Passwordless logins are a confusing mess

In this week's guest column, Jared Newman wonders what it will take to make passkeys truly usable

This week’s column is by Jared Newman, whose Advisorator and Cord Cutter Weekly newsletters are both on my must-read list. I first got to know Jared for his work at PC World, where he’s been offering smart tech advice for as long as I can remember. He’s also a regular contributor to TechHive and Fast Company.

For this shortened post-holiday week, Jared and I are swapping columns, with Advisorator readers getting one of my recent articles and READ ME subscribers getting this analysis of a new technology that promises to reduce the pain and inconvenience of passwords … someday.

eBay’s passwordless login prompt.

by Jared Newman

Ready or not, the tech industry believes it’s time to start killing the password.

After discussing the idea in mostly theoretical terms last year, companies like Google and Apple are starting to push passwordless logins in earnest. By weaning people off passwords, they hope to make account logins easier and less susceptible to phishing attacks.

But behind the optimistic press releases—like last week’s from Google, which declared the “beginning of the end of the password”—lies a harsher reality: Getting rid of passwords will be a long, messy, and occasionally maddening process, especially without clearer documentation and guidance from the companies involved.

Even so, you can expect to see more apps and sites encourage you to create passwordless logins in the weeks and months ahead. Here’s what you need to know about how this is all going to work.

What might replace passwords

The big idea behind passwordless logins is that your phone or computer vouches for you, with a local check such as Face ID, a fingerprint, or the device PIN standing in for the password.

This does not mean you’re sharing biometric info with every app or website. Instead, your phone or computer stores a cryptographic key for each of your online accounts (the passkey), and your face or fingerprint only unlocks that key on the device. What the site receives is a signed response proving your device holds the key, never the biometric itself.

Google’s passwordless login prompt

The concept is somewhat similar to password managers such as Bitwarden and 1Password, in that you can’t access your vault on your phone without a biometric check (or your master password). The difference is that you never see an actual password, and neither does the app or site you’re logging into. Because the private half of the key never leaves your device and is tied to the site it was created for, a look-alike phishing site can’t collect it, and a breach of the site’s user database exposes only public keys that are useless for signing in. Having your login stolen becomes less likely as a result.

Your passkeys are also supposed to sync across devices, either via Apple’s iCloud Keychain or Google’s password manager in Android or Chrome. When those options aren’t available, the passkey system lets you sign into another device from your phone: the other device shows a QR code, you scan it with your phone, and the two then talk over Bluetooth to confirm they’re physically near each other. In theory, this means you’ll be able to log in without a password even as you move between your phone and laptop.

Why it’s a mess right now

Creating and using a passkey on Best Buy’s website

All of this falls apart when you try to start using passkeys in earnest. The technology is so new that every website handles it differently, and things that are supposed to just work often don’t.

eBay, for instance, is now encouraging users to create passkeys after they log in with a regular password. But once you do that, the site provides no way to actually use the passkey on other devices.

Best Buy’s process is even more confusing. While the site prominently offers a “Sign in with Passkey” prompt on its login page, creating one in the first place requires you to dig deep into Best Buy’s account menus.

I also had trouble using my Best Buy passkey across devices. While its desktop site lets you transfer passkeys created on your phone, the same process wasn’t available in reverse. Meanwhile, Google failed to sync my Best Buy passkeys at all, so trying to use “Sign in with Passkey” on a second Android phone only produced an error message.

Transferring a passkey from a phone to a PC.

As for Apple, it’s in its own universe when it comes to passwordless logins. To port passkeys over from a non-Apple device, you either need an Android phone or a physical security dongle with NFC support, which rules out easily syncing passkeys created on a Windows PC.

I have a pretty solid handle on technology, and I still find this to be overwhelming. Even across just a handful of sites, I’ve already lost track of which passkeys are stored where, and as of now, there’s no way to bulk-transfer them onto a single platform or password manager.

All of this, by the way, is separate from the “Sign in with Google” and “Sign in with Apple” buttons that are already ubiquitous around the web. While those options are also passwordless, they’re separate from this new passkey system that’s now being created.

What happens if you lose your phone?

The other concern with passkeys is how much pressure they put on your phone to serve as the keys to your digital life. As of now, none of the system’s biggest backers have provided clear documentation on what happens if your phone goes missing.

What I’ve gathered is that you’re supposed to use a secondary device—like a laptop or an iPad—to help authenticate the replacement phone. At that point, all your passkeys will sync over, and you’ll be on your way.

Setting aside all the sync issues I mentioned above, what happens if your phone is your only device, or if your other devices have gone missing as well? Today, the recovery process usually involves getting a text message sent to your new phone after entering your password. That option already carries some risk (SIM-swap attacks target exactly that text message), and it won’t be possible in a passwordless future.

Even now, there are other ways of recovering your account, such as printed backup codes or trusted recovery contacts. Setting those up will become even more important if passwords someday cease to be an option.

Right now, though, the companies pushing passwordless logins are glossing over the issue entirely. In Google’s latest post about adding passkey support, the possibility of losing your phone doesn’t even come up, and its support page offers no guidance for users who’ve lost all their devices.

Passwords aren’t going away (yet)

All of which helps explain why passwords are sticking around. Despite the hype, most of the services that offer passwordless logins today aren’t actually deleting your passwords. They’re just offering passkeys as an additional sign-in method as they try to work through an array of new inconsistencies, inconveniences, and technical hiccups.

In other words, when you see a “sign in with passkey” prompt on a website today, it roughly translates to “please be our guinea pig.” Leaving that job to others is a perfectly acceptable option.

For more from Jared Newman, I encourage you to check out Advisorator.