The second hurdle is even trickier. Even with all of those pieces in place, many passwordless schemes only work on newer devices, and necessitate the ownership of smartphone along with at least one other device. In practice, that’s a fairly narrow use case. Many people around the world share devices and can’t upgrade them frequently, or use feature phones if anything.
And while passwordless implementations are increasingly standardized, account recovery options are not. When security questions or a PIN serve as backup options, you’re essentially still using passwords, just in a different format. So passwordless schemes are moving toward systems where one device you’ve previously authenticated can anoint a new one as trustworthy.
“Let’s say you leave your phone in a taxi, but you still have your laptop at home,” Google’s Risher says. “You get a new phone and use the laptop to bless the phone and can kind of build yourself back up. And then when somebody finds your lost phone, it’s still protected by the local device lock. We don’t want to just shift the password problem onto account recovery.”
It’s certainly easier than keeping track of backup recovery codes on a slip of paper, but again raises the issue of creating options for people who don’t or can’t maintain multiple personal devices.
As passwordless adoption proliferates, these practical questions about the transition remain. The password manager 1Password, which naturally has a business interest in the continued reign of passwords, says it is happy to embrace passwordless authentication everywhere that it makes sense. On Apple’s iOS and macOS, for example, you can unlock your 1Password vault with TouchID or FaceID instead of typing in your master password.
There are some nuanced distinctions, though, between the master password that locks a password manager and the passwords stored inside of it. The trove of passwords in the vault are all used to authenticate to servers that also store a copy of the password. The master password that locks your vault is your secret alone; 1Password itself never knows it.
This distinction makes passwordless login, at least in its current form, a better fit for some scenarios than others, says 1Password chief product manager Akshay Bhargava. He notes, too, that some longstanding concerns about password alternatives remain. For example, biometrics are ideal for authentication in many ways, because they literally convey your unique physical presence. But using biometrics widely opens up the question of what happens if data about, say, your fingerprints or face is stolen and can be manipulated by attackers to impersonate you. And while you can change your password on a whim—their single best quality as authenticators—your face, finger, voice, or heartbeat are immutable.
It will take time and more experimentation to create a passwordless ecosystem that can replace all the functionality of passwords, especially one that doesn’t leave behind the billions of people who don’t own a smartphone or multiple devices. It’s harder to share accounts with trusted people in a passwordless world, and tying everything to one device like your phone creates even more incentive for hackers to compromise that device.
Until passwords are totally gone, you should still follow the advice WIRED has pushed for years about using strong, unique passwords, a password manager (there are lots of good options), and two-factor authentication wherever you can. But as you see opportunities to go passwordless on some of your most sensitive accounts, like when setting up Windows 11, give it a shot. You may feel a weight lifting that you didn’t even know was there.
More Great WIRED Stories
