The death of the password has been announced so many times that the phrase has become a punchline among the security professionals who keep having to revive the patient. For two decades, each new scheme that promised to retire the humble string of characters ran aground on the same rocks: it was too clumsy, too proprietary, or it simply was not on enough devices to matter. Yet this time, the people who spent careers rolling their eyes at the obituaries are quietly conceding that the end may actually be near. The reason is not a slogan. It is a technology called the passkey, and by mid-2026 it is on essentially every phone and laptop sold.
A passkey is, in plain terms, a cryptographic key pair bound to your device. When you create one for a website, your phone or laptop generates two mathematically linked keys: a private one that never leaves the secure hardware on your device, and a public one handed to the site. To log in, the site sends a challenge; your device signs it with the private key after confirming you are present — usually with a fingerprint or a face scan. The site verifies the signature with the public key it already holds. At no point does a secret travel across the network, and at no point does the site store anything an attacker could steal and reuse.
Why this time is different
That architecture quietly dismantles the entire economy of password crime. There is nothing to phish, because there is no shared secret to trick out of you; a fake login page gets a signature that is useless anywhere else. There is nothing to leak in a breach, because the site only ever held a public key. And there is nothing to guess, because the private key is a long random number guarded by hardware, not a word you reused across nine accounts. The most common ways people lose control of their digital lives — phishing, credential stuffing, database leaks — simply stop working.
"You cannot phish a secret that never leaves the device, and you cannot leak one the website never had. That is the whole trick, and it is a very good trick."
A security engineer at a European identity provider — interviewed for this articleThe earlier death-of-the-password movements failed because they were islands. A hardware token you had to buy, an app one bank used and no one else, a biometric scheme locked to a single manufacturer. What changed is that the major platform vendors agreed on a common standard and built it directly into their operating systems, then made passkeys sync across a person's devices through their existing accounts. The result is the thing every previous attempt lacked: ubiquity. The replacement is already in your pocket, whether you have noticed or not.
The friction that remains
None of which means the transition is painless. The migration is the awkward part, and it is genuinely awkward. Most services still run passwords alongside passkeys, which means users live in a confusing hybrid where the old login and the new one coexist, and where turning the password fully off remains rare. People are being asked to trust an invisible mechanism they do not understand, which breeds exactly the hesitation that slows adoption.
The harder, unglamorous problem is recovery. A password lives in your head; a passkey lives in your device's hardware and your platform account. Lose the phone, lose access to the account that syncs it, and you can find yourself locked out of your own digital life with no familiar fallback. The platforms have built recovery paths, but they are intricate, they vary by vendor, and they reintroduce some of the very weaknesses passkeys were meant to abolish — because a recovery channel is, almost by definition, a back door. Solving login was the easy part. Solving graceful, secure recovery for billions of ordinary people who will absolutely lose their phones is the work that will decide how complete the victory is.
So the obituary, this time, looks closer to accurate than ever before — but it is an obituary with an asterisk. The password will not vanish on a date; it will fade, account by account, as the friction eases and the recovery story matures. For the first time, though, the thing meant to replace it is not a promise on a conference stage. It is already here, already working, and already quietly logging hundreds of millions of people in without a single character typed.