ThinkableWhat is this?

Cryptography & Security

You Are Not Your Password: The Quiet Crisis of Online Identity

Every time you prove who you are online, you're doing something that would have seemed like magic 50 years ago — and something that is, quietly, broken.

The Idea

Identity is one of the oldest problems in human society, and for most of history, we solved it with context: you knew people, they knew you, and trust was embedded in community and proximity. The internet dissolved that context entirely. When you log into a service, you are a stranger talking to a machine, and the machine needs some way to believe you are who you claim to be. The solution we settled on — passwords — was always a kludge. Passwords are a shared secret: you know it, the server knows it, and that shared knowledge is supposed to prove identity. But shared secrets are fragile. They can be stolen, guessed, reused, or leaked in bulk when companies suffer breaches. The real problem isn't that people choose weak passwords; it's that the whole model asks you to prove identity by demonstrating knowledge, and knowledge can always be taken from you without you knowing it's gone. What's genuinely interesting is that cryptographers have known better approaches for decades. Public-key cryptography, for instance, lets you prove who you are without ever revealing a secret to the other party — you sign something with a private key that never leaves your device, and the other side verifies it with your public key. No shared secret. Nothing to steal from the server's database. The proof of identity stays entirely on your side of the conversation. The reason we're still mostly typing passwords in 2025 is not a technical failure — it's a coordination and incentive failure, which is almost always the more interesting story.

In the World

In September 2022, Apple, Google, and Microsoft all committed to supporting a new authentication standard called passkeys, built on exactly this public-key principle. The timing was not accidental. Just months earlier, Okta — a company whose entire business is identity and whose clients include thousands of corporations — was breached by a group called Lapsus$, which compromised customer support systems and exposed sensitive data for hundreds of organisations. The attacker didn't crack encryption or exploit some exotic vulnerability. They used stolen credentials. A support engineer's account had been accessed via a personal device, and from there the attackers moved laterally through the system. It was an identity failure, not a cryptography failure. Passkeys, by contrast, work like this: when you register with a service, your device generates a cryptographic key pair. The private key stays locked on your phone or laptop — protected by biometrics or a PIN that never leaves the device. The service stores only the public key, which is useless to an attacker without the corresponding private half. When you log in, your device signs a challenge from the server; the server checks the signature against the public key it has stored. There's no password to steal, no database of secrets to breach. Apple's rollout of passkeys across iCloud in late 2022 was the first mainstream deployment of this model at scale — and the early data suggests that phishing attacks, which depend entirely on tricking users into surrendering credentials, are nearly eliminated for accounts protected this way.

Why It Matters

This isn't just a technical upgrade — it represents a philosophical shift in how identity works online. For decades, we've treated identity as something you know. Passkeys reframe it as something you have and something you are: a device paired with a biometric. That shift puts control back on the user's side of the wire, which has real implications beyond convenience. It also reveals something worth holding onto about how technology actually changes: the hard part is rarely the invention. Public-key cryptography was developed in the 1970s. The conceptual tools to replace passwords have existed for most of the internet's life. What changes behaviour is when the friction of adopting a better system finally drops below the friction of tolerating the broken one — and when enough large players coordinate to make the new system the default. The next time you see a 'Sign in with Face ID' prompt, you're not just unlocking an account. You're watching a 50-year-old idea finally getting its moment.

A Question to Ponder

If the technology to make passwords obsolete has existed for decades, what other security problems are we tolerating right now simply because the coordination to fix them feels too hard?

Get a new one of these every morning.

Start learning with Thinkable
One topic like this, every day.Start free