The Future of Passwords: Kill Them in the Flow, Keep Them in the Constitution
2025-11-14 11:20:57 Author: securityboulevard.com

For most of us, logging in has always meant typing a password. It’s familiar and simple, and let’s be honest, deeply flawed. Passwords are reused, guessed, stolen and sold. They’ve become the soft spot in our digital lives, and attackers know it.

The 2024 Verizon Data Breach Investigations Report highlights what security teams already know: stolen credentials remain the most common way into a breached organization. Typed secrets are easy to steal and endlessly reused, and entire criminal economies thrive on them.


The industry is now rushing toward a new paradigm. Passkeys, built on the FIDO2 and WebAuthn standards, are pitched as the password's final successor.

They replace guessable strings with public-key credentials. The private key stays on the user's device (or in an end-to-end encrypted sync fabric) and is never typed into or sent to the site; the site stores only the public key and accepts a signature that is bound to its own origin and to a fresh challenge. The result is phishing-resistant logins that are faster and more reliable.

Apple, Google and Microsoft are all championing this model, and early adoption metrics suggest the benefits are real: Higher login success rates, fewer resets and measurable drops in account takeovers. 

However, in our rush to replace passwords, we risk losing something they quietly gave us: Portability, control and a last-resort way back in. Passkeys solve the login problem, but recovery is a different story. That’s where we need to think carefully. 

When the Password Dies, What Takes Its Place? 

The flaws of passwords are obvious, but they solve two problems that remain unsolved at scale. First, passwords provide portability. They stay in your head, not in the custody of an operating system vendor or cloud service. Second, they provide a crude but universal recovery method. Lose your devices, and you could still reconstruct access with that memorized string. 

Passkeys, for all their strengths, struggle here. They usually synchronize within a single platform: Apple's iCloud Keychain, Google Password Manager or Microsoft Authenticator. That's convenient, but it creates a monoculture of custody. When all devices are lost, recovery becomes an identity-proofing problem, not just a technical one. The latest guidance from the National Institute of Standards and Technology (NIST) warns that recovery, not login, is where these systems most often fail.

If we ‘kill’ passwords without addressing these truths, we risk replacing one systemic weakness with another. 

Passkeys and the Illusion of Convenience 

The advantages of passkeys are undeniable. One-time codes sent by SMS can be relayed through a proxy site, and push notifications can be phished into approval; a passkey assertion, by contrast, is signed over the origin the browser is actually on and over a challenge the site just issued, so a credential for example.com is useless on a look-alike domain and a relayed challenge fails verification. Regulators have already begun distinguishing plain multi-factor authentication from phishing-resistant authentication.
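The origin binding described above (and the "keys never sent to the site" property from the introduction), as an added example rather than code from the article or from any FIDO implementation: a Go sketch of both sides of a WebAuthn assertion. The authenticator data is simplified to the RP ID hash (real authenticator data also carries flags and a signature counter), the domains example.com and examp1e.com and the challenge strings are made up for the illustration, and the model authenticator signs for any RP ID so that the relying party's rejections are visible; a real authenticator would already refuse, since it holds no credential scoped to the look-alike domain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the fields of WebAuthn's CollectedClientData that matter here.
// The browser, not the site, fills in the origin, which is why a phishing page
// cannot lie about where the assertion was made.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the relying party receives: authenticator data (simplified here
// to the RP ID hash), the client data JSON the browser built, and a signature over both.
type Assertion struct {
	RPIDHash   [32]byte
	ClientData []byte
	Signature  []byte
}

// Authenticator holds the credential private key; nothing here ever exports it.
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// Public is the only thing the relying party stored at registration.
func (a *Authenticator) Public() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign models browser plus authenticator. The browser supplies the origin the user is
// actually on and the RP ID it derived from that origin; the authenticator binds both
// into the signed bytes. (Simplification: it signs for any RP ID, see the lead-in.)
func (a *Authenticator) Sign(origin, rpID, challenge string) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	cdHash := sha256.Sum256(cd)
	// ES256: ECDSA over SHA-256(authenticatorData || SHA-256(clientDataJSON)).
	msg := sha256.Sum256(append(rpIDHash[:], cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, msg[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{RPIDHash: rpIDHash, ClientData: cd, Signature: sig}, nil
}

// Verify is the relying party. Every field checked is covered by the signature, so a
// relay cannot rewrite the origin or challenge without invalidating the assertion.
func Verify(pub *ecdsa.PublicKey, rpID, wantOrigin, wantChallenge string, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != wantChallenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != wantOrigin {
		return errors.New("origin mismatch: assertion was produced on " + cd.Origin)
	}
	if as.RPIDHash != sha256.Sum256([]byte(rpID)) {
		return errors.New("rpIdHash mismatch: credential scoped to another RP")
	}
	cdHash := sha256.Sum256(as.ClientData)
	msg := sha256.Sum256(append(as.RPIDHash[:], cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, msg[:], as.Signature) {
		return errors.New("invalid signature")
	}
	return nil
}

func main() {
	auth, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	const rpID, origin = "example.com", "https://login.example.com"
	// Legitimate login: the browser is on the real origin.
	as, _ := auth.Sign(origin, rpID, "challenge-1")
	fmt.Println("real site:", Verify(auth.Public(), rpID, origin, "challenge-1", as))
	// Phishing: the same challenge relayed to the victim on a look-alike domain.
	bad, _ := auth.Sign("https://login.examp1e.com", "examp1e.com", "challenge-1")
	fmt.Println("look-alike:", Verify(auth.Public(), rpID, origin, "challenge-1", bad))
}
```

The contrast with SMS codes is the point: a six-digit code carries no information about where it was typed, so a proxy can forward it, whereas the assertion above carries the origin and RP ID inside the signed bytes and the relying party rejects anything signed elsewhere.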

Performance also matters. Microsoft reports success rates near 98% for passkey-based logins, with almost a million new passkeys registered daily.

Businesses, long haunted by abandoned checkouts and forgotten passwords, see economic benefits as well as security ones.

In academic terms, passkeys approach what Joseph Bonneau and colleagues set out to measure in The Quest to Replace Passwords: high marks across usability, deployability and security, a combination that paper found no prior scheme had managed.

For the everyday login experience, the verdict is clear: Passwords deserve retirement. 

Why Passwords Still Matter 

What’s less clear is how we engineer the safety net. Most people rely on cloud-synchronized passkeys, but that centralization creates lock-in. 

Industry groups are working on portability standards (the FIDO Alliance's Credential Exchange Protocol and Format, for instance); until those are universally implemented, switching custodians remains risky.

Recovery is even thornier. If a user loses all devices, recovery pathways must balance usability with fraud resistance. Too often, services fall back on SMS or email links, methods NIST explicitly warns against. As Gene Spafford once argued in his writings on security and human factors, the weakest point is rarely the math but the human workflow surrounding it. True resilience requires layered strategies: a second hardware key registered in advance, social recovery through trusted contacts, and delayed re-enrollment ceremonies that introduce friction only during a crisis.

Here lies the paradox: to build a truly passwordless future, we must reimagine the password's old role, not as a front-door key but as part of a deeper constitutional layer of identity.

Building a Recovery Constitution for Identity 

Think of digital identity as a republic. Day-to-day administration should be handled by passkeys: fast, simple and phishing-resistant.

But a constitution is needed for emergencies. That constitution can take the form of offline recovery seeds, sealed hardware tokens or threshold cryptography schemes that divide control across multiple custodians, so that any sufficiently large subset of them, and no smaller one, can restore access.
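Threshold custody as described here, and the social recovery through trusted contacts mentioned in the layered-recovery list earlier, as an added example not taken from the article: Shamir secret sharing over the field GF(2^255 - 19), splitting a recovery seed among n custodians so that any k of them reconstruct it while k - 1 shares are consistent with every possible seed. The 31-byte seed size, the 3-of-5 split in main, and the function names are choices made for this illustration.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Shares live in GF(p) with p = 2^255 - 19. A seed must be smaller than p, so
// NewRecoverySeed draws 31 random bytes (248 bits).
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 255), big.NewInt(19))

// Share is one custodian's piece: the point (X, f(X)) on the secret polynomial.
type Share struct {
	X int
	Y *big.Int
}

func NewRecoverySeed() (*big.Int, error) {
	buf := make([]byte, 31)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	return new(big.Int).SetBytes(buf), nil
}

// Split hides secret as f(0) of a random polynomial of degree k-1 and hands out
// f(1)..f(n). Any k points determine f; k-1 points fit every possible f(0) equally,
// which is what makes this a threshold scheme rather than n copies of a backup.
func Split(secret *big.Int, k, n int) ([]Share, error) {
	if k < 2 || n < k {
		return nil, errors.New("need 2 <= k <= n")
	}
	if secret.Sign() < 0 || secret.Cmp(prime) >= 0 {
		return nil, errors.New("secret must be in [0, p)")
	}
	coeffs := make([]*big.Int, k)
	coeffs[0] = new(big.Int).Set(secret)
	for i := 1; i < k; i++ {
		c, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coeffs[i] = c
	}
	shares := make([]Share, n)
	for i := range shares {
		x := big.NewInt(int64(i + 1))
		y := new(big.Int) // Horner: ((a_{k-1} x + a_{k-2}) x + ...) + a_0, mod p
		for j := k - 1; j >= 0; j-- {
			y.Mul(y, x).Add(y, coeffs[j]).Mod(y, prime)
		}
		shares[i] = Share{X: i + 1, Y: y}
	}
	return shares, nil
}

// Recover evaluates the Lagrange interpolation of the given points at x = 0.
// With fewer than k distinct shares the result is simply some other field element.
func Recover(shares []Share) (*big.Int, error) {
	if len(shares) == 0 {
		return nil, errors.New("no shares")
	}
	seen := make(map[int]bool, len(shares))
	for _, s := range shares {
		if s.X <= 0 || seen[s.X] {
			return nil, errors.New("shares must have distinct positive indices")
		}
		seen[s.X] = true
	}
	secret := new(big.Int)
	for i, si := range shares {
		xi := big.NewInt(int64(si.X))
		num, den := big.NewInt(1), big.NewInt(1)
		for j, sj := range shares {
			if i == j {
				continue
			}
			xj := big.NewInt(int64(sj.X))
			num.Mul(num, new(big.Int).Neg(xj)).Mod(num, prime)     // product of (0 - x_j)
			den.Mul(den, new(big.Int).Sub(xi, xj)).Mod(den, prime) // product of (x_i - x_j)
		}
		term := new(big.Int).Mul(si.Y, num)
		term.Mul(term, new(big.Int).ModInverse(den, prime)) // y_i * l_i(0)
		secret.Add(secret, term).Mod(secret, prime)
	}
	return secret, nil
}

func main() {
	seed, err := NewRecoverySeed()
	if err != nil {
		panic(err)
	}
	shares, err := Split(seed, 3, 5) // five custodians; any three restore access
	if err != nil {
		panic(err)
	}
	got, _ := Recover([]Share{shares[0], shares[2], shares[4]})
	fmt.Println("3 of 5 recovered the seed:", got.Cmp(seed) == 0)
	short, _ := Recover(shares[:2])
	fmt.Println("2 of 5 recovered the seed:", short.Cmp(seed) == 0)
}
```

In a deployment the shares would go to different kinds of custodian (a sealed hardware token, a trusted contact, a printed sheet in a safe), and the re-enrollment ceremony that collects them is the place to add a deliberate delay and an audit record; the scheme itself only guarantees that no single custodian, and no coalition smaller than k, can restore the seed.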

The point is not to keep passwords alive as daily annoyances, but to preserve their hidden value: sovereignty and continuity. Just as a constitution sits quietly in the background until crisis strikes, so too should our evolved recovery systems.

Envisioning a Resilient Authentication Future 

The debate has often been framed as binary: either kill passwords or evolve them. But the better questions are where secrets should live and how they should move. In the flow, they should disappear into cryptographic keys that exist only on devices we control. In recovery, they should be diversified, auditable and safeguarded by plural custody.

If we adopt this layered view, the password box on websites can finally vanish. Yet the principle of a portable, sovereign backstop remains. In this future, passwords don't dominate our daily logins, but neither are they consigned to oblivion. They become constitutional: rarely invoked, tightly constrained, but essential for resilience.

The best path forward isn’t to kill passwords outright; it’s to evolve their role. 

Use passkeys for what they do best. Build recovery systems that reflect the complexity of real life. And preserve the values passwords carry, even as their form changes.

Passwords deserve to die in the flow. However, in the constitution of digital identity, they may be more alive than ever. 


Article source: https://securityboulevard.com/2025/11/the-future-of-passwords-kill-them-in-the-flow-keep-them-in-the-constitution/