiple incorrect statements that work against the efforts of the FIDO Alliance to educate the public on why passkeys are more secure than passwords for authenticating with websites or applications. (The FIDO Alliance is a consortium of high-tech leaders -- including Microsoft, Google, and Apple -- that develops and promotes the passkey technology standard.)
The passage gets one thing right: "Passkeys are an attempt to replace the password with a key that you don't have to remember or worry about." That's definitely one of the aspirations of the passkey standard.
"That's the vision. The end result should be completely effortless," said Mitchell Galavan, Google lead authentication UX designer, during a recent interview with ZDNET. "[You shouldn't] even have to think about it," added Galavan, who also serves as co-chair of the FIDO Alliance U/X Working Group. "The experience should be seamless. You wouldn't even have to know that the passkeys are showing up on your device if you don't want to -- you're just getting to where you want to go."
When passkeys work, which is not always the case, they can offer a nearly automagical experience compared to the typical user ID and password workflow. Some passkey proponents like to say that passkeys will be the death of passwords. More realistically, however, at least for the next decade, they'll mean the death of some passwords -- perhaps many passwords. We'll see. Even so, the idea of killing passwords is a very worthy objective.