The Elegance of Passkey Technology: A Double-Edged Sword for Security?
2024-12-30
Author: Ting
As the holiday season approaches, families are gathering, which means it's time for tech-savvy individuals to troubleshoot various tech woes their relatives might face. Among the most common headaches is the challenge of securely logging into multiple accounts in an increasingly dangerous digital landscape.
Using the same password for all accounts is tempting due to its simplicity, but in today's world, where data breaches are rampant and phishing schemes are becoming increasingly sophisticated, this practice is fraught with risk. While creating unique passwords for each account is more secure, it often proves nightmarishly complex, especially for those less tech-savvy—looking at you, Uncle Charlie, and his first smartphone.
Enter passkeys—the much-lauded alternative to traditional passwords that have been in the limelight for nearly two years. My initial enthusiasm for passkeys remains, as they present formidable defenses against cybercriminals. So what’s the catch?
Usability vs. Security: The Passkey Conundrum
Passkeys are built on FIDO2, which pairs the W3C WebAuthn browser API with the CTAP protocol that browsers use to talk to authenticators (the earlier FIDO U2F standard is the predecessor). The cryptography is sound: the authenticator signs a server-issued challenge with a per-site key pair, the key is bound to the site's identifier, and the browser only offers it to pages on that site, which is what makes a passkey resistant to phishing. In practice, though, as adoption has spread across browsers, operating systems and platforms, the promised ease of use has been dampened by a confusing ocean of different workflows and implementations. That reality has led some experts to question whether passkeys truly qualify as "usable security," a term I use for security measures that are as intuitive as the less secure options they replace.
William Brown, an authentication specialist, notes that the various hurdles users encounter can be frustrating—but none are outright deal-breakers. However, they accumulate to create a less-than-friendly user experience.
To illustrate, logging into PayPal with a passkey on Windows differs drastically from doing so on iOS or through Edge on Android, and Firefox is not supported at all. None of this weakens the cryptography, but it creates a usability quagmire for anyone moving between devices and platforms, and a confused user is one who falls back to the password.
Further complicating matters, when I created a passkey for my LinkedIn account in Firefox, LinkedIn's settings showed it as registered to Firefox on Mac, even though the passkey worked across all my devices. The mismatch comes from the limited information a site receives from the browser during registration, which leaves users unable to tell from the site's own settings page where their passkey actually lives.
If that wasn't enough, consider the message displayed when trying to log into LinkedIn in Firefox for Android: it is unclear whether the browser, the operating system or the site is at fault when the flow fails, and the options presented steer the user toward the vendor's preferred passkey store rather than toward whatever best serves the user.
Too Many Choices, Too Little Clarity
As Brown pointed out, big tech players all seem to have a divided vision for a "correct" user experience, complicating the implementation of passkeys further. Prompts push users towards platform-specific passkey storage without clear instructions on using alternatives.
Alternative scenarios—like attempting to enroll a physical security key on macOS—showcase the frustrating nature of the current implementations. Users are often guided through convoluted paths that prioritize passkeys synced through proprietary services instead of offering straightforward setups for security keys.
Most importantly, despite the hundreds of sites that now support passkeys, none of them has removed the underlying problem: the password is still there. A passkey is added alongside the password rather than replacing it, so an attacker who cannot phish the passkey simply phishes the password or the SMS code instead. An account is only as strong as the weakest credential the site still accepts, and that weakest credential remains phishable.
Christiaan Brand from Google acknowledged the slow march toward true passwordless authentication, saying that users aren't ready to give up passwords entirely. As long as those fallbacks exist, and they often rely on insecure methods such as SMS codes, the phishing resistance that passkeys were designed to provide is something an attacker can simply route around, which makes much of the advantage security theatre.
Is There a Future for Passkeys?
Despite the obstacles, there are promising aspects to passkeys. In enterprise environments, where an administrator controls which devices and authenticators are in use and can turn off the password fallback, they can dramatically improve security. Even casual users like Uncle Charlie, who mostly log in to a few accounts from one phone, may find passkeys a convenient upgrade over typing a password.
However, the main takeaway for anyone seeking to enhance their security is this: if a password manager isn't yet a staple of your digital life, start using one now. It lets you keep a unique, complex password for every account, which contains the damage from any single breach. For the more tech-savvy, adding multi-factor authentication, and ideally a hardware security key, makes a significant difference against account takeover, because a security key is phishing-resistant in the same way a passkey is.
In summary, while passkeys offer an innovative approach to secure access, the surrounding confusion and reliance on traditional passwords must be addressed for their full potential to be realized. Are we ready for a future free from passwords, or are we still navigating the pitfalls of a half-baked solution? The answer may well depend on how effectively we can adapt our security practices in the rapidly evolving digital landscape.