Passwords Are Dead – But We’re Not Ready for Passwordless | TrendWire Cybersecurity

OPINION May 20, 2026 ⏱️ 12 min read

Passwords Are Dead – But We’re Not Ready for Passwordless

Passkeys are more secure, phishing‑resistant, and convenient – in theory. Yet the real‑world transition is plagued by fragmentation, recovery nightmares, and enterprise inertia. Here’s why we’re stuck in limbo.

Maya Chen
Cybersecurity Editor, TrendWire

We’ve been hearing it for years: “passwords are dead.” Tech giants Apple, Google, and Microsoft have aligned behind passkeys – a FIDO2/WebAuthn standard that replaces passwords with biometrics or PINs, synchronized across devices via the cloud. In 2026, you can use passkeys on virtually every major platform: iCloud Keychain, Google Password Manager, and Windows Hello. So why are passwords still everywhere?

Because the passwordless future isn’t ready – not for the average user, not for enterprises, and certainly not for the fragmented ecosystem of websites and apps. This opinion piece dissects the promise, the painful reality, and what must change before we can truly bury the password.

🔑 The Promise: Why Passkeys Are Superior

First, let’s give credit where it’s due. Passkeys solve two fundamental problems that passwords never could:

  • Phishing resistance: Passkeys are bound to the specific website’s origin. A fake login page cannot trick your device into revealing the key.
  • No reuse: Each passkey is unique per site, generated cryptographically. Credential stuffing attacks become impossible.
  • Convenience (theoretically): Face ID, Touch ID, or a simple PIN replaces typing. No more “forgot password” loops.

Major players have invested heavily. Apple introduced passkey support in iOS 16 (2022). Google followed in Android 9 and Chrome. Microsoft added Windows Hello and Edge support. By 2026, over 8 billion devices support WebAuthn. So why the slow adoption?

⚠️ The Reality: 5 Reasons We’re Not Ready

1. Account Recovery Is a Nightmare

What happens when you lose your phone? With passwords, you answer security questions or click an email reset link. With passkeys, if you haven’t synced to the cloud (or you explicitly disabled cloud sync for privacy), you may be permanently locked out of every account. Apple and Google offer cloud sync, but that reintroduces a password‑like dependency on your Apple/Google account password. For enterprise users with managed devices, recovery is even more complex.

2. Cross‑Platform Fragmentation

Imagine you create a passkey on your iPhone for a website. Then you try to log in on a Windows laptop using Chrome. Will it work? Sometimes yes (via QR code scanning), but often the experience is clunky. Google’s “cross‑device” passkey flow requires Bluetooth and proximity – it fails frequently. The lack of a universal, seamless experience across OS and browser vendors is a dealbreaker for average users.

3. Enterprise Identity Management Isn’t There

Large organizations use SSO (Single Sign‑On) like Okta, Azure AD, or Ping. Passkey support in enterprise SSO is immature. Rollout requires re‑enrolling every employee, managing hardware tokens, and handling lost devices. IT departments are risk‑averse; they’re not ditching Active Directory passwords until the tooling is bulletproof.

4. User Education & Trust

Most people don’t know what a passkey is. They’ve just learned to use password managers. Explaining “your phone becomes your key” sounds like magic. And when it fails (e.g., “this passkey is not valid for this website”), users have no mental model to debug. Frustration leads them back to “login with password” links.

5. Legacy Sites & Aging Infrastructure

Thousands of banking, government, and internal corporate portals were built before WebAuthn existed. Many use outdated protocols (like Java applets or old SAML). Upgrading them costs time and money. Until regulators mandate passwordless, these sites will stick with passwords – or at best, SMS 2FA.

📊 Passwordless Methods Compared

| Method | Security Level | Usability | Recovery Ease | Enterprise Readiness |
| --- | --- | --- | --- | --- |
| Passkeys (Cloud Sync) | Very High | Good (Apple/Google ecosystems) | Poor – tied to cloud account | Low |
| Passkeys (Hardware – YubiKey) | Highest | Clunky (carry a token) | Excellent (backup key) | Medium |
| Password Manager + MFA | High | Familiar | Good | High (mature) |
| SMS 2FA | Low (SIM swap risk) | Very easy | N/A | Medium (but discouraged) |

🏢 The Enterprise Dilemma

I spoke with three CISOs (Chief Information Security Officers) at Fortune 500 companies. All agreed that passwords are the weakest link. None had fully deployed passwordless authentication. Why?

  • Hybrid workforces mean personal devices mixed with corporate – passkey management becomes a support nightmare.
  • Legacy VPNs and internal apps don’t support WebAuthn.
  • Auditors still expect password policies (complexity, rotation) as a compliance checkbox. Replacing them requires rewriting security policies.
  • The cost of resetting 50,000 employees’ passkeys after a lost device is staggering.

As one CISO told me off the record: “We’ll move to passwordless when Microsoft forces us to. Until then, we stick with what works.”

💡 The Path Forward

What needs to happen before 2028 for passwordless to become mainstream:
1. Universal, offline recovery methods (e.g., recovery key printouts).
2. Mandatory passkey support in government and financial regulations.
3. Seamless cross‑platform roaming without Bluetooth pairing.
4. Enterprise MDM solutions with passkey lifecycle management.
5. A massive user education campaign (like “KnowBe4” for passkeys).

🔮 Where We’ll Be in 2028

I am not a pessimist. Passwords will eventually die – but not in 2026 or 2027. The transition will be gradual, like the move from magnetic stripe to chip cards (which took over a decade). By 2028, I predict:

  • 80% of consumer accounts at major tech companies (Google, Apple, Microsoft, Meta) will use passkeys as the primary method.
  • But banking and government will still require passwords as a fallback.
  • Enterprises will use passwordless for low‑risk internal apps; high‑security systems will stay on hardware tokens.
  • Password managers will evolve to manage both passwords and passkeys, blurring the line.

So yes, passwords are dying. But we, collectively, are not ready to pull the plug. Expect a messy, multi‑year transition – and keep your password manager handy.

“The only thing worse than passwords is pretending we can replace them overnight.” — Security engineer, FAANG (anonymous)

❓ Frequently Asked Questions

What exactly is a passkey?

A passkey is a cryptographic key pair (public/private) that replaces a password. The private key stays on your device (or in your cloud keychain), the public key is stored on the website. Your biometrics or PIN unlock the private key. It’s phishing‑resistant because the browser verifies the website’s origin before releasing the key.

Are passkeys more secure than passwords + 2FA?

Yes, for phishing. Passkeys cannot be stolen via fake login pages. However, if your device is infected with malware that can intercept biometric input, a passkey can still be compromised – though that’s a much higher bar than stealing a database of hashed passwords.

What happens if I lose my phone with my passkeys?

If you enabled cloud sync (iCloud Keychain, Google Password Manager), you can restore from another device. If not, you’re locked out unless you set up a recovery method (like a printed backup code or a hardware security key). This is currently the biggest usability flaw.

Can I use passkeys on all websites?

No. Major platforms (Amazon, Google, PayPal, GitHub) support them, but many smaller sites and government portals do not. Check passkeys.directory for an updated list.

Should I switch all my accounts to passkeys today?

If you are tech‑savvy and have a backup method (second device or hardware key), yes – it’s safer. For average users, wait until the major sites you use support seamless recovery. In the meantime, continue using a password manager with strong unique passwords and TOTP 2FA.

Will enterprise IT ever fully adopt passwordless?

Yes, but slowly. Gartner predicts that by 2029, only 40% of enterprises will have passwordless for all employees. The holdouts are legacy apps and compliance requirements. Microsoft Entra ID (Azure AD) passkey support is a step forward, but it’s still early.


© 2026 TrendWire – Cybersecurity Opinion. The views expressed are solely those of the author.
