The password was always a stopgap. In the early 1960s, engineers at the Massachusetts Institute of Technology needed a way for several people to share a single mainframe while keeping their files separate, so each user was assigned a string to identify themselves at the terminal. That was the moment passwords entered computing. Back then, computers were rare and the trick was clever enough. Nobody imagined that half a century later every ordinary person would be juggling dozens of them, each one demanding upper case, lower case, digits and symbols, with a forced reset every ninety days.
People dislike passwords not because they are complicated but because they are contradictory. Security wants them long, random and unique. Memory wants them short, smooth and meaningful. Two opposite demands have been crammed into the same input box. The friction is amplified by the fact that every system has its own private rulebook. A bank insists on at least twelve characters with a special symbol. A corporate intranet forbids certain symbols. An older system caps you at eight characters and refuses to accept a space. Some sites force a change every ninety days and reject any password that matches the last ten you used. Coming up with a single new combination that satisfies one site’s quirks is already a small mental task.
Using one password everywhere is, in practice, impossible. The rules across systems are mutually incompatible, so even the laziest user is forced to vary. And even if uniformity were allowed, reuse would be a poor idea, because a single breach gives attackers a string they can spray against every other account a person owns. One leak can cascade through a dozen services. Yet remembering several dozen unique strings, each tailored to its own peculiar rules, is beyond most people. So forgetting passwords becomes routine, with users endlessly clicking reset links, waiting for verification emails, and scribbling new attempts onto sticky notes. There is a permanent gap between the limits of human memory and the demands of modern authentication, and the password model sits squarely on top of that gap.
Password managers emerged to bridge it. They generate, store and autofill credentials, which appears to solve the problem. But the convenience hides a different risk: every egg sits in one basket. Cloud-synced products like LastPass and 1Password trade local storage for cross-device access, which means the entire encrypted vault lives on a vendor’s servers. Local-only tools such as KeePass spread the risk but burden users with manual syncing, which is why they have never reached mainstream adoption. The LastPass breach in late 2022 became the cautionary case for the cloud-vault model. Once the master password or vault is compromised, everything inside is exposed at once. Concentrating trust in a single point is not safer; it is a bigger bet placed in a single location.
Passphrases were the next idea. Replace the random gibberish with a string of memorable words, four or five English terms strung together, theoretically longer and harder to crack while easier to remember. Passphrases never quite caught on, and the reason was systemic rather than human. Many websites still cap the password field at fifteen characters and disallow spaces. The deeper issue is that a passphrase, however clever, is still a shared secret. The user knows it; the server knows it. Once that string has left the user’s head and been transmitted, stored or cached, it can be stolen.
Social login took a different route. Authentication is delegated to Google, Facebook or Apple, and the user clicks a single button to be on their way. The convenience is real, but the price is that personal identity and behavioural data are handed to the platform with each click. Every login adds another data point about where the user is, what they use and what they do. It is a bargain trading privacy for ease, and most users do not fully grasp what they are giving up.
Social login also carries a less visible nuisance. Many people sign up casually with Google, forget about it some months later, then return and create another account with Facebook. The result is two unlinked profiles inside the same service, with purchase history, subscriptions and points fragmented between them. The site’s engineers must then decide whether to merge the accounts, link them or keep them separate. Each option has side effects, and the logic written to handle these cases often becomes more complex than the authentication itself. The smooth surface of social login is supported by a tangled web of identity reconciliation underneath.
Through all of these iterations, the underlying problem went untouched. The shared secret model itself is the source of the trouble. As long as user and server must both hold the same string, that string can be phished, intercepted or leaked. To fix the problem properly, the model has to change.
That is exactly what passkeys do. They are built on asymmetric cryptography. When a user registers, the device generates a key pair: the private key stays inside the device’s secure chip and never leaves; the public key is handed to the server. To log in, the server issues a challenge, the device signs it with the private key, and the server verifies the signature using the public key. No secret travels across the network at any point. A phishing site that mimics the real one perfectly cannot extract anything usable, because the passkey is bound to the original domain and refuses to operate on any other.
The historical drawback of passkeys was that the private key existed only on a single device, which meant switching phones required re-registering every account from scratch. That barrier has now been cleared. Apple’s iCloud Keychain, Google’s Chrome Password Manager and Microsoft’s Authenticator combined with a Microsoft account can each sync passkeys to a user’s other devices. For those who distrust the cloud, hardware security keys such as YubiKey keep the credential locked inside a physical chip that the user carries with them.
On the surface this looks identical to a password manager: both move login credentials between devices. But what they protect is fundamentally different in nature. A password manager syncs the password itself, which is a secret held by both user and server, and so a breach of the vault hands the attacker a working key to every account inside. A passkey synchronisation moves the private key, but the corresponding server has never held any secret in the first place; even if the website is breached, only the public key leaks, and that is worthless to the attacker.
What if Apple’s or Google’s sync service itself were compromised? The protection here lies in end-to-end encryption. Before the private key leaves the device, it is encrypted with a key known only to the user’s own devices, and the cloud sees nothing but ciphertext that even Apple or Google cannot unlock. If the entire sync system were breached, what leaks is an unreadable encrypted bundle. To actually use a passkey, an attacker would need to compromise the user’s Apple ID or Google account itself, which means stealing the password, defeating two-factor authentication, and then convincing the platform to trust an entirely new device, with each step triggering an explicit alert on the user’s existing devices. The risk has not vanished, but it has been pushed up from the storage layer to the identity layer. The attack surface narrows, the cost rises, and the leaked ciphertext on its own carries no immediate value.
The YubiKey route comes with its own trade-off. The fact that the private key never leaves the chip is its strongest protection, but it is equally its biggest weakness: lose the key and the credentials inside vanish with it, with no recovery path even from Yubico. The standard practice is therefore never to rely on a single key. Each account should be registered with at least two, one carried daily and one stored at home or in a safe. If the everyday key is lost, the backup still works; the first thing to do is delete the old key from the account and add a fresh replacement. Anyone who used only one and lost it falls back on each service’s account-recovery process, which is the weakest link in the entire chain and the favoured target of social engineering attackers.
Passkeys also do not lock a user inside one ecosystem. A passkey created on an iPhone can be used to log in to a website on a Windows computer by scanning a QR code displayed on the screen, with Bluetooth confirming that the two devices are physically near each other before completing the verification. The private key never leaves the phone; the cross-platform handoff is achieved through a FIDO standard protocol handshake, not by copying secrets between devices. Compared with social login, which essentially outsources identity to a single provider, this is a fundamentally different design.
Passkeys are not a panacea. They shift the risk from the storage layer to the device layer and the identity layer. The attack surface narrows and the bar rises, but it is not zero. A device deeply compromised by malware, or with a backdoor planted at the supply-chain stage, would expose any credentials held inside. Compared with passwords, however, this attack path has always been the harder one. A keylogger cannot capture a string that was never typed; a phishing site cannot trick the user into transmitting a private key that never travels; a server breach cannot leak a usable secret because no usable secret was ever stored. Harder is not the same as impossible, and security engineering has never offered a final answer.
There is also a structural concern worth naming. The passkey sync ecosystem currently rests on Apple, Google and Microsoft. End-to-end encryption protects against technical surveillance, but it does not protect against policy shifts. If a platform alters its access rules, complies with regulatory or law-enforcement demands, or freezes a user’s account for any reason, the entire login flow shakes with it. The FIDO Alliance is working on standards such as the Credential Exchange Format that will eventually let passkeys move between providers, but seamless interoperability is still some way off. For elderly users without smartphones, those uncomfortable with biometrics, or those whose work devices forbid personal sync, plain passwords will remain a fallback for the foreseeable future.
What the user actually sees is a fingerprint or a glance at the camera, and the fingerprint itself never leaves the secure chip inside the device. The server receives only a signature produced by the private key, which has nothing to do with what the biometric data actually look like. Behind that simple gesture is more than thirty years of mature cryptography, finally caught by consumer-grade hardware. Apple, Google and Microsoft now support passkeys natively, and major services including Amazon, PayPal, GitHub and Revolut have rolled them out. The FIDO Alliance reports that more than one billion people worldwide have activated at least one passkey, with consumer awareness running at roughly three quarters. In April 2026 the UK’s National Cyber Security Centre formally advised consumers to make passkeys their first choice for logging in, dropping its long-standing recommendation of plain passwords.
This is not another tech-industry feature push. It is a shift in the underlying engineering model. The reason the safest password is no password at all is not that passwords have ceased to matter, but that the shared-secret premise on which they rest is itself the source of the vulnerability. Keeping the secret behind the fingerprint on your own device, where it never has to travel, is what finally makes the model work.
