Passkey Adoption is Too Slow

We recently hit a milestone in the world of digital security: 200 companies are now using passkeys instead of traditional password systems. It’s progress, sure, but to me, it’s not exactly fireworks-worthy. Frankly, it feels like we should be much further along.

I’ve heard from many in my audience — a group of smart, tech-savvy folks — and yet, there’s hesitation. People are leery about passkeys. The idea of leaving behind the trusty (if flawed) username and password combo still feels risky to some. That’s understandable; we’re in a strange transitional phase where trust in the new system is still being earned, and the old system isn’t quite dead yet.

Right now, a lot of companies are hedging their bets. They implement passkeys but keep the traditional username and password system alive “just in case.” While that might sound like a good compromise, it actually introduces new risks. Let me explain.

When a site offers both options, it creates a tempting target for bad actors, because the attacker can simply push you toward the weaker one. Imagine this: You try to log in with your shiny new passkey on what looks like the real site, and a fake prompt tells you it failed. Next thing you know, you’re asked to log in with your password instead. Guess what? You just typed your password into the attacker’s page, and the passkey you couldn’t have been tricked into giving up never got the chance to protect you.

By maintaining the old system alongside the new one, we’re essentially giving attackers two doors to try, and they will always pick the one without the deadbolt. It’s like installing a state-of-the-art security system but leaving the back door unlocked “just in case.” The fix isn’t complicated: once an account has a passkey, the site should stop accepting a password for it, or at the very least let the user switch the password off.

Then there’s the trend of bypassing passwords entirely in favor of email-based authentication. At first glance, it seems simple and clever: “Just click the link we emailed you.” But email isn’t exactly a fortress of security. If someone compromises your email account, they’ve got the keys to the kingdom. And unlike a passkey, a sign-in link or code that lands in your inbox isn’t tied to the site that sent it, so a convincing fake page can ask you to paste it in just as easily as it can ask for a password.

This trend feels like a half-step solution. It’s better than nothing, but it’s not the robust answer we need in the long term.

Passkeys, when implemented correctly, are a huge leap forward. They’re designed to be more secure and easier to use. They’re phishing-resistant, for one thing. A hacker can’t trick you into handing over a passkey the way they can a password: the private key never leaves your device, your browser will only use it for the site it was created for, and the site’s address is signed into every login, so a look-alike domain gets nothing it can reuse. And they take advantage of the biometric and secure enclave tech built into our devices, which is vastly more secure than anything we’ve relied on before.

We’re in this awkward adolescence of digital security. But getting to the point where passkeys are the norm will take a concerted effort. Companies need to be all-in, not straddling the line. Users need better education about how passkeys work and why they’re safer. And the tech industry as a whole needs to push forward faster.

Right now, everything about passwords and passkeys feels a little brittle. The sooner we can move to a world where passkeys are ubiquitous and properly implemented, the better off we’ll all be. Until then, stay vigilant, stay informed, and don’t forget to lock the back door.

Apple Claps Back

Those Terrible Passwords Aren’t Getting Any Better

NordVPN recently released its annual list of commonly used passwords, and (surprise, surprise!) not much has changed. What’s truly baffling is how many folks still rely on this digital equivalent of leaving their front door wide open. The most common password is “123456,” but fear not, “password” is still in there at number four. Lists like this are the first thing attackers feed into a credential-stuffing or brute-force tool, so anything on it is effectively no password at all.

If you’re reading MacSparky, you probably already use a password manager and strong, unique passwords. But if you know someone who doesn’t, please share this with them. Their accounts are far more vulnerable than they realize.

And there’s no excuse anymore. Apple users don’t even need a third-party solution: The built-in Passwords app starting with macOS 15 (Sequoia) and iOS 18 and newer generates, stores, and auto-fills strong passwords for free. It’s right there in your Applications folder (App Library on iOS), waiting to help.

Remember: If your password is easy for you to remember, it’s probably easy for others to guess.