Will Passkeys Finally Eliminate Passwords?

This post is also available in: עברית (Hebrew)

A new report states that despite the rise of new secure authentication methods, passwords are here to stay.

Despite having had shortcomings and presenting substantial security risks, most organizations will likely continue to use passwords in the foreseeable future, according to a report released by Keeper Security.

Some of the reasons listed for not getting rid of passwords include simplicity, cost, and flexibility. Often, newer methods lack support from many applications, especially legacy apps, databases, protocols, and resources. The report reads: “Other options have their own challenges. Two-factor and multi-factor authentication methods such as hardware tokens, biometrics, and “passwordless” authentication are more complex, may have suboptimal user experience, and can cost more.”

According to Cybernews, the most widely deployed authentication measure used by 58% of organizations is a username and password combination. Passwords beat the second most widely adopted form of authentication (mobile push-based two-factor authentication) by a substantial margin.

Google has reportedly announced that it was going “passwordless by default”, pushing passkeys that use fingerprints, face scans, pins, and other methods to unlock devices and accounts.

Nevertheless, for passkeys to become the norm more websites must adopt them, and currently, many site owners are not very motivated to risk degrading the user experience and introducing something that could drive consumers away.

Therefore, the report concluded, username-password combos will remain a crucial part of the authentication landscape for the foreseeable future, arguing: “It may take years for passwordless authentication to become dominant, so in the meantime, organizations should ensure that their users are practicing good password hygiene.”

Nevertheless, Cybernews notes that usernames and passwords may not be all that bad when implemented properly, with solid password management. They’re cheap, well-understood by users, and there’s no single authenticator to replace everything.