Thanks to passkeys, you may never have to type a password again
A future without passwords is in sight

Apple thinks 249 of my passwords need attention. Some of them have been reused. Some of them have been caught up in data breaches. Some are just bad passwords.

That's why, for the past 11 years, a group called the FIDO Alliance has been working to kill passwords — or at least make us less reliant on them. FIDO, short for Fast IDentity Online, wants to make signing into your accounts not only more secure but also, as the name implies, faster and easier. Since its members include Amazon, Apple, Google, Meta, and other architects of our online experience, the FIDO Alliance is in a position to accomplish this, too.

Whether you've realized it or not, FIDO's efforts have already transformed the way you sign into everything online. For instance, you may have noticed a few years ago that more sites started requiring something called multifactor authentication, which adds an extra step to the login process, like texting a code to your phone so the site can verify you're you. That was FIDO's doing. But after years of making logging in more difficult but more secure, the alliance recently began a major push to get platforms and people alike to adopt a technology that may just kill passwords altogether: passkeys.

Passkeys are a new kind of credential that you can use to sign into web accounts without the use of a password. This new authentication standard is making passwords irrelevant by introducing a new, simpler, but more secure workflow. There's a logo and everything.

You can think of passkeys as two encrypted files — one on your end and one on the website's end — that open up access to your account when one matches the other, much like a key and lock. Passkeys can't be copied or spoofed, and they can't be phished. Once you've set up a passkey for a website, you can sign in the same way you unlock your phone: with your face, your fingerprint, or a PIN.
The process is so quick and familiar, you may already be using passkeys on sites like Google and Amazon.

Pretty soon, passkeys could be all you use. May your passwords rest in peace.

The password problem, briefly explained

It wasn't always like this. In the early days of computing, when computers took up entire rooms and required several people to operate them, there wasn't a need for passwords. But once people started sharing those systems, passwords became key to computing in private.

In the early 1960s, MIT researchers built a giant computer called the Compatible Time-Sharing System, a pioneering machine that led to the development of things like email and file sharing. It allowed multiple people to work on their own projects at once, so Fernando Corbató, the head of the project, came up with a way for people to keep private files on the system. He made it possible for researchers to set up accounts and access them with unique strings of characters — and thus the password was born.

"Unfortunately it's become kind of a nightmare," Corbató told the Wall Street Journal in 2014.

It turns out, passwords aren't very private at all. The MIT researchers quickly figured out ways to steal their colleagues' passwords and play pranks on them. Fast-forward a few decades, and people are using hundreds of passwords to protect their hundreds of online accounts — or sometimes, it's the same password for everything.

It's absolutely a nightmare. Passwords are easy to forget and can be difficult to reset. If a hacker steals that one password you use because it's a hassle to keep track of a bunch, they can log into all your accounts, steal your money, and generally wreak havoc. Hackers can also just steal passwords, sometimes millions of them at once, to steal people's identities. Phishing attacks — when a bad actor tricks someone into giving up their login credentials — are a particularly insidious way to gain access to large amounts of sensitive data.
These data breaches are actually what led to the creation of FIDO in 2013, when a consortium of tech companies, banks, and governments banded together to come up with a better way to secure accounts. The effort started out with adding layers of security on top of the basic password. Multifactor authentication became mainstream about a decade ago. This improved security, but it was also a real pain.

You've since seen even more complicated login routines. Requirements for passwords have gotten more complex (think: a dozen characters, upper- and lowercase, special characters, the works). Even once you've entered a paralyzingly long and complex password, you might get a push notification on another device to verify that you're you on your laptop. You might get a magic link sent to your email. There could even be a QR code involved. All of these methods are also vulnerable to phishing attempts.

"To solve the problem, you need to really get to the root of the problem," FIDO CEO Andrew Shikiar told me. "By addressing the password problem, you're really addressing the data breach problem."

The passkey solution

Passkeys promise to fix many of the problems passwords created. Thanks to FIDO and W3C, the consortium that manages the standards for the World Wide Web, there is now an agreed-upon workflow for passkeys to replace passwords entirely.

From the user's point of view, the passkey process is pretty easy. You just log in the old-fashioned way, with a password or a code or whatever, and then the website or platform will ask you if you want to set up a passkey. If you do, it will generate those two files — the lock and key, if you will — that make up the passkey. It will also prompt you to unlock your phone with your face, fingerprint, PIN, or swipe pattern, depending on your preferences. The passkey will then be associated with that device and stored in the cloud or in your password manager.
The next time you go to log in, that site will go to see if you've got the key to fit its lock. If so, unlock your device, and you're right back in. It takes maybe two seconds.

Creating a passkey will not necessarily do away with your password for good. Many sites are keeping the password around as a backup, if you somehow lose track of your passkey. Plus, we've been using passwords for so long, it would be weird if they suddenly disappeared.

"People don't want to feel like they're losing their password," Shikiar said. "That's a scary thought."

Not for me. I personally couldn't wait to switch from passwords to passkeys, once I learned about the wider rollout. So over the past week, I've set up as many passkeys as I can. But I did not set up 249 new passkeys to deal with all those problematic passwords. My passkey count is closer to 12.

The setup process is slightly different for each site, but once the passkey is in place, logging in is essentially a one-touch or one-glance process. Most of the time, I don't even see a place to enter my password. The site just scans my fingerprint or my face, and I'm in.

The main challenge, for now, is that not too many companies are using passkeys, which explains FIDO's recent push to get more companies signed up. You can set up passkeys for your Google and Amazon accounts, for instance, but not for Facebook and Instagram. WhatsApp, however, does use passkeys. It's all a bit confusing for now. (Here's a full list of major websites that support passkeys.)

The other issue here is that, while people can remember passwords in their heads, passkeys really need passkey managers. Because most new devices come with password managers built-in, this is actually not that big of a deal: Password managers are also passkey managers. Google and Apple started making the transition to passkeys a couple years ago.
If you're using an Android or iPhone, you can use the built-in password managers on those devices to save all of your passkeys. Google Chrome also has a passkey manager, as does Microsoft Windows. Password managers, like 1Password and Bitwarden, can also handle passkeys now. If you want to switch from an iPhone to an Android device or switch password managers, you'll have trouble migrating all of those passkeys, but FIDO is working on a solution.

Passkeys were designed to kill passwords, but it will be a slow death. Even though passwords are sticking around for now, they'll gradually be rendered useless as more sites and platforms rely on passkeys instead. In a sense, passwords will become internet zombies, lurking and probably occasionally causing trouble.

"The password will never fully die," said Jacob Hoffman-Andrews, a senior staff technologist at the Electronic Frontier Foundation. "There will always be devices and corners of the internet where passwords hold on."

—Adam Clark Estes, senior technology correspondent
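
The lock-and-key sign-in described under "The passkey solution", as an added example that is not part of the original newsletter: in the WebAuthn standard behind passkeys, the "key" is a private key kept on the device and the "lock" is the matching public key kept by the site. This simplified Node.js model is not the real WebAuthn message format, and `createPasskey`, `signIn`, `verifySignIn` and the example.com origins are constructed for illustration; it shows why a lookalike site or a replayed response does not get in.

```javascript
// Added example: simplified model of passkey sign-in (not the real WebAuthn wire format).
// All function names and origins below are constructed for illustration.
const crypto = require('node:crypto');

// Device: create a key pair bound to one site. The private key never leaves the device.
function createPasskey(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { rpId, privateKey, publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }) };
}

// Device/browser: sign the server's challenge together with the origin actually being visited.
function signIn(passkey, challenge, origin) {
  const host = new URL(origin).hostname;
  // A passkey is only offered to the site it was created for.
  if (host !== passkey.rpId && !host.endsWith('.' + passkey.rpId)) return null;
  const clientData = JSON.stringify({ challenge: challenge.toString('base64url'), origin });
  return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), passkey.privateKey) };
}

// Server: holds only the public key; checks challenge freshness, origin and signature.
function verifySignIn(publicKeyPem, challenge, expectedOrigin, assertion) {
  if (!assertion) return false;
  const data = JSON.parse(assertion.clientData);
  if (data.challenge !== challenge.toString('base64url')) return false; // stale or replayed
  if (data.origin !== expectedOrigin) return false;                      // signed for another site
  return crypto.verify('sha256', Buffer.from(assertion.clientData), publicKeyPem, assertion.signature);
}

function demo() {
  const site = 'https://example.com';
  const lookalike = 'https://example.com.login-check.test';
  const passkey = createPasskey('example.com');
  const stored = passkey.publicKeyPem;            // all the site keeps: useless for signing in
  const challenge = crypto.randomBytes(32);       // fresh per login attempt
  const good = signIn(passkey, challenge, site);
  // Worst case: something signs for the lookalike origin anyway; the site still rejects it.
  const forced = signIn({ ...passkey, rpId: 'example.com.login-check.test' }, challenge, lookalike);
  return {
    legitimate: verifySignIn(stored, challenge, site, good),
    offeredToLookalike: signIn(passkey, challenge, lookalike) !== null,
    relayedAccepted: verifySignIn(stored, challenge, site, forced),
    replayAccepted: verifySignIn(stored, crypto.randomBytes(32), site, good),
  };
}

console.log(demo());
```

A breach of the site's database in this model exposes only `stored`, the public key, which can verify a signature but cannot produce one.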