The Passwordless Revolution Has Arrived

At last, we’re on the cusp of a passwordless era. Replacing passwords with passkeys promises to reduce frustration while making us safer.

However, through my experience working with businesses and end users, I’ve found widespread misunderstandings around passwordless technologies. Many don’t understand what passwordless technology is or how it works, and some mistakenly think that more onerous login processes mean it’s more secure. Here’s an update on where we stand and what we need to take passwordless technology mainstream.

Passwords can be bad for business and leave more room for vulnerabilities.

Passwords may be the default, but they’re not our best option.

Our research shows that 44% of employees say the process of logging in consistently harms their mood and reduces productivity, while 30% also say the process of logging in and out at work diminishes their view of their company’s security policies or tech stack. In turn, that can make them care less about maintaining good security practices and even embitter them toward certain apps and services. Additionally, 43% of employees have figured out a workaround or given up on a task at work due to login challenges.

The login process can also hurt sales. According to the FIDO Alliance, 58% of consumers have abandoned their virtual shopping carts due to login difficulties, amounting to billions in lost revenue.

Of course, passwords can be intercepted, guessed or reverse-engineered by malicious actors. Consider the 2021 Colonial Pipeline breach—hackers’ theft of a single password took down the largest fuel pipeline in the U.S. Phishing attacks, where hackers pose as trusted businesses or individuals to trick people into sharing their passwords or personal information, are huge business. According to the Ponemon Institute, phishing attacks quadrupled between 2015 and 2021, resulting in an average of $14.8 million in annual costs to every U.S. company in 2021.

Passkeys will break open the passwordless dam.

In recent years, we’ve seen the rise of several passwordless technologies that come with trade-offs. Magic links eliminate passwords but require switching apps and waiting for an email—usually via an account that requires (you guessed it) a password. Hardware keys require carrying around a physical device—a more cumbersome experience. Biometrics like Face ID don’t replace passwords but simply mask the underlying password technology, still leaving room for bad password hygiene.

None of these approaches are likely to replace the password, but passkeys can do just that. Not only are they the most secure passwordless option, but they’re also easier to use, they provide a truly human-centric user experience, and they have the support of the major platforms including Apple, Google and Microsoft.

I’ve written about passkeys before—each passkey consists of a public key (shared with the website or app you’re creating an account for) and a private key (that stays secret on your device). Consider the public key like a magic ink pen and the private key like a special light required to read the secret message. Even if someone gets hold of the message, they can’t read it without the special light. Once you unlock your device, you’ll open the door to your account—no password, email link or hardware required.

The best part? With passkeys, it’s impossible to reverse-engineer one key from the other. Unless someone has your device and a way to open it, there’s no way to access your accounts. Hackers can’t phish for a password if there’s no password in the first place.
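To make the key-pair idea concrete, here is a simplified model of a passkey sign-in, added as an illustration and not taken from any vendor's implementation. It omits the real WebAuthn message encoding, and the function names and the `shop.example` / `shop-example.test` sites are assumptions made up for the example.

```javascript
const crypto = require("node:crypto");

// Registration: the device creates a key pair for one site. Only the public key is shared.
function createPasskey(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { device: { rpId, privateKey }, server: { rpId, publicKey } };
}

// Device side: sign the server's challenge together with the origin the browser really sees.
function signIn(device, challenge, origin) {
  // A passkey is scoped to its site, so a look-alike domain gets no signature at all.
  if (new URL(origin).hostname !== device.rpId) return null;
  const clientData = JSON.stringify({ challenge: challenge.toString("hex"), origin });
  const signature = crypto.sign("sha256", Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Server side: check challenge, origin and signature using only the stored public key.
function verifySignIn(server, expectedChallenge, assertion) {
  if (!assertion) return false;
  const data = JSON.parse(assertion.clientData);
  if (data.challenge !== expectedChallenge.toString("hex")) return false; // stale or replayed
  if (new URL(data.origin).hostname !== server.rpId) return false;        // signed for another site
  return crypto.verify("sha256", Buffer.from(assertion.clientData),
                       server.publicKey, assertion.signature);
}

// Constructed scenario: one legitimate login and three failed attacks.
function demo() {
  const { device, server } = createPasskey("shop.example");
  const challenge = crypto.randomBytes(32);
  const good = signIn(device, challenge, "https://shop.example");

  // Phishing page relays the real challenge, but the device sees the fake origin.
  const phishedAssertion = signIn(device, challenge, "https://shop-example.test");

  // Attacker replays a captured response against the next login's fresh challenge.
  const nextChallenge = crypto.randomBytes(32);
  const replayed = verifySignIn(server, nextChallenge, good);

  // Attacker rewrites the challenge inside the captured data; the old signature no longer fits.
  const editedData = good.clientData.replace(challenge.toString("hex"), nextChallenge.toString("hex"));
  const edited = verifySignIn(server, nextChallenge, { ...good, clientData: editedData });

  return { legitimate: verifySignIn(server, challenge, good), phishedAssertion, replayed, edited };
}
```

The server never holds anything secret: a breach of its database yields public keys, which cannot produce a valid signature.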

We need interoperability and mobilized developers.

We have amazing passwordless technology about to take over the world, but how can we deliver on that exciting promise?

First, we need to ensure interoperability. Tech players are naturally inclined to focus on their own ecosystems; seamless integration between Android and Apple isn’t a top priority for either organization. However, most of us live across platforms; I personally use a Mac, a PC, an iPhone, a Roku TV, a Kindle and more. I need to log in easily on all of them.

So far, many solutions don’t easily work across platforms. As connected devices grow exponentially, we must ensure they all provide a consistent, seamless experience. It’s the only way passwordless technology will become broadly adopted.

Fortunately, industry collaboration is well underway. Under the umbrella of the FIDO Alliance (of which 1Password is a member), prominent tech leaders—including Apple, Google and Microsoft—are developing universally recognized standards. That’s essential to make passwordless the first and most secure choice.

The next 18 months will be crucial for building trust and ensuring the successful adoption of passwordless. Major companies like PayPal, eBay, Kayak and Best Buy are already embracing passkeys. The moment Gmail turns passkey support on, 1.5 billion more people around the world will be adopting passkeys.

We also need to mobilize the developer community to create standardized APIs and trusted plug-ins that make it easy to add passkey technology to any site, app or device. As developers make it easier to embed passkeys, more sites will do so—and more users will try it.

Passwordless is a cybersecurity no-brainer.

Passwords were vital to scale the internet, enabling us to consistently access apps and services while saving useful and personalized information that enriched our experience. However, with the rise of sophisticated attacks with great costs (and, in turn, more onerous requirements on users), it’s time to adapt to the times.

Passwordless is a rare instance where individual and business interests fully align. It’s good for security, revenue and usability, as it improves protection while accelerating access to the apps and services we love. The productivity ramifications are massive—from getting more done at work, to landing concert tickets on the first go, to avoiding abandoned shopping carts. We predict that the e-commerce and retail sectors will be among the first to adopt passkeys, with others following as comfort increases.

In the complex and fragmented cybersecurity realm, creating the passkey as a universal standard is a no-brainer.