The Password Is Dead. Long Live the Passkey.

Today marks World Password Day—but if you ask Ashish Jain, CTO of OneSpan, we should be calling it something else entirely. “World Passkey Day is a reminder that the future of authentication is here – and it's passwordless,” said Jain.

It’s an ambitious claim, but one that’s gaining momentum. For decades, passwords have been the shaky linchpin of digital security: easily guessed, frequently reused, and often stolen. Despite repeated warnings, “123456” and “password” stubbornly top the charts of breached credentials year after year. In 2024 alone, more than 5 billion credentials were exposed online, according to cybersecurity firm Surfshark.

The rise of passkeys offers an escape route from this vicious cycle. Unlike passwords, which rely on shared secrets between users and websites, passkeys use cryptographic keys stored securely on your device. There’s no secret to steal; nothing to phish. Login attempts are verified by your device itself—often using a biometric like a fingerprint or Face ID—meaning attackers can’t simply snag a password from a phishing email or data breach and waltz into your account.

“Passwords have long been a point of vulnerability, often leading to breaches and user frustration,” Jain says. “Passkeys represent a meaningful step toward improving both security and usability, moving us closer to a more resilient digital infrastructure.”

That future is arriving faster than many expected. In 2022, Apple, Google, and Microsoft jointly committed to adopting the FIDO (Fast Identity Online) passkey standard across their platforms. By late 2023, passkey logins were already rolling out on Chrome, Safari, Edge, and Android, with adoption quietly accelerating into 2025. Google alone reported more than 400 million passkey uses by early this year.

Beyond convenience, the security gains are profound. “FIDO passkeys take traditional authentication a step further by using cryptographic credentials stored on a user’s device, ensuring both identity verification and security,” Jain explains. This decentralized approach sidesteps a critical weakness of passwords: central storage. Even if a website’s servers are compromised, there’s no password database to steal.

In high-risk sectors like banking, this shift is more than an upgrade—it’s a necessity. “Passkeys are especially valuable in securing high-risk interactions like financial transactions, where strong, phishing-resistant authentication is critical,” Jain says.

But transitioning to a passwordless world isn’t as simple as flipping a switch. Enterprises must integrate passkey support across legacy systems. Consumers need education and reassurance. And there’s the thorny challenge of interoperability: ensuring a passkey registered on an iPhone works seamlessly on a Windows PC or Android tablet.

Despite the hurdles, momentum is undeniable. The shift is not just about stronger security—it’s about removing friction for users and finally retiring a security relic that was never meant to protect the digital lives we lead today. “As the adoption of passkeys grows, I’m confident they will be key to transforming how we protect our most sensitive online interactions,” Jain says.

On World Password Day, it’s worth asking whether the era of passwords is finally nearing its end—or whether next year we’ll be celebrating something entirely different: a world without them.