
The Password is Dead! Long Live the Passkey

Let’s play a quick game. How many of your current passwords are just a variation of the same word with a different number at the end? Or worse, how many of you are currently protecting your entire digital life with Summer2023!?

Don’t worry, I’m not judging. I’m sympathising.

For decades, the password has been the gatekeeper of the internet. It is the digital equivalent of a rusty padlock: clunky, easily picked, and annoying to carry around. We hate inventing them (“Must include one uppercase, one symbol, and a hieroglyph”). We hate remembering them. And we really hate changing them, only to immediately forget the new one and enter the “Forgot Password” email loop of doom.

But finally, after years of promises, there is a smarter, safer, and infinitely less annoying way: Passkeys. If you’re not using them yet, you have probably still noticed more websites and apps offering them as a login option.

A Brief History of Security (Or: How We Got Into This Mess)

To appreciate where we are going, we have to look at the mess we are leaving behind.

1961: The Birth of the Password. The very first computer password was introduced at MIT on the CTSS (Compatible Time-Sharing System). It was a simple solution for a simple time, designed mostly so students wouldn’t mess with each other’s allotted computing hours. It wasn’t built for banking; it was built for politeness.

2003: The “Bill Burr” Era (and the Great Regret). This is where things went wrong. In 2003, Bill Burr, a manager at the National Institute of Standards and Technology (NIST), wrote the “bible” on password security. He was the one who told the world to force users to change their passwords every 90 days and use special characters.

  • The Result: We all just started changing Password1 to Password2.
  • The Twist: In 2017, Bill famously apologised. He admitted that his advice had actually made security worse because it trained humans to act like predictable algorithms. NIST officially updated their guidelines to say: Stop forcing rotation. But sadly, many corporate IT policies are still stuck in 2003.

The 2010s: The Band-Aid (2FA). We realised passwords were fundamentally broken, so we added a second lock: Two-Factor Authentication (2FA). This sent a code to your phone via SMS. Secure? Yes. Annoying? Also yes. Plus, hackers eventually figured out how to intercept those SMS messages (SIM swapping).

2022: The FIDO Alliance Steps In. Recognising that the password was a dying horse, the biggest rivals in tech — Apple, Google, and Microsoft — did something rare: they agreed on something. They threw their weight behind the FIDO (Fast Identity Online) Alliance standards, giving birth to the modern Passkey.

We have finally evolved from “something you know” (which can be guessed or stolen) to “something you have” (your device) and “something you are” (your biometric).


What Exactly is a Passkey?

If you want the nerdy definition: A passkey is a FIDO2 credential, based on the WebAuthn standard, that uses public-key cryptography.

If you want the human definition: Think of it like a digital key card.

When you use a password, you are telling the server a secret code. If the server gets hacked, the hackers have your code.

When you use a passkey, your device generates a unique pair of keys:

  1. The Public Key: This is given to the website (like Google or Amazon). It’s like a padlock. It’s useless without the key.
  2. The Private Key: This stays securely on your phone or laptop. It never leaves your device.

When you log in, the website sends a fresh random challenge that can only be answered (signed) by your Private Key. Your phone scans your face (FaceID) or fingerprint to authorise the answer, signs the challenge, and tells the website, “It’s me.”

The Result: You never typed anything. You never sent a secret across the internet. And if hackers breach the website’s database, all they steal are a bunch of useless padlocks (Public Keys) that they can’t open.


Why Passkeys Are a Game-Changer

If you are sceptical, I get it. We’ve been promised “the next big thing” in security before. But here is why passkeys are actually different:

  1. Phishing is Dead(ish). This is the big one. A hacker can easily build a fake website that looks exactly like google.com to trick you into typing your password. But they cannot trick your passkey. The passkey protocol binds each key to the real website’s domain (the relying party ID). If you are on a fake site, your browser can only ask for a key belonging to the fake domain, and your phone has none to offer. It knows the difference, even if you don't.
  2. No More Data Leaks. Since the “private” half of the key is stored on your device and never sent to the server, a database breach at a company reveals nothing useful to a hacker.
  3. Sanity Restoration. No memorisation. No password managers. No “Forgot Password” loops. Just a fingerprint or a glance at your screen.

How to Get Started With Passkeys

If you are in IT, you are probably thinking, “Great, users will love this, but how do I manage it without causing a helpdesk rebellion?”

Here is a “Cheat Sheet” for the major platforms to get you started.

1. Google Workspace

Google has made this surprisingly easy. It acts as a bridge, allowing users to use their phones as security keys.

  • The Setup: Admin Console → Security → Authentication → 2-Step Verification.
  • The Switch: Enable “Allow users to use security keys.”
  • Best Practice: You can enforce this for high-risk users (like your C-Suite or Admins), but leave it optional for the general staff while they get used to it.

2. AWS (Identity and Access Management)

AWS is for the pros, so naturally, there isn’t just a simple “On” switch. You manage this via IAM Policies.

  • The Strategy: You don’t “turn on passkeys”; you create policies that require them.
  • The How-To: Attach an IAM policy that requires MFA (using the condition key aws:MultiFactorAuthPresent) for specific sensitive actions (like deleting databases).
  • The User Flow: In the Security Credentials console, users select “Assign MFA device” and choose “Passkey or security key (FIDO).”
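A policy of the kind the bullets describe, added here as an example (it is not from the original post or from AWS documentation): it denies a few destructive actions whenever the session was not opened with MFA, and a passkey registered as the user’s MFA device satisfies the condition. The chosen actions and the wildcard resource are assumptions to adapt to your environment.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDestructiveActionsWithoutMFA",
      "Effect": "Deny",
      "Action": [
        "rds:DeleteDBInstance",
        "rds:DeleteDBCluster",
        "dynamodb:DeleteTable"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
      }
    }
  ]
}
```

Use BoolIfExists rather than Bool here: requests signed with long-term access keys carry no aws:MultiFactorAuthPresent key at all, and a plain Bool test would silently let them through.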


3. Azure (Microsoft Entra ID)

This is the big one for most corporate environments.

  • The Setup: Entra Admin Centre → Protection → Authentication Methods → Policies.
  • The Switch: Under Passkey (FIDO2), toggle Enable to Yes.
  • Critical Detail: Ensure “Allow self-service set up” is on. If you don’t, users can’t register their own devices, and you will spend your life on the phone.
  • Targeting: Microsoft allows you to roll this out to specific “Groups” first. Do this. Pick a pilot group of tech-savvy users before you unleash it on the Finance department.
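The same settings can be applied with a PATCH to the Microsoft Graph endpoint policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2, which is handy for scripting the pilot rollout. This request body is an added example, not from the original post; the group id is a placeholder for your pilot group’s object id.

```json
{
  "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
  "state": "enabled",
  "isSelfServiceRegistrationAllowed": true,
  "isAttestationEnforced": false,
  "includeTargets": [
    {
      "targetType": "group",
      "id": "<PILOT-GROUP-OBJECT-ID>",
      "isRegistrationRequired": false
    }
  ]
}
```

Widen includeTargets to further groups as the pilot proves out; leaving isSelfServiceRegistrationAllowed false is the setting that generates the helpdesk calls the bullet warns about.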

Best Practices for Organisations

Enforcement and Education

  • Mandate passkeys wherever possible.
  • Educate users: Provide training, FAQs, and clear instructions.

Device Management

  • Approve which devices can generate passkeys.
  • Keep OS and firmware up-to-date.
  • Define lost/stolen device procedures for revoking access.

Backups and Recovery

  • Encourage multiple passkeys per user.
  • Store backup codes securely.
  • Implement robust account recovery processes.

Integration Considerations

  • Integrate with SSO solutions (Google Workspace, Okta).
  • Plan for legacy system support with secure temporary passwords.

Monitoring and Auditing

  • Track adoption rates.
  • Log usage and identify suspicious activity.
  • Gather user feedback to improve the rollout experience.

For the Developers: Flutter Integration

If you are building mobile apps, you have a responsibility to stop forcing users to create passwords. Flutter makes this relatively painless.

You can implement passkey logic using LocalAuthentication + FIDO2 APIs on iOS and BiometricPrompt on Android.

  • iOS/macOS: Native support via ASAuthorizationController.
  • Android: Credential Manager API.
  • Packages: Check out community packages like flutter_passkeys to abstract some of the complexity.

Real Talk: The Limitations

I want to be transparent. Passkeys are the future, but we are in the “early adopter” phase. There are a few friction points:

  • The “Cross-Ecosystem” Gap: Syncing passkeys between an iPhone and a Windows laptop is getting easier (using QR codes to bridge the gap), but it’s not as seamless as using an all-Apple or all-Google setup.
  • Shared Accounts: You can’t just sticky-note a passkey for the shared “Office Marketing” account. Companies need to start using proper delegation features rather than credential sharing.
  • Legacy Tech: Some older apps simply don’t support FIDO2 yet. You will likely live in a hybrid world (Passkeys + Passwords) for a few more years.


The Bottom Line

Passkeys are safer, faster, and far less frustrating. The transition will take time (we have 60 years of bad password habits to break), but once you experience the “one-tap login,” you will never want to go back.

It’s time to take the sticky note off the monitor.


Take the first step today: Reach out to discuss Passkey adoption and modern authentication strategies and reclaim your sanity, one tap at a time.