The second obstacle is even more inconvenient. Even with all of these pieces in place, many passwordless schemes only work on newer devices and require owning a smartphone along with at least one other device. In practice, that is a fairly narrow use case. Many people around the world share devices, cannot upgrade them often, or use feature phones, if anything.
And while passwordless implementations are increasingly standardized, account recovery options are not. When security questions or PINs serve as the backup, you are essentially still using passwords, just in a different format. So passwordless schemes are moving toward systems in which a device you have previously verified can anoint a new one as trusted.
“Let’s say you leave your phone in a taxi, but you still have a laptop at home,” says Google’s Risher. “You get a new phone and use a laptop to bless the phone and you can build yourself up in some way. And then, when someone finds your lost phone, it is still protected by locking the local device. We don’t want to switch the password issue to account recovery only.”
It’s certainly easier than keeping track of recovery codes on a slip of paper, but it again raises the question of how to provide options for people who don’t or can’t maintain multiple personal devices.
As passwordless adoption spreads, these practical questions about the transition remain. 1Password, a password manager with an obvious interest in passwords continuing to reign, says it is happy to embrace passwordless authentication wherever it makes sense. On Apple’s iOS and macOS, for example, you can unlock your 1Password vault with TouchID or FaceID instead of typing a master password.
There is a nuanced difference, though, between the master password that locks a password manager and the passwords stored inside it. The many passwords in the vault are used to authenticate to servers that also store a copy of each one. The master password that locks your vault is yours alone; 1Password never knows it.
This difference makes passwordless login, at least in its current form, better for some scenarios than others, says 1Password product director Akshay Bhargava. He also notes that there are still some long-standing concerns about password alternatives. For example, biometrics are in many ways ideal for authentication because they literally convey your unique physical presence. But using biometrics raises the question of what happens if data about, say, your fingerprints or face is stolen and attackers can manipulate it to impersonate you. And while you can change a password at will, which is its best quality as an authenticator, your face, fingers, voice or heart rate cannot be changed.
It will take time and more experimentation to create a passwordless ecosystem that can replace all the functions of passwords, especially one that doesn’t leave behind the billions of people who don’t own a smartphone or multiple devices. It’s harder to share accounts with trusted people in a passwordless world, and tying everything to one device like your phone creates an even greater incentive for hackers to compromise that device.
Until passwords are completely gone, you should still follow the advice WIRED has been pushing for years: use strong, unique passwords, a password manager (there are a lot of good options), and two-factor authentication wherever you can. But as you see opportunities to go without a password for some accounts, for example when setting up Windows 11, give it a try. You may feel a weight lift that you didn’t even know was there.