Passkeys are stupid. Embrace passwords.

2025-07-10

Disclaimer 1: This is not a diss against anyone, especially the developers working on passkeys. The tone of the post may seem sarcastic or even hostile. It’s just the way words are coming to me right now.

Disclaimer 2: This is my opinion at the time of writing. It can change. I’m not a genius, but I’m smart enough to understand that I may be wrong.

Passkeys are the most retarded thing the tech industry has pushed recently, with companies like Microsoft making it increasingly difficult even to create password-based accounts (article on Forbes).

Instead of the “promised” solution of a secure alternative that provides a better user experience than passwords, passkeys are an overly complicated cryptographic solution that breaks basic portability and user autonomy. UX is worse than passwords. It assumes people are only using Apple devices or the same browser under the same account. Recovery is a nightmare. What happens when you lose access to your Apple account? You're potentially locked out of everything, creating a single point of failure that's worse than the problems passkeys were supposedly intended to solve.

On the other hand, the email + password combination is effective: a simple, straightforward solution with an easy recovery mechanism. It works everywhere, on any device, any browser, and any platform, with no sync dependencies on Apple, Google, or Microsoft.

Passkeys were created as a solution to phishing. And, yes, phishing is a significant problem. This is why password managers exist. Password managers work seamlessly across all platforms, giving users complete control over their data. They solve the security problem without creating new usability problems. In addition to their core functionality of keeping your credentials safe and offering a simple way to have a different password for every account, small UX improvements, such as not autofilling credentials on fake sites because saved logins are domain-locked, make them an even better, and perhaps necessary, solution.
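The domain-locked autofill behaviour mentioned above, as an added illustration that is not code from this post or from any real password manager: the saved login is keyed by the exact origin it was stored on, so a look-alike host, a sub-domain of an attacker's parent domain, a `user@host` trick, or an HTTP downgrade gets no fill. The vault entry and host names are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample vault (not a real account): each entry is keyed by the
# exact origin (scheme://host[:port]) on which the credential was saved.
VAULT = {
    "https://bank.example": {"username": "alice", "password": "correct-horse-battery-staple"},
}


def page_origin(page_url):
    """Return the normalised origin of the page asking for autofill, or None
    if the page is not one we are willing to fill on at all."""
    parts = urlsplit(page_url)
    if parts.scheme != "https":          # never offer a credential over plaintext HTTP
        return None
    host = parts.hostname                # lower-cased; any "user@" prefix is stripped
    if not host:
        return None
    try:
        port = parts.port or 443
    except ValueError:                   # malformed port component
        return None
    return f"https://{host}" if port == 443 else f"https://{host}:{port}"


def autofill_decision(page_url):
    """Decide whether the manager offers a saved credential for page_url.
    Matching is exact-origin only: string similarity ("bank-example.com"),
    sub-domains of an attacker parent ("bank.example.evil.test") and a
    different port all count as a different site and get nothing."""
    origin = page_origin(page_url)
    if origin is None:
        return {"fill": False, "reason": "untrusted scheme or malformed URL"}
    entry = VAULT.get(origin)
    if entry is None:
        return {"fill": False, "reason": f"no credential saved for {origin}"}
    return {"fill": True, "reason": "exact origin match", "username": entry["username"]}


if __name__ == "__main__":
    for url in ("https://bank.example/login",
                "https://bank.example.evil.test/login",
                "https://bank.example@evil.test/login",
                "http://bank.example/login"):
        print(url, "->", autofill_decision(url))
```

Real managers differ in how strict the match is (some fall back to the registrable domain), but the principle is the same: the decision is made on the parsed host, not on what the page looks like.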

All in all, rebuilding authentication from scratch and making it dependent on proprietary ecosystems is not the solution to phishing.

I would love to hear your thoughts. As I said, these are my current ideas and are subject to change. You can find me on Twitter and Farcaster.