Last year, a password management company and a group of researchers found that the most common password in the world was 123456 — they said it showed up more than 103 million times.
Second was 123456789.
Third was 12345.
It was a telling sign of how most people use passwords, with millions of other users resorting to words like password or qwerty to secure their online accounts.
Whether you remember your passwords in your head, write them down somewhere or use password management software, the technology has some major drawbacks.
It’s why some of the world’s biggest tech companies are taking part in a rare collaboration to kill off the password, and its first phase is happening sooner than you might think.
So why would we move away from passwords and adopt passkeys? And what will it mean for our digital lives?
The problems with passwords
Computer passwords have been around since the 1960s, but they are far from perfect.
Microsoft said hackers tried to steal passwords around 921 times every second in the 12 months to May — a rate that doubled in the space of that year.
Here are some of the main issues with passwords:
- simple ones can be easily guessed
- data leaks can lead to passwords being bought and sold by cyber criminals
- passwords are often reused by the same person on different services and devices
- scammers can use social engineering or phishing (pretending to be someone they’re not) to get someone to reveal a password
“Our behaviours with passwords haven’t changed much in the last decade,” said Paul Haskell-Dowland, a professor of cyber security at Edith Cowan University.
To avoid these issues, industry leaders are promising that passkeys will allow for password-less account creation and sign-in across various devices and platforms.
What are passkeys? And how do they work?
To create and use a passkey on an app or website, you’ll use biometrics such as your fingerprint or face, or in some cases your device PIN.
Let’s say you’re setting up a new Instagram account on your phone, for example. Here’s how you could expect it to work:
- instead of creating a password, your device will use biometrics to verify it’s you, then generate a private passkey and store it securely on your device — it will then sync with your other devices through the cloud
- when you next go to log in, Instagram will send a unique mathematical problem to your device
- the device scans your biometrics to verify it’s you and it then uses the passkey it has stored to complete the mathematical problem and sends the result (but not the passkey itself) back to Instagram
- if the result matches what Instagram is looking for, this verifies it’s you and you’re logged in
- if you try to sign in to your account on someone else’s device, a QR code will be displayed so that you can scan it with one of your devices and confirm it’s you.
Here’s an example of what using a passkey will look like on an iPhone:
“You could consider it to be a bit like a password, but it’s a password that never leaves your device,” Professor Haskell-Dowland said.
In a joint statement in May, Apple, Google and Microsoft said they were committed to the standard behind passkeys, which was created by the FIDO Alliance and the World Wide Web Consortium.
“By working together as a community across platforms, we can at last achieve this vision and make significant progress toward eliminating passwords,” said Alex Simons, Corporate Vice President of Identity Program Management at Microsoft.
What are the benefits of passkeys?
Here are some of the key benefits of passkeys:
- you don’t have to remember a bunch of (hopefully different and very complex) passwords
- there won’t be anything to steal in data breaches from apps and websites, as they don’t store your personal passkeys
- if someone steals your device, they still won’t have your biometrics
- you can’t be tricked into sharing a passkey, because you don’t know what it is (only your devices do)
- passkeys are encrypted so no one (not even Apple, Google or Microsoft) can read them
- you can share passkeys with other people you trust, if you want to
- eventually you’ll likely be able to sign in to apps and services on nearly any device, regardless of their platform or browser.
“It removes the ability for a server compromise to mean that your information may be leaked online.”
Potential issues with passkeys
As with any new technology, there are a few grey areas with passkeys.
Here are a couple of questions that have been raised about them so far:
Will passkeys lock me into one of the big tech ecosystems?
This has been one of the main concerns so far.
As it stands, there’s no clear solution for moving your passkeys between ecosystems — say if you were to switch from Apple devices to Google devices.
But the FIDO Alliance has indicated it’s working towards that being possible and believes the tech companies aren’t trying to lock people in.
“There’s going to be such a significant driver for cross-platform compatibility, that anything developed now which doesn’t support that is not going to have a very long life.”
Transferring passkeys between ecosystems would also need to be secure enough to prevent hackers from obtaining the data while it’s being transferred.
Some companies that make password management software have also joined the FIDO Alliance, which could help give consumers more options and prevent them from feeling locked in.
What if I lose a device with my passkeys on it? Or lose all of my devices?
The tech giants say they will hold backups of passkeys in the cloud on encrypted servers.
This might raise security concerns for some users, but the companies say that even they won’t be able to access the passkeys on those servers, and it will be a complex process to retrieve them if you ever lose access to your devices.
But that’s probably a good thing.
“The approach that’s being taken seems to be very rigorous,” Professor Haskell-Dowland said.
“Whilst there’s always going to be risk — and sooner or later there will be strategies or techniques for bypassing some of these controls — at the moment it looks like it would be a fairly resilient approach.”
What if I get a new device?
If you get a new device, it’s expected that you’ll be able to use the old one (or another device of yours) to transfer your passkeys to the new device.
You might also retrieve them from the cloud, so it’s likely you’ll still need to use a password to secure your devices’ user accounts, at least for the time being.
When can I start using passkeys?
The transition to passkeys is expected to take its first major steps in the next 12 months or so when Apple, Google and Microsoft release new software that supports the technology.
Apple said passkeys would arrive in its iOS 16 and macOS Ventura software. They could be released as early as September.
Google said it aimed to have passkey support available for developer testing on Android and Chrome software “towards the end of 2022”, before going public.
Microsoft said it planned to support passkeys in Windows and on its Edge web browser.
Why passwords are still here to stay (for now)
Despite the tech giants racing to implement passkeys, it’s clear that passwords aren’t disappearing anytime soon, and it will likely take years to get most apps and websites to move away from them.
“It removes barriers, it removes risks, it’s a good public relations thing to say you’re adopting this new technology.
“They can do it quite easily, probably without too much fuss, and they’ve got the financial and technical resources to do so.
“But then you’re going to have a 20 or 30-year tail of websites and services that simply don’t have the resources and capabilities to implement it.”
So while we wait for the slow death of the password, now might be a good time to make sure you’re not using 123456.