Why the road from passwords to passkeys is long, bumpy, and worth it – probably

Out of the blue, I received a text from my father asking me, “What’s the difference between a password and a passkey?”
Somewhere, in his daily online journey, he was prompted by a website or application — a “relying party” in authentication lingo — to create a passkey. But the benefit wasn’t clear to him. Nor did there seem to be any urgency. He figured I’d know what passkeys are and what to do the next time he gets a nudge to set one up. I told him, “Let’s talk before you do anything.”
Prompts like the one my father saw will become increasingly commonplace in our daily digital lives. In fact, you are part of the tech industry’s master plan for passkeys to eliminate passwords.
I’m a proponent of that plan, but I’m not as optimistic as others are about its timing.
Barriers to adoption
While the current plan rests on a solid technical foundation, many important details are barriers to short-term adoption. For example, setting up a passkey for a particular website should be a rather seamless process (and sometimes is); however, fully deactivating that passkey still relies on a manual multistep process that has yet to be automated.
Further complicating matters, some current user-facing implementations of passkeys are so different from one another that they’re likely to confuse end-users looking for a common, recognizable, and easily repeated user experience (similar to user ID and password dialogs).
As long as these and other barriers exist, you’ve got plenty of time to think more holistically about your strategy for transitioning to passkeys and, thankfully, time for strategy do-overs. You might need them.
Since 2021, when Apple first revealed an example of the passkey standard that it developed along with other titans such as Google and Microsoft under the auspices of the FIDO Alliance, there have been many articles written here on ZDNET and elsewhere about the benefits and adoption of passkeys — for consumers and enterprises. In a nutshell, the main idea behind passkeys is to get rid of passwords. For various reasons — including our chronic forgetfulness and ignorance of best practices (e.g., never re-use the same password across multiple websites!) — passwords are a scourge and their elimination could finally spell the end to phishing and smishing.
Passkey aficionados sometimes refer to passkey-based logins as “passwordless authentication.” If there are no passwords to give to relying parties, then there are no passwords to give to malicious actors either. But just because a handful of websites and apps support passkeys doesn’t mean they’re deactivating passwords any time soon. As long as user IDs and passwords are an allowable form of authentication, hackers will successfully phish and smish for them.
Passkey sorcery
Regardless of whether your login credentials include a password or a passkey, the process always involves a secret. After 30 years of passwords getting hacked, bank accounts getting emptied, identities being stolen, and a wide range of other terrible outcomes, the tech industry came to the obvious realization that we suck at protecting passwords.
Even after applying Band-Aids — one-time codes sent via text message, authenticator apps, and other additional so-called factors of authentication — passwords have still proven fallible. In some cases, malicious actors still hacked their way in. In other cases, legitimate users locked themselves out. As the saying goes, you can’t put lipstick on a pig.
Passkey proponents talk about how passkeys will be the death of the password. However, the truth is that the password died long ago — just in a different way. We’ve all used passwords without considering what is happening behind the scenes. A password is a special kind of secret — a shared or symmetric secret.
For most online services and applications, setting a password requires us to first share that password with the relying party, the website or app operator. While history has proven how shared secrets can work well in very secure and often temporary contexts (e.g., tunneled transmission of encrypted data), if the HaveIBeenPwned.com website teaches us anything, it’s that site and app authentication isn’t one of those contexts. Passwords are too easily compromised.
In contrast, a passkey involves a secret that never gets shared. That secret — the private key part of a public/private key pair — always stays with the end user and is never offered to the relying party. It’s not offered when the end user establishes or resets their credentials with a relying party or when it’s time to log in. If you know anything about cybersecurity and suspect that public key cryptography is involved, you have good instincts. The technical component of the passkey user journey is just a standard public key cryptographic workflow.
To non-technical people like my dad, however, the idea that you can log in to a site or app without being asked for your secret password sounds like sorcery. And if you’ve already experienced the automagical nature of passkeys — when they work as expected (which is not always) — it does feel like sorcery. My father was incredulous when I explained it to him. Maybe you are, too?
Noticeably missing from the passkey user experience is anything that visibly feels like an exchange is in progress. It’s unnervingly fast and thought-free. Meanwhile, the idea that we need secret passwords to protect virtually everything (even our houses) is so deeply embedded into our consciousness that to suggest an alternative — especially something “passwordless” — is practically sacrilege.
Derek Hanson, Yubico vice president of standards and alliances, concurs. Yubico makes a variety of fingertip-sized USB and wireless (NFC) devices to which users can save their passkeys for different sites and apps. Hanson is also deeply involved with multiple working groups at the FIDO Alliance, including the organization’s user experience and marketing communications groups.
Dubious end users
“The world does have a password problem. No one seems to disagree on that point. We have spent the last 30 or 40 years ingraining into people how passwords work online. And yes, the relying parties have done a lot to improve the experience,” Hanson told ZDNET. “But we’ve become so accustomed to all of the hurdles and headaches with passwords that we’ve experienced over those years that we’ve just been beaten down as users, that that’s the way the internet works.”
Hanson is concerned that the passkey standard has reached a precarious moment in its short history; a critical mass of users have been exposed to the passwordless technology — and even sampled it — but lack the confidence to leave their user IDs and passwords behind.
“We’re at a tipping point right now,” said Hanson, noting that users are balancing the external risks of hackers taking over their accounts if they stay with their passwords versus a nagging suspicion that switching to the new technology could result in account lockouts.
His concerns are justified.
Based on my own extensive tests of passkeys (the results will be chronicled here on ZDNET) and other sobering reports, the technology’s underpinnings are solid. Still, the wildly different user experiences built on top of them cannot possibly inspire user confidence. A recent Microsoft post implicitly suggests that the security benefits of passkeys alone will not inspire user adoption. UX designers must agonize over “every pixel” of the user experience.
“[In its current state], I don’t think it’s ready for certain people with certain computer skill sets. I don’t think it’s quite mature enough because of all the rough edges,” said Hanson. “That said, there is a concentrated effort to push on the platforms and relying parties.”
Integration and cooperation
In referring to “platforms and relying parties,” Hanson brings up a contributing factor to some of the passkey’s most visible rough edges: the full end-to-end passkey user experience isn’t necessarily within the control of a single entity. Minimally, that experience involves the integration of three separate components:
- The relying party (e.g., the website or app to which the user is authenticating).
- The operating system (the aforementioned “platform”) that’s running on the user’s device.
- The credential management solution that, among other things, stores the user’s passkeys.
When a single entity like Microsoft has jurisdiction over all three components — as might be the case when a user is logging into Microsoft 365 (the relying party) from a Windows-based PC (the platform, which happens to have a built-in credential manager) — that entity also has full control over the end-to-end passkey journey and the degree to which the three components are frictionlessly integrated.
But when the user logs into a Gmail account from their MacBook Pro that, at the user’s option, uses Bitwarden for credential management, there are essentially three independent hands in the cookie jar. Google’s Gmail is the relying party, Apple’s macOS is the platform, and Bitwarden is the credential manager. None of these three has full control over the end-to-end experience, and all three might have competing interests.
In this scenario and others like it, the odds of a confidence-inspiring end-user outcome are greatly diminished. If the rough edges are going to get worked out, much more cooperation between the different players will be necessary.
As imperfect as the current situation is, the optimist in me is looking forward to a future when I’m logging into all my sites and apps with passkeys. I’m certain it will be worth the wait. But I’m an outlier. I’m more willing to put up with rough edges than most. End-users have an important stake in the outcome. More pressure needs to be applied to the industry on their behalf.
As Hanson told me, “It’s about raising all the boats quickly because we want to ensure that the technology isn’t creating a reputational issue in the market. Consumers will hopefully accept it. But if they reject it, it may be very hard to come back and get a second chance.”