
Passwords are Broken! All Hail Passkeys??



Passwords

Passwords have been around for decades. They are the de facto authentication standard used across the web for identity verification. When interacting with an app or website that requires an account for added functionality or services, users are prompted to provide a username (typically an email address) and a password. The password is a shared 'secret' known by both the user and the online service they are accessing. During sign-in, as long as the user can provide a valid username and password combination, they are granted access.

Passwords, however, have been inherently vulnerable since their inception. They are:

  • Easily guessable, since most users use weak passwords (e.g. 12345678).

  • Susceptible to keyloggers, social engineering, phishing attacks, and hacking attempts such as brute-force attacks.

  • Frequently re-used across different accounts, so a data breach of a single online service can put all of a user's other accounts at risk.

The use of passwords affects businesses as well. According to the FIDO (Fast Identity Online) Alliance, more than 80% of data breaches are the result of compromised passwords. Furthermore, one-third of all online purchases are lost due to customers forgetting an account password, which prevents them from completing the checkout process. Businesses also receive a lot of customer support requests due to forgotten passwords.


Over the years, different solutions have emerged to address the problems posed by passwords. However, instead of addressing the underlying security problems, these solutions pile on additional processes at the expense of user experience. For instance:

  • While the use of two-factor authentication (2FA) increases security for online accounts, it adds an extra step for users and financial costs for the online service provider (SMS costs).

  • Enforcing password complexity increases friction for users and the likelihood of customers forgetting their account passwords.

  • While password managers were meant to help users set unique and strong passwords for each of their online accounts without needing to remember the actual passwords themselves, they are still not widely adopted.

Due to all these underlying login security problems, a "passwordless" future needed to be envisioned and brought to life.