Passkeys won’t replace passwords because of key implementation flaws

HIGHLIGHTS

Implementation of passkeys by major tech companies has demonstrated that they are not being standardised for interoperability

This defeats the original purpose of passkeys, which was to simplify and streamline the authentication process

The current implementation of passkeys is not going to replace passwords anytime soon

I remember the first email account I had created back in 1997 or 1998. Hotmail was the hottest service, albeit with a rather quirky name, and everyone who had the privilege of accessing the Internet wanted to have a mail account for themselves. My brother had an account and I wanted one too, even though there was barely anyone I knew whom I could send emails to. When the time came to create the password, I was told to make it as hard as possible to guess. Being a smart cookie, I cooked up an alphanumeric pattern-based password which was easy to remember and was nine characters long. That password served me well for a decade, until I started refreshing passwords on a cyclic basis.

Computers were getting more powerful and breaking passwords was getting easier. And users had to think of unique passwords for each service and refresh them regularly. Even for the internet-savvy, that is a task unto itself. Last year, we saw a lot of news around passkeys and how tech companies around the world were scrambling to implement them.

Passkeys were intended to replace passwords and provide a single, standardised method of authentication across various browsers and operating systems. Users would no longer need to remember and manage multiple passwords or rely on weak, easily compromised SMS or app-based one-time passwords. Instead, they could use biometric sensors, PINs, or patterns for secure and convenient access to apps and websites.

The introduction of passkeys as an alternative to traditional passwords is a move that has gained significant attention, with proponents arguing that it is a safer and more convenient solution for user authentication. However, the recent implementation of passkeys by major tech companies has demonstrated that they are not being standardised across different operating systems, resulting in a disappointing vendor lock-in scenario and an unsatisfactory user experience. In fact, rather than solving problems, passkeys may be creating new ones.

Regrettably, the way passkeys are being rolled out does not align with that vision. Major tech companies have opted to implement passkeys in a manner that ensures seamless functionality within their own ecosystems. Using passkeys across different ecosystems requires QR codes or some other workaround. This approach creates a vendor lock-in system, where users are limited to using passkeys only on devices with the same operating system. For example, a Windows-based passkey will only work on other Windows devices, while an Apple-based passkey will only function seamlessly across other Apple devices. You can use the passkey across ecosystems, but it will be a pain.
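As an added example (not from the column), this is one way a website's relying-party code can respond to the lock-in described above: register passkeys without steering the user toward a particular vendor's authenticator, then read the WebAuthn transport hints (the "hybrid" transport is the QR-code cross-device flow) to decide whether to prompt for a backup passkey. Helper names are assumptions; `registerPasskey` only runs in a browser.

```javascript
// Constructed example: relying-party helpers for passkey registration.

const TRANSPORT_LABELS = {
  internal: "this device only (platform authenticator)",
  hybrid: "another device via QR code and proximity check",
  usb: "USB security key",
  nfc: "NFC security key",
  ble: "Bluetooth security key",
  "smart-card": "smart card",
};

// Build creation options for a discoverable credential (a passkey).
// authenticatorAttachment is deliberately left unset so the user may pick a
// platform authenticator or a roaming key and is not pushed into one ecosystem.
// `challenge` must come from the server; `user.id` is a BufferSource.
function buildPasskeyCreationOptions(rpId, user, challenge, existingCredentialIds = []) {
  return {
    challenge,
    rp: { id: rpId, name: rpId },
    user: { id: user.id, name: user.name, displayName: user.displayName },
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: { residentKey: "required", userVerification: "required" },
    excludeCredentials: existingCredentialIds.map((id) => ({ type: "public-key", id })),
    attestation: "none",
  };
}

// Classify a new credential from response.getTransports(). If the only known
// transport is "internal" (or the list is empty), the passkey is usable only
// through the registering platform, so recommend registering a backup.
function summarizeTransports(transports) {
  const known = transports.filter((t) => t in TRANSPORT_LABELS);
  const labels = known.map((t) => TRANSPORT_LABELS[t]);
  const reachableElsewhere = known.some((t) => t !== "internal");
  return { labels, reachableElsewhere, recommendBackup: !reachableElsewhere };
}

// Browser-side usage (hypothetical wrapper around the WebAuthn API).
async function registerPasskey(rpId, user, challenge, existingCredentialIds) {
  const publicKey = buildPasskeyCreationOptions(rpId, user, challenge, existingCredentialIds);
  const cred = await navigator.credentials.create({ publicKey });
  return summarizeTransports(cred.response.getTransports());
}
```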

Such a twisted implementation is problematic for several reasons. Firstly, it runs contrary to the idea of standardisation, as users still have to rely on different authentication methods depending on the device they are using. This defeats the original purpose of passkeys, which was to simplify and streamline the authentication process across all devices and platforms.

Secondly, vendor lock-in can lead to a negative user experience, as it restricts users' freedom of choice when it comes to their devices and software. For instance, a user with a Windows-based passkey may find it difficult to switch to an Apple device, as their passkey will not work seamlessly across the two operating systems. This limitation discourages users from exploring different platforms and products, ultimately hindering competition and innovation in the tech industry.

Furthermore, the current implementation of passkeys is not going to replace passwords anytime soon. The widespread adoption of passkeys will take years, if not decades, to become a reality. Until then, users will still have to rely on traditional passwords, negating the supposed benefits of passkeys. This slow transition could potentially create confusion and increase security risks, as users juggle between passwords and passkeys.

It is worth noting that the concept of passkeys is not inherently flawed. If implemented correctly, it could provide a more secure and convenient authentication solution than passwords. However, the current approach taken by major tech companies is detrimental to both the user experience and the broader technology ecosystem.

To truly reap the benefits of passkeys, it is crucial for tech companies to work together and establish a standardised implementation that is compatible across different operating systems and devices. This would allow users to enjoy a seamless and secure authentication experience, regardless of their choice of device or platform. By prioritising collaboration and interoperability over competition, the tech industry can create a more inclusive and innovative digital landscape.

This column was originally published in Digit magazine's May 2023 edition

Mithun Mohandas


Mithun Mohandas is an Indian technology journalist with 10 years of experience covering consumer technology. He is currently employed at Digit in the capacity of a Managing Editor. Mithun has a background in Computer Engineering and was an active member of the IEEE during his college days. He has a penchant for digging deep into unravelling what makes a device tick. If there's a transistor in it, Mithun's probably going to rip it apart till he finds it. At Digit, he covers processors, graphics cards, storage media, displays and networking devices aside from anything developer related. As an avid PC gamer, he prefers RTS and FPS titles, and can be quite competitive in a race to the finish line. He only gets consoles for the exclusives. He can be seen playing Valorant, World of Tanks, HITMAN and the occasional Age of Empires or being the voice behind hundreds of Digit videos.
