I woke up one day and decided to go all in on passkeys.¹
I knew it wasn't possible. I had to try. I wanted to see how far I could get. My dreams were swiftly crushed.
It's not possible to go all in on passkeys. Not in 2023, anyway. The reason surprised me.
I got blinded by my own optimism from announcement after awesome announcement about passkeys in the past two years. The hype is real — we've made a ton of progress after a decade or more of hard work by the FIDO Alliance and others. We're still an eternity away from the finish line, though. Why?
The problem isn't technical — most customer identity platforms already support passkeys. It's not platform support — Apple, Google, Microsoft, their browsers, and the major password managers are all on board. It's not consumer demand, either.
The challenge is surprisingly acute: we're all stuck with passwords until a lot more companies make passkeys available for their users.
My experiment with pushing the limits of passkey adoption made it clear to me why availability is the limiting factor. Here's the story.
My terrible, horrible, no good, very bad day of implementing passkeys
I wanted to experience everything good and bad about passkeys — just like a regular person would if they tried adopting them today. Bright-eyed, ambitious, and slightly naïve Cole started with a pragmatic plan: inventory my accounts, classify them by risk level, and implement passkeys for high risk apps.
This seemed achievable. I've put in my 10,000 hours planning, designing, and executing identity implementation projects. I decided to do the same thing for myself as I would for Fortune 500 clients.
Inventorying my accounts was easy because I emphatically use a password manager. A quick export of my accounts to a spreadsheet was a perfect starting point.²
Once I had my list of accounts, I did what any former Big 4 security consultant would do — gave them a simple risk classification:
- High: The app directly holds financial information or PII.
- Medium: The app doesn't hold money or PII, but can cause significant financial, intellectual property, or reputational damage if compromised.
- Low: The app has limited impact if compromised.
My former bosses would have been so proud. Fancy Consulting Analysis™ in hand, I set off on my journey to implement passkeys.
"Great, let's enable passkeys for the high risk apps!"
[...starts working through the list...]
"Oh, $&^%."
Thinking like an enterprise cybersecurity practitioner was a mistake. I assumed high-risk apps would be more likely to support passkeys. Wrong!
The correlation between risk and passkey support is low.³ The apps I could use passkeys for were scattered across my high, medium, and low risk categories. I couldn't find any rhyme or reason for why this was the case. Adoption is random.
Success! Sort of...
After a quick regroup, I decided to work backwards from 1Password's Passkeys.directory index. This approach is easier because any app I use that's listed in the directory should have full or partial support for passkeys.
This plan worked...sort of. I found apps I use in the directory and started enabling passkeys for them. Success!
Until...I ran out of apps. Quickly.
I use 374 apps (I know, it's a lot). Seventeen support passkeys. Seventeen. This means 95% of the apps I use today don't support passkeys yet.
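The inventory, risk classification and directory cross-check described above, written out as an added Python example that is not from the original post. The export rows and the directory set are constructed stand-ins, not real 1Password or Passkeys.directory data, and the column names are assumptions:

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample of a password-manager export (not a real 1Password export).
# Columns: app name, whether the app holds money/PII, and whether a compromise
# would cause significant financial, IP, or reputational damage.
INVENTORY_CSV = """app,holds_money_or_pii,high_damage_if_compromised
bank,yes,yes
brokerage,yes,yes
tax-service,yes,no
code-host,no,yes
domain-registrar,no,yes
work-chat,no,yes
recipe-site,no,no
weather-app,no,no
forum,no,no
newsletter,no,no
"""

# Constructed stand-in for the Passkeys.directory index; real entries differ.
PASSKEY_DIRECTORY = {"brokerage", "code-host", "recipe-site", "forum"}


def classify(row):
    """Apply the post's three-tier risk rule to one exported account."""
    if row["holds_money_or_pii"] == "yes":
        return "high"
    if row["high_damage_if_compromised"] == "yes":
        return "medium"
    return "low"


def load_inventory(csv_text):
    """Parse the export and tag every account with its risk tier."""
    return [dict(r, risk=classify(r)) for r in csv.DictReader(StringIO(csv_text))]


def passkey_coverage(accounts, directory):
    """Return {tier: (apps in tier, apps with passkey support)} plus an 'all' total."""
    totals, supported = Counter(), Counter()
    for acct in accounts:
        for key in (acct["risk"], "all"):
            totals[key] += 1
            supported[key] += acct["app"] in directory
    return {k: (totals[k], supported[k]) for k in totals}


def percent_without_passkeys(coverage):
    """Share of all apps that offer no passkey option, rounded to one decimal."""
    total, supported = coverage["all"]
    return round(100 * (total - supported) / total, 1)


if __name__ == "__main__":
    cov = passkey_coverage(load_inventory(INVENTORY_CSV), PASSKEY_DIRECTORY)
    for tier in ("high", "medium", "low", "all"):
        n, s = cov[tier]
        print(f"{tier:6s}: {s}/{n} support passkeys")
    print(f"{percent_without_passkeys(cov)}% of apps have no passkey option")
```

With the constructed data, support is spread across all three tiers, which is the "adoption is random" pattern the post describes.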
Here's where disappointment sets in. We talk a lot about whether consumers will adopt passkeys. That wasn't the problem here. I wanted to adopt passkeys. I would have adopted them across 100% of my apps if I could.
As a consumer, the situation is completely out of my control. There's no end in sight. That's a helpless feeling.
Where's the path forward?
If my experiment with passkeys was a marathon, I ran a mile and had to stop because the course for the remaining 25.2 miles wasn't even built yet. I didn't choose to stop because I lacked the skills or desire to finish. I had to stop because there was literally no way for me to continue.
I'm still having a hard time understanding why companies aren't racing to adopt a solution that solves so many of our problems in security. It's like we found a cure for cancer and they said, "no thanks, I'll take my chances with cancer." Security is a smaller scale than cancer, of course, but the potential impact of passkeys is profound.
For an industry that loves to argue and debate, there is very little disagreement about the need to get rid of passwords and the solution for getting rid of them. Passwords are bad. Passkeys are the solution. Why aren't we giving everyone a chance to use them?!
You know when they say "the future is here, it's just not evenly distributed"? That's exactly where we are with passkeys. We're still a long, long way from getting rid of passwords.
The path forward is slow and tedious. More companies have to make passkeys available for their customers. There's no other solution. There is a glimmer of hope, though.
A glimmer of hope: Shopify and 1Password
If you squint your eyes and take a few small, tangible steps like I did, you can see the future of security. I promise you, it's marvelous.
When an app implements passkeys as a first-class citizen, the experience is amazing. In the epic words of Steve Jobs, "it just works."
Look no further than Shopify's Shop Pay app (the consumer version, not the e-commerce store). Seriously, try it. Go to your account page, add a passkey, and you're done.
This experience is exactly what I mean by "passkeys as a first-class citizen." You literally don't have a password. No clunky amalgamation of passwords and passkeys (...which one do I use?!) or passkeys as a second factor. The steps to enable passkeys are so clear you don't even need instructions. It. Just. Works.
Using 1Password to manage your passkeys makes the experience even more exquisite. You don't want to lose your passkeys. You don't want to create a new one for every device. And you don't want to get locked into a platform like Apple, Google, or Microsoft with no way out. Storing and syncing your passkeys in 1Password is a cheat code.
I wish Shopify and 1Password were more than a glimmer. The reality is we're still at ground zero. Let these two examples serve as a beacon of what's possible for security if other companies can get on board with passkeys. Until then, we're all stuck with passwords.
Footnotes
¹I'm using the term passkeys here instead of the FIDO2 standard name. Apple always picks the best names for stuff.
²If you don't use a password manager (or kinda-sorta use one), there's no need to worry. You can probably think of your riskiest accounts. Start there. Don't worry about the long tail of low-risk accounts.
³I didn't actually run the statistical correlation. Intuition is good enough to make the point.