Passwords. We all know they are a nightmare. First because we have too many to remember, and second because resorting to a password manager, like most of us do, comes with its own set of problems as companies’ sites keep layering in more security.
Each login is more frustrating than the previous one: Unlock the password manager with its own password. Click. Copy and paste a unique, unpronounceable string of characters into the sign-in form. Click. Confirm it’s me with a six-digit code sent to my email or phone. Click.
The average person has accumulated close to 100 passwords to access everything from their email inboxes and bank accounts to streaming services. We have become poor, helpless victims of such technology. And to add insult to injury, such arcane and complicated maneuvers are not even a foolproof way to keep our information safe.
Passwords are notoriously easy to crack: Microsoft reports nearly 1,287 password attacks every second, or about 111 million daily. And Cybersecurity Ventures reports that 44 records are stolen from breaches every second. Given the fallibility of a string of letters, numbers, and characters, tech firms have layered a series of defenses on top of passwords since their introduction in the 1960s — from mandating the codes include both numbers and letters to adding a second authentication step, such as security questions. These added complexities have done little to ward off break-ins. Last year alone, over 24 billion login credentials were exposed, an increase of 65% compared with 2020.
Given the torture of the password situation, we should be ecstatic to learn that soon they may be just a bad memory.
To solve the password problem, a coalition of some of the most influential tech firms, including Apple, Amazon, Google, and Microsoft, created the FIDO Alliance, which has spent the past decade working on a login system that would kill the archaic password once and for all.
FIDO Alliance’s solution, referred to as “passkeys,” shifts the burden of security from the user to technology. With passkeys, you don’t have to worry about saving unique passcodes for each website, nor do you have to navigate a maze of security steps to log in. In FIDO’s passwordless world, you are the password. All you have to do to log in anywhere is scan your face or fingerprint.
“You literally cannot steal a password if the password doesn’t exist,” Steve Won, the chief product officer of 1Password, a premium password manager and a member of the FIDO Alliance, told me.
If successful, passkeys can put to rest some of the most pressing online security concerns. Following FIDO’s latest update, several major companies in the past year have rolled out support for passkeys to their devices and websites. Platform owners from Apple to Mastercard are on board, so there’s a real chance they can take hold.
To use the new passwordless login, you first need to set up a passkey on your laptop, phone, tablet, or other device. You don’t need to install an extra app — Apple, Microsoft, and Google now offer passkey systems by default.
To create a passwordless login for one of your accounts, such as for Best Buy or Google, you visit their passkey sign-up page. The website or app scans your face or fingerprint. If your device doesn’t have a biometric scanner, it asks you to enter the device’s lockscreen PIN or password. (This step is a temporary solution for devices that aren’t able to scan your face or fingerprint to verify you — but the goal is to remove the PIN requirement.) Once the site has verified your identity, it generates a unique pair of virtual keys. One of them remains on the website’s server. The other is private and stays on your device.
The next time you log in to that account, all you have to do is tap a little key icon in the login form. The site then verifies your identity with Face ID, and in seconds, you’re in. Though it sounds complex, it all takes place in the background and happens instantly — you don’t have to remember or manage a thing. It’s as simple as unlocking an iPhone.
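The key-pair sign-up and sign-in described above can be sketched in a few lines of Node.js. This is an added example, not code from the FIDO Alliance or any site named here, and it is a simplification rather than the real WebAuthn message format: the `Device` and `Site` classes, their methods, and the `shop.example` origin are hypothetical, and it assumes the key pair is created on the device and only the public half is sent to the site.

```javascript
// Added example: simplified passkey flow, NOT the real WebAuthn message format.
// Device, Site and every method name here are hypothetical.
const crypto = require('node:crypto');

class Device {
  constructor() { this.privateKeys = new Map(); }   // origin -> private key, never exported
  register(origin) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.privateKeys.set(origin, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // only this goes to the site
  }
  // userVerified stands in for the local face, fingerprint or PIN check.
  signIn(origin, challenge, userVerified) {
    const key = this.privateKeys.get(origin);
    if (!key || !userVerified) return null;         // unknown site or failed check: no signature
    return crypto.sign('sha256', Buffer.concat([Buffer.from(origin), challenge]), key);
  }
}

class Site {
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); this.pending = new Map(); }
  enroll(user, pem) { this.publicKeys.set(user, pem); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32);       // fresh random value per sign-in attempt
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user);                      // each challenge is accepted once
    const pem = this.publicKeys.get(user);
    if (!challenge || !pem || !signature) return false;
    const signed = Buffer.concat([Buffer.from(this.origin), challenge]);
    return crypto.verify('sha256', signed, pem, signature);
  }
}

function demo() {
  const device = new Device(), other = new Device();
  const site = new Site('https://shop.example');    // constructed sample origin
  site.enroll('alice', device.register(site.origin));
  other.register(site.origin);                      // a different key pair for the same site
  const sig = device.signIn(site.origin, site.newChallenge('alice'), true);
  return {
    login: site.verify('alice', sig),
    replay: site.verify('alice', sig),              // challenge already consumed
    wrongKey: site.verify('alice', other.signIn(site.origin, site.newChallenge('alice'), true)),
    lookalike: device.signIn('https://shop-example.test', site.newChallenge('alice'), true),
    noBiometric: device.signIn(site.origin, site.newChallenge('alice'), false),
  };
}
```

The site stores nothing that can be replayed as a login: a captured signature fails on the next challenge, a key from another device fails verification, and the device produces no signature for a look-alike origin or when the local user check fails.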