James Carter
Editor-in-Chief
The death of the password has been predicted for at least two decades. First it was biometrics, then hardware tokens, then SMS codes, then authenticator apps. Each wave improved security for those who adopted it, but passwords stubbornly persisted — because they worked, more or less, for most people most of the time.
The passkey is different for one simple reason: it is built into the operating system and browser at the platform level, by Apple, Google, and Microsoft simultaneously. This is the first time the three dominant platform vendors have agreed on a replacement for passwords and shipped it to billions of devices at once.
A passkey is a cryptographic key pair. The private key never leaves your device. The public key is registered with the service. Authentication happens via biometric — your fingerprint or face — which unlocks the private key locally. Nothing about your biometric is ever transmitted anywhere.
The technical foundation is solid. The remaining challenge is adoption on the service side. Every website and application needs to implement passkey support before users can fully abandon passwords. Progress is happening — but it is uneven. Banking and high-security services are moving quickly. Long-tail consumer apps are lagging.
Be the first to start the discussion