Can Passkeys Actually Replace Passwords?
I switched to passkeys wherever possible. The experience is mixed.
Apparently I Have 87 Passwords
Checked my password manager. 87 saved accounts. Of those, 23 use the same password. (I know how terrible that is for security.) Make them all unique and I can't remember them. Keep them the same and one breach compromises everything.
Enter passkeys. Log in using biometrics or device authentication instead of passwords. Google, Apple, and Microsoft are all pushing it hard. Adoption has surged since 2024.
Passkeys in a Nutshell
Technically, a passkey is a FIDO2/WebAuthn credential built on public-key cryptography. At registration your device generates a key pair; the server stores only the public key, and the private key never leaves your device. Logging in means signing a fresh server challenge with that private key, so the server never receives a secret it could leak.
User experience is simple. Click login, scan fingerprint or Face ID or enter device PIN. Done. No password to type.
Phishing-resistant too. There is no password to type into a fake site, and each passkey is bound to the domain it was registered for (the relying-party ID), so it simply won't activate on a lookalike domain.
I've Been Using Them
Three months ago, I switched to passkeys on every site that supports them. Current passkey-enabled accounts: Google, GitHub, 1Password, Vercel. 11 sites total.
The good: Fast. Password entry + 2FA code entry replaced by one fingerprint scan. Google login takes 3 seconds. Previously it was password copy + open authenticator app + enter code, about 15-20 seconds.
The weird: "Did that actually log me in?" anxiety. It's so easy it feels wrong. Security got stronger, but the feeling is that it got weaker. Paradoxical.
But There Are Problems
Device dependency. If the passkey is stored on my MacBook, I can't use it from the office Windows PC. Sure, iCloud Keychain or 1Password can sync passkeys, but configuring that sync is complex. I didn't know this initially and couldn't log into GitHub from my work PC for 30 minutes.
Limited site support. Of my 87 sites, 11 support passkeys. That's 12.6%. The other 76 are still passwords. Korean sites are worse -- Naver and Kakao maybe? Banks are a distant dream.
Shared accounts. My team has shared service accounts. Passwords can be shared via password manager. Passkeys are device-bound, so sharing doesn't work. This needs solving.
The Developer Perspective
We evaluated adding passkeys to our project. Implementing WebAuthn directly is fairly involved. Challenge generation, response verification, public key storage, cross-platform compatibility. Direct implementation would take 2-3 weeks.
Libraries like Clerk, Auth.js (NextAuth), and Hanko make it easier. Adding passkey support through Auth.js is "a few lines of config." Of course, "a few lines of config" actually took two days. (Undocumented edge cases always exist.)
Ultimately, we haven't shipped it. The reason: almost none of our users know what a passkey is. "Log in with your passkey" would generate a flood of "what's that?" support tickets.
When Do Passwords Die?
Honestly, I don't know. 5 years? 10? Personally, I think passwords won't fully disappear. Legacy systems, shared accounts, devices that don't support passkeys -- these will persist.
But passkeys becoming the "default option" could happen fast. Google already prompts passkey setup first when creating new accounts. Within 2-3 years, most major services will probably offer passkeys as the primary method.
I'm using passkeys everywhere they're available. Definitely more convenient than managing 87 passwords. But until the other 76 sites catch up, I can't ditch the password manager.