The Password (1961 to Dying)
I built a CIAM platform that handled 200 million password resets a year. Even from inside the industry, I missed how fast passkeys would flip the model.
Born 1961 · Still dying · Status: dying
Certificate of Death
- Name of decedent: The Password
- Born: 1961
- Died: —
- Age: 65+
- Cause of death: Apple, Google, and Microsoft simultaneously defaulted to passkeys
- Survived by: Passkeys, WebAuthn, FIDO2, platform authenticators
- Invented by: Fernando Corbato, MIT Compatible Time-Sharing System
The hook
81% of data breaches still involve credential compromise. The password did not fail because it was bad. It failed because something easier finally arrived.
Thesis. The password held on for 63 years through pure inertia. Passkeys did not win by being more secure. They won by being faster to use than the password they replaced.
The story
The origin
Fernando Corbato's CTSS at MIT, 1961. Passwords were a quick hack to keep users from reading each other's files on a shared mainframe. Not designed for the internet. Not designed for 100 apps per person.
The expansion
Every app that came after just copied the pattern. By 2000 the average user had 25 passwords. By 2020, more than 100. The model scaled out of the conditions it was designed for, and nobody fixed the primitive underneath.
The failed fixes
Complexity rules, rotation policies, password managers, breach databases. Each made the user experience worse without solving the underlying problem. The industry spent two decades polishing a primitive that could not be polished into safety.
The pivot
May 2022. FIDO Alliance announces platform alignment. Apple ships passkeys in iOS 16. Google ships them in Chrome 108. Microsoft ships them in Windows 11. Three platform owners default to the same replacement at the same time, which has happened maybe twice in computing history.
The death certificate
By 2025 new consumer apps default to passkey signup. Amazon and Best Buy ship passkey-only flows. Enterprise lags 24 to 36 months behind consumer adoption, as it always does. Final breath is projected for 2030 in consumer, 2032 in enterprise, later in regulated industries.
Key data points
- First password: MIT CTSS, 1961 (Fernando Corbato)
- Verizon DBIR: around 80% of breaches involve credentials
- Apple passkey support announced: WWDC June 2022
- Amazon passkey-only signup option: launched 2024
- FIDO Alliance certified deployments: more than 1 billion by 2024
Contrarian angle
The security community spent 20 years trying to make passwords better. The win came from accepting they could not be fixed and starting over.
FAQ
When did passkeys actually surpass password adoption?
Adoption is still being measured, but new-signup flows at major consumer apps flipped to passkey-first in 2024 and 2025. Existing-account migration trails new signups by 18 to 24 months.
Why didn't password managers solve this?
Password managers made the worst part of passwords (typing them) bearable without fixing the underlying problem (shared secrets that get phished, breached, and replayed). They were a workaround, not a replacement.
Are passwords actually dead or just dying?
Dying. Dead is the wrong word until the bottom 50% of websites migrate, which will take until 2030 in consumer and longer in regulated industries.
Is biometric auth the same as passwordless?
No. Biometrics unlock the passkey on your device, but the credential exchanged with the server is a cryptographic key, not your fingerprint. The biometric never leaves the device.
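The two FAQ answers above (passwords are shared secrets that get phished, breached, and replayed; a passkey login exchanges a cryptographic key instead) can be seen in a small model. This is an added example, not code from the original page: a simplified challenge-response using Node's built-in `crypto` module. The function names, the JSON client-data layout and the `.example` origins are assumptions for illustration; real WebAuthn signs authenticator data plus a hash of the client data and also scopes each credential to a relying-party ID.

```javascript
// Added illustration: a simplified model of a passkey login, not real WebAuthn encoding.
const crypto = require('node:crypto');

// Registration: the device keeps the private key; the server stores only the public key.
function register() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { authenticator: { privateKey }, serverRecord: { publicKey } };
}

// Server: every login attempt gets a fresh random challenge.
function newChallenge() {
  return crypto.randomBytes(32).toString('hex');
}

// Device (after the local biometric/PIN unlock): sign the challenge plus the
// origin the browser is actually on. Only this signed blob leaves the device.
function signAssertion(authenticator, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), authenticator.privateKey);
  return { clientData, signature };
}

// Server: check the signature first, then challenge freshness and origin.
function verifyAssertion(serverRecord, expectedChallenge, expectedOrigin, assertion) {
  const data = Buffer.from(assertion.clientData);
  if (!crypto.verify('sha256', data, serverRecord.publicKey, assertion.signature)) return 'bad-signature';
  const { challenge, origin } = JSON.parse(assertion.clientData);
  if (challenge !== expectedChallenge) return 'stale-challenge';
  if (origin !== expectedOrigin) return 'wrong-origin';
  return 'ok';
}

function demo() {
  const origin = 'https://shop.example';          // constructed relying-party origin
  const lookalike = 'https://shop-login.example'; // constructed look-alike origin
  const { authenticator, serverRecord } = register();
  const challenge = newChallenge();
  const login = signAssertion(authenticator, challenge, origin);
  const otherKey = register().authenticator;      // party holding only the server's database
  return {
    legit: verifyAssertion(serverRecord, challenge, origin, login),
    replayed: verifyAssertion(serverRecord, newChallenge(), origin, login),
    phished: verifyAssertion(serverRecord, challenge, origin, signAssertion(authenticator, challenge, lookalike)),
    breached: verifyAssertion(serverRecord, challenge, origin, signAssertion(otherKey, challenge, origin)),
  };
}
```

A captured password would pass all four checks; here only the first does, because the server record holds nothing that can sign and each signature is bound to one challenge and one origin.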
Related obituaries
More from the authentication graveyard.
2011 — Dying
SMS-Based MFA
The most cited example of cybersecurity inertia. NIST deprecated SMS MFA in 2017. It took SIM-swap attacks on Coinbase and Twitter founders to force action.
Cause: SIM-swap attacks on high-profile accounts forced regulatory action
authentication · Peak 2018 · Final breath 2027
-1000 — Dying
The Wet-Ink Signature
I spent a career building consent into software, and the whole time the legal system ran on a squiggle a child could forge. The wet-ink signature was security theater that lasted three millennia. It is finally dying.
Cause: Remote work and digital contracts made physical ink impractical, and e-signature was both faster and more verifiable. Cryptographic signing then made the handwritten mark legally and technically redundant.
authentication · Peak 1990 · Final breath 2030