The second obstacle is even more complicated. Even with all these pieces in place, many password-free schemes only work on newer devices, and require owning a smartphone along with at least one other device. In practice, this is a fairly narrow use case. Many people around the world share devices and can’t update them often, or use feature phones, if anything.
And while password-free implementations are increasingly standardized, account recovery options are not. When security questions or a PIN serve as a backup option, you are essentially still using passwords, only in another format. So passwordless schemes are moving toward systems where a device that you have previously authenticated can anoint a new one as trustworthy.
“Let’s say you leave your phone in a taxi, but you still have your laptop at home,” says Google’s Risher. “You get a new phone and use the laptop to bless the phone, and you can kind of build yourself. And then when someone finds your lost phone, it’s always protected by the lock of the local device. We don’t just want to transfer the password problem to account recovery.”
It’s certainly easier than keeping track of backup recovery codes on a piece of paper, but it again raises the issue of creating options for people who don’t have or can’t keep multiple personal devices.
As passwordless adoption proliferates, these practical questions about the transition remain. The password manager 1Password, which naturally has a commercial interest in the continued reign of passwords, says it’s happy to embrace password-free authentication wherever it makes sense. On Apple’s iOS and macOS, for example, you can unlock your 1Password vault with TouchID or FaceID instead of typing in your master password.
There are some nuanced distinctions, however, between the master password that locks a password manager and the passwords stored in it. The passwords in the vault are all used to authenticate to servers that also retain a copy of the password. The master password that locks your vault is your secret alone; 1Password itself never knows it.
This distinction makes password-free access, at least in its current form, a better fit for some scenarios than others, says 1Password product manager Akshay Bhargava. He also notes that some long-standing concerns about password alternatives remain. For example, biometrics are ideal for authentication in many ways, because they literally convey your unique physical presence. But using biometrics broadly raises the question of what happens if data on, say, your fingerprints or your face is stolen and can be manipulated by attackers to impersonate you. And while you can change your password on a whim (its best quality as an authenticator), your face, finger, voice, or heartbeat are immutable.
It will take time and more experimentation to create a password-free ecosystem that can replace all the features of passwords, especially one that doesn’t leave behind the billions of people who don’t have a smartphone or multiple devices. It’s harder to share accounts with trusted people in a password-free world, and linking everything to one device like your phone creates even more incentive for hackers to compromise that device.
Until passwords are gone, you should still follow the advice WIRED has given for years about using strong, unique passwords, a password manager (there are very good options), and two-factor authentication where you can. But as you see opportunities to go passwordless on some of your most sensitive accounts, like when you set up Windows 11, give it a shot. You could feel a weight lift that you didn’t even know was there.