The traditional password, long the backbone of online security, is facing growing pressure from more advanced login methods such as fingerprints, facial recognition, and digital access keys. Yet despite the push from major technology companies, public skepticism and usability challenges are slowing the transition.
In a July blog post, two senior Microsoft executives declared that “the password era is ending,” noting that the company has been developing more secure login alternatives for years. Since May, Microsoft has offered these options by default to new users. Other platforms, including popular online services like ChatGPT, have incorporated extra verification steps—such as sending numerical codes to a registered email address—to safeguard sensitive data.
Cybersecurity experts argue that passwords are increasingly inadequate. “Passwords are often weak and people re-use them,” said Benoit Grunemwald of Eset, adding that sophisticated hackers can crack short passwords in seconds. Stolen passwords also remain a prime target in data breaches, often due to poor storage practices by the very companies meant to protect them.
In June, researchers from Cybernews uncovered a staggering database of around 16 billion login credentials collected from past hacks, underscoring the vulnerability of password-based systems.
In response, industry heavyweights including Google, Microsoft, Apple, Amazon, and TikTok have united under the Fast Identity Online Alliance (FIDO) to promote password-free authentication. Their preferred solution—passkeys—uses a separate device, such as a smartphone, to authorize logins via biometric inputs like a fingerprint or a face scan, or with a PIN code.
Troy Hunt, founder of the breach-tracking site Have I Been Pwned, noted that passkeys offer a significant security advantage: “With passkeys, you cannot accidentally give your passkey to a phishing site.” However, Hunt also cautioned that similar predictions about the “death of passwords” have been made for over a decade, yet the number of passwords people manage has only grown.
The transition to passwordless systems is far from seamless. Many smaller websites still rely on basic username-password combinations, and for users, passkey setup can be confusing. Recovering access after losing a device or forgetting a PIN is also more complicated than a simple password reset.
“The thing that passwords have going for them, and the reason that we still have them, is that everybody knows how to use them,” Hunt said.
Ultimately, experts warn that while passwords may fade, human behavior will remain a key security risk. “People will have to take good care of security on their smartphones and devices, because they’ll be the things most targeted in future,” Grunemwald said.
