Passkeys Go Mainstream: Killing Passwords
· Jerwin Arnado
Archive note: this is a backdated post, written years later while rebuilding this site. It’s dated to the moment it covers, but the hindsight is real.
On October 10, Google made passkeys the default sign-in option for personal accounts — billions of them. Apple and Microsoft shipped their support over the past year. After a decade of “the death of passwords” think-pieces, the funeral is actually being scheduled, and as someone who builds login forms for a living, this one’s worth understanding properly.
What a passkey actually is
Under the branding, a passkey is a WebAuthn/FIDO2 credential: a public-private key pair, generated per site, stored on your device (or synced through your platform’s keychain/password manager). Login is a signature ceremony:
- The site sends a random challenge.
- Your device signs it with the private key — after unlocking via fingerprint, face, or PIN, none of which ever leaves the device.
- The site verifies with the public key it stored at registration.
No shared secret. The server holds only a public key — a breach of the credential store yields nothing worth stealing. And the part that should make every security team sit up:
Passkeys are phishing-immune by construction. The credential is cryptographically bound to the origin. A pixel-perfect secure-gcash-login.example clone site can ask all it wants; the key for the real domain simply will not answer for an impostor. The entire genre of attack that drains e-wallets and inboxes across the Philippines — fake login pages over SMS — dies not by user education but by making the mistake unmakeable. After years of watching “don’t click suspicious links” seminars lose to one convincing text message, that’s the headline for me.
Why now, after a decade of FIDO
The missing piece was never crypto; it was recovery and sync. A key locked to one device is a support nightmare (“I lost my phone” = locked out forever), which is why hardware-key adoption stayed niche. The compromise that unblocked everything: passkeys sync through iCloud Keychain / Google Password Manager / 1Password and friends. Purists correctly note this trades some “the key never leaves the device” rigor for usability — your platform account becomes the crown jewels. The pragmatic read: society already keeps its life in those accounts; this at least removes ten thousand phishable passwords downstream.
For those of us building the forms
Notes from the implementer’s side of the counter:
- The ecosystem is ready when you are. WebAuthn libraries exist for every stack (PHP very much included — packages integrate cleanly with Laravel’s guard system). The browser API is stable; the hard parts are product decisions, not protocol ones.
- Ship it as an option first. The pattern that works: password login intact, “add a passkey” nudge after successful login, passkey-first prompt for returning users. Forcing it day one strands users on older devices and shared computers — a real concern for PH audiences, where the family computer and the secondhand phone are normal contexts.
- Recovery flows are now your weakest link. When the credential is unphishable, attackers move to the reset path. Email-based recovery quietly becomes the actual security boundary of your app; treat it with the paranoia previously reserved for the password table.
- The acronym soup (WebAuthn, FIDO2, CTAP, discoverable credentials) is worse than the work. It’s a fortnight of effort to offer your users login that cannot be phished. The cost-benefit hasn’t been this lopsided since HTTPS-by-default.
The long goodbye
Passwords won’t vanish — legacy systems guarantee them a long retirement. But October 2023 is the month the default flipped at internet scale, and defaults, as Zoom taught everyone, are where security actually lives. The most user-hostile artifact in computing — memorize a secret, but make it weird, but never reuse it, but change it often — is finally being deprecated.
123456 had a thirty-year run as the world’s most popular password. May it rest. It was never doing the job anyway.