Updated: May 3, 2025
Every few weeks, I come across an article telling us how passwords are bad and how we need to go "passwordless". These pieces are written mostly by well-intentioned nerds who think technology can solve basic problems in human behavior. But when the likes of Microsoft, Google and Facebook start spamming you to "increase your security with passkeys", you instantly know this isn't what you want. And so, tragically, the nerds end up helping data-hungry companies get an ever greater hold on our personal lives.
Moreover, there's a bigger, fundamental issue. It's not that passwords can be hacked - after all, company databases get breached all the time, and that is vector no.1 for data loss, not brute-force hax0ring of individual accounts. It's that the whole concept of preventing phishing with public-private key pairs is misplaced. It misses the point. The issue is quite simple: clickable links, plus greed. Let's elaborate.
Note: Image taken from Wikimedia, licensed under CC BY 2.0.
First, why passkeys are nonsense
I already wrote about this in the past, but let's talk about this some more:
- The word passwordless is nonsense. In most passkey implementations, you need a PIN to unlock your private key in order to authenticate. PIN = password, except it's numbers only (and, to be fair, it only ever unlocks the key locally; it is never sent to the site). Nonsense. Passkeys simply move the secret somewhere else, most often into a PROPRIETARY key management tool. FIDO2/WebAuthn is an open standard, and a passkey can live on a hardware key or in a third-party manager, but that is not where the big vendors steer you. Microsoft, for example, wants you to use THEIR authenticator app, not just any app that adheres to the standard. Nope. This effectively means super-vendor-lock-in. Absolute nonsense.
- In the flows the big vendors push, passkeys live on your phone - a single point of failure, and one that gives the big companies extra control over you. Phone, number, SIM, and so forth. A beautiful bevy of data. The whole idea of having to use your phone as an identity vector is horrible.
- You need "biometrics" to supposedly prove you're you to unlock your private key (a PIN works too, but biometrics is what the prompts push). Biometrics are a form of password, except you can't replace it. The fingerprint template is meant to stay inside the device's secure hardware rather than go to the company's servers, but you're still trusting the vendor's firmware with a secret you can never rotate. More nonsense.
- The implementation of passkeys is fragmented, vendor-specific, and complicated. Only diehards who love technology can use this. The same kind of people who were "all in" when IoT/cloud crap came out, and now they see their smart homes slowly go offline as big vendors almost arbitrarily cut support for old gadgets and effectively kill products. Because cloud.
- Passkeys solve essentially one use case: phishing, where the user types their password and MFA code into a fake site. That is what origin binding is for - the key is tied to the real site's domain, so the browser won't even offer the credential to a look-alike domain. Everything else - an unlocked stolen device, the vendor's account recovery flow, your personal data sitting in a breached database - is untouched.
And this brings me to the topic of clickable links.
The impulse control
Most of the modern Internet is founded on one simple principle: people have problems with impulse control. It's basic psychology. Most humans receive terrible, inadequate parenting and end up as malformed adults who do not know how to delay or defer their gratification. Big companies use this emotional deficiency to make money.
This is how it works:
- Create an enticing online product. This triggers happy chemicals in a person's brain, especially those who have grown up without proper emotion regulation.
- The happy chemicals, like dopamine, only last a few moments. You need to make the sale in this short window, or the buyer may change their mind.
- To wit, the online shopping needs to be as quick and clickable as possible to facilitate this.
And this is why we have things like HTML-formatted emails, links in emails, "streamlined" shopping experiences, and similar dross. This is why the companies started obfuscating details, so the user is only focused on the shopping part. No more https in the address bar, shortened links (because typing on mobile is hard), reaction emojis. JavaScript? Why does everything need JavaScript? Why?
All greed-induced crap designed to keep people "engaged".
And this "engaged" is EXACTLY why people click on links in their emails!
For fifteen years, people were told, indoctrinated even, about how happy and cool the Internet experience is. You don't need to go into a store, you can do it right there, on your computer, instantly! Don't think, click! The companies made big bucks by making the online shopping experience happen right there, in people's inboxes. Now that the whole thing has become untenable, all of a sudden, we need to listen to those same companies about the SUPPOSED solution to our woes. No, Kemosabe.
And now, with this AI diarrhea all over the place, I'm supposed to blithely give my biometrics to the big guys, and along the way make the phone the single point of failure in my authentication chain, a device that can easily be stolen, broken, lost, or drained of battery, and over which I have almost no control?
Nope.
Worst of all, tragically, nerds who should know better champion this nonsense!
The real solution? There isn't one.
Humans will always fall prey to scams. It doesn't matter if these are analog or digital. It doesn't matter if you're completely clueless or extra savvy. It happens, and will happen - a game of probabilities. Under the right circumstances, everyone will make a mistake.
In some ways, the premise of passkeys is exactly this - the assumption that there will be a mistake, and then how to mitigate it. But I will repeat what I wrote about two years ago:
- A person will become the target of a relatively sophisticated hack once or never in their lifetime. A person can expect their personal data to be lost or leaked by incompetent companies ALL THE TIME. Every single human's data is out there, in some shitty leaked database, because most businesses treat IT as a costly inconvenience. Passkeys don't help here. Yes, a breached site only holds your public key, which nobody can log in with, but the name, address and purchase history sitting in the same table leak all the same.
- Even if passkeys can stop you from providing your password and MFA on a genuine-looking fake site, the implications of their use outweigh the benefits. Say I decide to use passkeys. Okay. The passkeys will be stored somewhere, like my phone. If my phone gets hacked, what then? A device-bound key lives in the secure hardware and can't simply be copied out, but malware on an unlocked phone can still use it, and a "synced" passkey is only as safe as the cloud account it syncs through. For my purposes this is way less secure than an offline password manager (like KeePass), which never goes online, never gets synced to your "online" accounts, and isn't stored on a fickle device like your phone. An offline database is only as safe as the machine you open it on, sure, but that machine is one I control.
- A PIN-protected passkey vault is not fundamentally better than a password-protected password manager. It's also less flexible - you can store your offline password manager anywhere, on any computer. Multiple copies, multiple implementations. You can't do that with the single phone you have. (One honest difference: the phone's PIN is rate-limited by hardware, whereas a stolen .kdbx file can be brute-forced offline at leisure, so the manager's master passphrase needs to be long and its key derivation slow.) Phones also cost a lot of money, and of course you will always need to keep them up to date, which implies frequent purchase cycles, too. The cynic in me cannot disregard the profitability side of this whole story.
- And what if you don't trust your phone to keep all your secrets there? I know I don't. I would never keep my passwords on any smartphone ever. And then to effectively give my phone full access to various online accounts sounds like madness. But that's what passwordless implies.
From Microsoft's page on passkeys - not picking on them specifically, they simply have a reasonably legible page on this topic. And by reasonably, I mean not as bad as most other pages. Now, notice the wording - Ways to prove who you are. What. So we're mixing identification and authentication again, are we?
If you need more anti-convincing, look back at that Microsoft article linked above, again as an example. To use passkeys, you will need stuff like Windows 10 or newer, Chrome 109 or newer, Microsoft Authenticator, hardware keys that support the FIDO2 protocol, etc. Edge is there, too, of course. Firefox? Not on that list. Linux? Not on that list. A big list of big proprietary solutions? You bet. Sure, I'm going to drop Firefox on my Android, the ONE browser there that supports uBlock Origin (uBO) and Manifest V2 so I can block crappy ads, and start using Chrome or the like. Sure, sure. Right away, sirs!
From Microsoft's site ...
Meanwhile, the fully offline, crusty old KeePass and its official builds will happily run on anything, anywhere, with potato-level requirements. I can set up KeePass Portable on a USB key, run it in Linux via WINE, place it inside an encrypted VeraCrypt container, copy it to any file sharing service I want. It also allows attachments, if needed; you can export lists, even print them. The list of builds for other operating systems is immense:
Sure, Microsoft's implementation is bad, you could say. Well, Google's page says Firefox, yay, but then you also need Bluetooth (that is how the phone-to-computer handoff checks the two devices are actually next to each other), and on iOS you must turn on iCloud Keychain. And what if you don't want to use cloud stuff at all?
Also, notice this, Google's explanation why passkeys are "safer"?
There's this: passkeys can only exist on your devices ... Exactly! A device that is hacked, boom. Passwords can be written down, indeed, and there's no digital protocol in the world that can hack a piece of paper. And let's face it, if someone can show up at your door and demand your passwords, you have a much bigger problem anyway.
Then, there's that sentence: it proves to Google that you have access ... No, it does not. It proves that whoever controls the phone has chosen to access the account and is able to unlock it. But hey, we can't be so cynical, can we? We must be happy and optimistic and embrace the future!
And you, dear nerd, you want to embrace the new "modern" solution that effectively means you're forever wedlocked to Microsoft or Google?
Great stuff! Anyway ...
Clickable links. Phishing. Email. Yup, it all goes back to the simple fact the big companies made the email so interactive. Profit-interactive, to be more accurate.
Email is not supposed to be slow chat
When it was conceived, digital mail was simply faster letters, faster information exchange. There wasn't even the "real" Web as we know it back then. You were not supposed to be clicking on links, which would then take you into a webpage in your browser. For that matter, the webmail idea wasn't a thing back then, either.
But then, over time, email became more and more bloated, more opaque. Today, to see whether an email really came from the domain it claims, you need to check SPF, DKIM, DMARC, all sorts of nerdy things that common people can't verify (and a scammer's own domain passes all three just fine). And that's the thing.
You don't need to know if the email is genuine or not. You simply need the information.
Say your whatever provider sends you an email telling you about something. In an ideal world:
- You read the email. The email is simple text, no HTML, no links.
- You then decide to act upon that email.
- You open your browser.
- You manually navigate to the correct address - type it in, or use your own bookmark - never the link in the email.
- You login - whatever authentication method.
- You check the information that needs your action.
- If the email is genuine, the information will be there.
- If the email is fake, it won't be. Simple.
Here's a wee example: an email from Netflix, or most likely so. The reason you don't see any images is that this particular mail client is correctly configured not to load remote content. But this already shows you why modern email is bad. Why would you ever allow remote content to be fetched and shown on your local device? Even so, the big red button "View all series & films" is clickable. And that's the major part of the problem. Anyone can design a fake Netflix-like email, send it to random email addresses, and hope someone clicks.
The ideal solution is to sever the link between email and browser, or email and whatever target page you need. The same goes for messenger tools, chat tools, etc. And this way, even if you receive the most sophisticated phishing email in the universe, if there's no way for that email to "take you" to a bad destination, the phishing does not work.
This is already partially implemented. For example, some webmail providers disable links for emails that land in your spam folder. You see, it can be done! The only question is how effectively the providers can detect potential scams.
But there's no reason to waste CPU cycles. Simply disallow links for ALL.
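What the "read the text, never click" flow above (and the SPF/DKIM/DMARC aside earlier) looks like as a tool, as an added example that is not code from the original post: a mail viewer that summarises the Authentication-Results header, flattens the HTML body to plain text with every link replaced by its visible label and a numbered footnote, blocks remote images, and lists where each link really points so you can type the address yourself. The sample message, the hosts in it and the `netf1ix` look-alike domain are constructed for the example.

```python
"""Link-neutering mail viewer: added example, not code from the original post."""
import email
import email.utils
import re
from dataclasses import dataclass
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a real message: a streaming-service mailshot with a
# tracking pixel and a button whose real target is a look-alike host.
SAMPLE_RAW = """\
From: Netflix <info@netflix.example>
To: you@example.net
Subject: New arrivals this week
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=netflix.example;
 dkim=pass header.d=netflix.example;
 dmarc=pass header.from=netflix.example
Content-Type: text/html; charset=utf-8

<html><body>
<img src="https://track.netflix.example/open.gif?u=123">
<p>Hi there, new series and films landed this week.</p>
<p><a href="https://login.netf1ix-account.example/verify">View all series &amp; films</a></p>
<p>Or visit <a href="https://netflix.example/browse">https://netflix.example/browse</a></p>
</body></html>
"""


@dataclass
class LinkInfo:
    number: int
    label: str       # what the reader saw
    host: str        # where the link really points
    foreign: bool    # host is outside the sender's domain
    deceptive: bool  # label shows a URL for a different host than href


@dataclass
class SafeView:
    auth: dict            # spf/dkim/dmarc verdicts from Authentication-Results
    text: str             # body as plain text, links reduced to "label [link N]"
    links: list           # LinkInfo per anchor, in document order
    remote_images: list   # image URLs that would have phoned home


class LinkNeuteringParser(HTMLParser):
    """Flatten HTML to text; an anchor becomes 'label [link N]', never a URL."""

    def __init__(self):
        super().__init__()
        self.parts, self.anchors, self.remote_images = [], [], []
        self._href, self._label, self._skip = None, [], 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1                       # drop script/style text entirely
        elif tag == "a":
            self._href, self._label = a.get("href", ""), []
        elif tag == "img" and a.get("src"):
            self.remote_images.append(a["src"])   # record, never fetch
        elif tag in ("p", "br", "div", "li", "tr"):
            self.parts.append("\n")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif tag == "a" and self._href is not None:
            label = " ".join("".join(self._label).split())
            self.anchors.append((label, self._href))
            self.parts.append(f"{label} [link {len(self.anchors)}]")
            self._href = None

    def handle_data(self, data):
        if not self._skip:
            (self._label if self._href is not None else self.parts).append(data)


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def link_is_deceptive(label: str, href: str) -> bool:
    """The visible text is itself a URL but names a different host than href."""
    if not re.match(r"(https?://|www\.)", label, re.I):
        return False
    shown = label if "://" in label else "http://" + label
    return host_of(shown) != host_of(href)


def in_domain(host: str, domain: str) -> bool:
    return bool(domain) and (host == domain or host.endswith("." + domain))


def parse_auth_results(header: str) -> dict:
    """Pull the spf=/dkim=/dmarc= verdicts out of an Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", header, re.I)}


def safe_view(raw: str) -> SafeView:
    msg = email.message_from_string(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    p = LinkNeuteringParser()
    if body is not None and body.get_content_type() == "text/html":
        p.feed(content)
        text = "\n".join(ln.strip() for ln in "".join(p.parts).splitlines() if ln.strip())
    else:
        text = content
    links = [LinkInfo(i, label, host_of(href), not in_domain(host_of(href), sender),
                      link_is_deceptive(label, href))
             for i, (label, href) in enumerate(p.anchors, 1)]
    return SafeView(parse_auth_results(str(msg.get("Authentication-Results", ""))),
                    text, links, p.remote_images)


if __name__ == "__main__":
    view = safe_view(SAMPLE_RAW)
    print("auth:", view.auth)
    print(view.text, "\n")
    for l in view.links:
        flag = " DECEPTIVE" if l.deceptive else (" FOREIGN HOST" if l.foreign else "")
        print(f"[link {l.number}] {l.label!r} -> {l.host}{flag}")
    print("remote images blocked:", len(view.remote_images))
```

Run on the sample, the viewer reports spf/dkim/dmarc all "pass" (which only says the mail came from `netflix.example`, exactly as a scammer's own domain would pass), prints a body with no clickable targets in it, flags link 1 because `login.netf1ix-account.example` is not under the sender's domain, and shows the one tracking image it refused to fetch. The `in_domain` check is a plain suffix match with no public-suffix list, so it is a hint for the reader, not an allow-list; the actual safety comes from the reader typing the address themselves.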
However, doing this "breaks" the "modern" experience. Hence HTML, hence previews, hence all sorts of modern nonsense SPECIFICALLY DESIGNED to drive engagement, specifically designed to drive profits, to make people succumb to their dopamine.
It is simply more profitable to have a few people fall prey to scams now and then than to potentially ruin an entire stream of revenue by not allowing people to quickly succumb to their impulses.
Only now, there are more and more scams going around. The "AI" facilitates this big time. So we're at the tipping point. If people become hesitant, wary or end up distrusting online services, they might not end up buying useless stuff. Profits go down! Calamity!
The solution is: deflection. Find the scapegoat. Yes, passwords!
And then, creme de la turd, give big companies even more control! Sure, set up a proprietary app on your proprietary phone on which you have limited, rootless control, and let it govern everything for you in a manner so opaque even the techies struggle to fully understand it.
And this is why, friends, you need to say no to passkeys. Because they empower the rotten foundation of the hyperactive modern Internet and give yet more control to the very companies that allowed the current state of affairs to happen.
Conclusion
In some ways, I am scared by passkeys. I'll tell you why. Because they show me how easy it is to win "the hearts and the minds" of the techbros, yet again and again, as if we don't have enough examples already that pretty much anything "Web and modern" isn't good for us. It's like Google changing their motto. I remember, back in the day, having conversations with people who would tell me "Google are good guys because their motto". And when the motto changed, they suddenly became depressed. This idealism among nerds and geeks is what allows big companies to push profit-focused solutions in the guise of humanity's greatest benevolence.
This is like watching a slow train wreck in UHD. I mean, think about it. If someone says "you need your phone to be able to do that", isn't that already enough of a red flag? I mean seriously. Forget about the fine technical details. Cool, you're excited, you love technology, so do I. But if it has the word "phone" in the chain, simply say no. That's all there is to it really. The modern Web is pure cancer. Why would you allow even more of it into your lives? Because of the "scary" hax0rs trying to hax0r you?
Are you willing to trade every shred of your privacy and flexibility against the remote chance that you might one day input your password and MFA token into a fake site? How likely is that? And what about the lifelong digital slavery you are going to willingly subject yourself to, ALL THE TIME, in order to "protect" yourself from the "bad" guys? And this is THE scary part. That people are going to voluntarily give up their freedom, just not to be "afraid". Well, be afraid. You should be! The fear will keep you alert. Every time you log in somewhere, think: "Am I being hax0red right now?" Great. Fantastic. Stop. Think. Don't succumb to the impulse. That attitude will keep you safer than any technological solution. Fear is the price of freedom. Always has been. And we're done here fellas.
P.S. The index page thumbnail image by Friedrich Haag, from Wikimedia, CC BY SA 4.0.
Cheers.