It’s been a couple of years since Apple, Google, and Microsoft started trying to kill the password, and its demise seems more likely than ever.
In 2022, all three companies embraced an alternative called passkeys, which sync securely between your devices and are protected by face recognition, a fingerprint, or a PIN. The thinking goes that if you don’t have to remember a password—or even create one in a password manager—you’re less likely to fall prey to phishing scams. And if websites don’t have to store their customers’ passwords anymore, security breaches won’t be as disastrous.
Despite a lot of early hype around passkeys, the initial rollout has been messy. Apps and websites all have different ideas about how to introduce the concept of not needing a password anymore, and storing passkeys with third-party password managers such as Bitwarden and 1Password can be a convoluted process. Worst of all, there’s no way to transfer all your passkeys to another platform or password manager, turning them into yet another form ecosystem lock-in.
All of that is finally changing. The FIDO Alliance, the industry group spearheading the passkey push, is putting out some much-needed guidelines to make passkeys usage feel more consistent from one site to the next, and the big tech platforms are getting better at letting you store passkeys in your preferred password manager. Work is also underway on a protocol to let people securely switch between password managers and take all their passkeys with them.
All this is contributing to an air of inevitability for passkeys, especially as major e-commerce players such as Amazon and Shopify get on board. Even if you’re not fully attuned to the passkey movement, you’ll soon have to go out of your way to avoid it.
“Within the next three to five years, virtually every major service will offer consumers a passwordless option,” says Andrew Shikiar, the FIDO Alliance’s CEO and executive director.
Boosting adoption
One of the biggest challenges for passkeys is inertia. People aren’t used to the idea of signing in without a password, and having to set up a passkey can be confusing or annoying, especially when it gets in the way of using the site you just logged into.
There’s no easy answer to this problem, but the FIDO Alliance has set up a a Passkey Central website to walk companies through the potential solutions. It lays out different strategies for getting users to adopt passkeys, and it encourages the entire industry adopt similar visual cues and messaging.
“I think this guidance that we’re giving—this step-by-step support, helping people along those journeys—will be another way of addressing these pain points,” Shikiar says.
We’re also starting to see some sites get more aggressive about pushing passkey adoption. If you’ve signed into Amazon lately, for instance, you might’ve seen an on-screen prompt to set up a passkey with the click of a button. A forthcoming update to the WebAuthn specification, called “conditional create,” will make this process part of an industry standard for websites to adopt.
“We can start supporting those flows to make the adoption of passkeys by users a bit more of a passive, low-friction process,” says Nick Steele 1Password’s staff product manager. “Because that’s the hardest part today, is getting users to take that first step.”
Embracing password mangers
When passkeys first launched a couple of years ago, third-party password managers seemed like an afterthought.
If you set up a passkey on an iPhone, for instance, it would automatically be stored in Apple’s iCloud Keychain, even if you preferred to use third-party option such as Bitwarden or 1Password. When those password managers eventually added passkey support, they had to rely on hacky workarounds to store them.
Thankfully, that’s changing too. Apple now supports saving and accessing passkeys in third-party password managers, and Microsoft says it will soon let Windows users choose a default third-party passkey manager. Google, meanwhile, is updating Chrome for Android so its autofill feature uses whatever password manager you set as the default at the system level.
While involved with passkeys say the major tech platforms were never trying to use passkeys as a tool for lock-in, it is easier for them to store those passkeys on their own. It’s taken time for figure out how to accommodate third-party password managers as well, Steele says he worked closely with companies like Microsoft to make that happen.
“We’re all on the same team here, right? And the team is ‘get rid of the password,’” he says.
Take them with you
Even as it gets easier to store passkeys in your preferred password manager, there’s still no way to transfer them in bulk. If you’re a longtime 1Password user who wants to switch to Apple’s Passwords app, for instance, the passkeys you’ve created in 1Password are stuck there.
Now, the FIDO Alliance is proposing a solution with the Credential Exchange Format and Credential Exchange Protocol. The former provides a universally-recognized data format for logins, while the latter specifies how password managers can transfer that data among themselves.
CXF and CXP aren’t just for passkeys. They also cover traditional passwords, providing a secure way to switch to a new password manager. Today, your only option is to export a .CSV spreadsheet of all your logins, then upload it elsewhere, and in the meantime anyone with access to that spreadsheet can see all your logins in plain text. CXF and CXP are still in the working draft stage, but the goal is for them to provide a more secure way to switch.
“I think it’s really cool that we’re doing this,” FIDO’s Andrew Shikiar says. “We want to be secure, we want to interoperate, we want to be competitive, and we’ve seen that bear out.”
Gaining traction
Shikiar says he’s happy with the progress passkeys have made over the past two years. He points to a recent survey the FIDO Alliance conducted, showing that 40% of consumers has some awareness of passkeys. He also pointed to a recent Amazon announcement that 175 million of its customers have enabled passkeys on their accounts.
The next big goal will be to bring financial service providers on board. The earliest passkey support tend to be e-commerce and hospitality services whose main goal is ease-of-access, he says, the greater proof point will be adoption from companies see the security benefits of passkeys as well.
Once that happens, he expects the password to feel increasingly obsolete. “To be clear, there will be scenarios where we’re still using passwords in five years,” he says, “but less and less.”