The Death of the Password — and What Comes Next
- 01 — The Tyranny of Passwords
- 02 — The Idea That Changes Everything
- 03 — Passwords vs. Passkeys
- 04 — Bitcoin and Nostr Already Knew This
- 05 — Who Is Already Implementing It
- 06 — What Is Still Not Resolved
- 07 — What This Actually Means
- What to Do Today
After decades of dominating the internet, passwords are being replaced by technology the crypto world has known for years. What passkeys are, how they work, and why this changes everything.
Have you ever spent five minutes trying to remember the password for a service you use twice a year? Reset a password, created a new one impossible to memorize, written it in your phone’s notes app, and then felt vaguely guilty about it?
Welcome to the permanent state of digital security for billions of people. The password — that invention from the 1960s — still governs the internet in 2025. But its days are numbered.
01 — The Tyranny of Passwords
Fernando Corbató, a researcher at MIT, invented passwords in 1961. The system needed to separate files from different users on a shared computer. The solution: each person chose a secret word. Simple. Functional for a dozen researchers in a university lab.
Corbató lived to 93 and admitted, before he died, that passwords had become a “nightmare.” He himself used a printed list to remember his own. The inventor of the password could not manage passwords.
The problem is mathematical. The average adult has between 70 and 200 online accounts. A strong password requires at least 12 characters — uppercase, lowercase, numbers, symbols. The number of possible combinations is astronomical. But the number of passwords the human brain can reliably memorize is estimated at around five.
The result is predictable: massive reuse. Security reports consistently point to stolen, weak, or reused credentials as one of the leading causes of account compromise — year after year, without exception.
These are not failures of sophisticated systems. They are structural human failures, built into the design of the system itself.
02 — The Idea That Changes Everything
To understand passkeys, you need to understand a concept that looks like magic at first glance.
Imagine a special lock that works in reverse. You manufacture this lock and distribute copies to anyone who wants to send you a message. Anyone can close the lock — but only you, with the original key, can open it.
The lock is the public key. The key only you hold is the private key. Passkeys use the same pair for signing rather than locking: the private key produces a signature, and anyone holding the public key can check it.
In practice: the private key is protected by the device’s secure hardware. In many cases, encrypted versions can be synchronized between authorized devices to facilitate recovery and use. The public key goes to the service’s server. If that server is compromised, the stolen public key is mathematically useless to an attacker.
When you log in: the server sends a challenge (a random number). Your device signs that challenge with the private key. The server verifies with the public key. If it matches — access granted. No password was transmitted. Nothing to intercept. Nothing to steal.
03 — Passwords vs. Passkeys
Traditional password: transmits the secret itself — can be intercepted, stolen in data breaches, reused across services, vulnerable to phishing, and depends entirely on human memory.
Passkey: transmits only a unique mathematical signature, generated at the moment of login. There is no secret to intercept. Server breaches are useless — the public key cannot be used to log in. Passkeys are highly resistant to phishing because they only work for the correct domain — they do not work on fake sites. The user memorizes nothing — authentication uses biometrics or the device PIN.
The difference is not one of degree. It is one of model.
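The challenge-and-signature login from section 02 and the domain binding described above, as an added example (not code from the original article): a simplified Node.js model that treats the origin and the relying-party ID as one string and signs SHA-256(origin) plus the challenge instead of the full WebAuthn authenticator data. The class names and the domains `example.com` / `examp1e.com` are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Bytes covered by the signature: a hash of the site identity plus the server's challenge.
function signedData(origin, challenge) {
  return Buffer.concat([crypto.createHash('sha256').update(origin).digest(), challenge]);
}

// Authenticator (assumed model): one private key per site, never exported.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey; // only the public key leaves the device
  }
  // The browser supplies the origin it is really on; the page cannot override it.
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null; // no credential for this domain, e.g. a lookalike site
    return crypto.sign('sha256', signedData(origin, challenge), key);
  }
}

// Server (relying party): stores public keys and outstanding challenges, no secrets.
class Server {
  constructor(rpId) { this.rpId = rpId; this.users = new Map(); this.pending = new Set(); }
  enroll(user, publicKey) { this.users.set(user, publicKey); }
  newChallenge() {
    const c = crypto.randomBytes(32);
    this.pending.add(c.toString('hex'));
    return c;
  }
  verifyLogin(user, challenge, signature) {
    // Each challenge is single-use, so a captured signature cannot be replayed.
    if (!signature || !this.pending.delete(challenge.toString('hex'))) return false;
    const pub = this.users.get(user);
    return !!pub && crypto.verify('sha256', signedData(this.rpId, challenge), pub, signature);
  }
}

function demo() {
  const device = new Authenticator();
  const site = new Server('example.com');
  site.enroll('alice', device.register('example.com'));
  const c1 = site.newChallenge();
  const sig = device.sign('example.com', c1);
  const ok = site.verifyLogin('alice', c1, sig);      // fresh challenge, right key
  const replay = site.verifyLogin('alice', c1, sig);  // same signature sent again
  const phished = device.sign('examp1e.com', site.newChallenge()); // lookalike domain
  return { ok, replay, phished };
}
```

`demo()` returns `ok: true`, `replay: false` and `phished: null`: the lookalike domain gets no signature at all, and the server never held anything that could produce one.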
04 — Bitcoin and Nostr Already Knew This
Here is the ironic detail few people mention: the cryptography being presented as an innovation for mainstream users has been the backbone of Bitcoin and Nostr for over a decade.
Bitcoin: The private key controls the funds. The public key is the address. Every transaction is a cryptographic signature.
Nostr: The nsec is the key that controls your identity. The npub is the public representation of that identity. Every note you publish is a Schnorr signature.
Passkeys (WebAuthn): The private key lives in the device hardware. The public key lives on the server. Every login is an ECDSA or Ed25519 signature.
The algorithms are practically the same. The concept of “you control the key, you control the identity” is not new — it has been a cypherpunk axiom since the 1990s.
The critical difference is abstraction. In Bitcoin, you store a 12-word seed phrase. In Nostr, you manage an nsec. In both, losing the private key means losing access permanently. With passkeys, the system manages this for you — iCloud Keychain, Google Password Manager, and Windows Hello sync and back up keys automatically.
It is like taking Bitcoin’s robust security and wrapping it in an interface anyone can use.
If you already use an nsec to sign your notes on Nostr, you already understand passkeys intuitively. The difference is that the hardware handles everything — without you ever needing to see or touch the key.
05 — Who Is Already Implementing It
- 2022 — Apple launches passkeys in iOS 16 and macOS Ventura.
- 2022 — Apple, Google, and Microsoft announce a joint commitment to implement the standard. The industry stops and pays attention.
- 2023 — Google makes passkeys the default for personal accounts. Over 2 billion users. Passkey logins are 40% faster than password + SMS 2FA.
- 2023 — GitHub enables passkeys for all users.
- 2024 — WhatsApp, X, PayPal, Shopify adopt passkeys. The technology crosses into the mainstream.
- 2024 — 15 billion accounts protected by passkeys worldwide, according to the FIDO Alliance.
06 — What Is Still Not Resolved
The technology is solid. The problem, as always, is human and systemic.
Account recovery. With a password, if you forget it — reset via email. With a passkey, if you lose all your devices without a configured backup, recovering access can be difficult. Automatic backups through iCloud and Google Password Manager solve most cases, but no universal standard exists yet.
Closed ecosystems. Passkeys in iCloud work seamlessly across Apple devices. Moving to Android is still cumbersome. The FIDO Alliance is developing a portability standard (Credential Exchange Protocol), but it is not yet widely implemented.
Real custody or managed comfort. This is the tension the Bitcoin world knows well. When your passkey is synchronized through iCloud or Google, you become dependent on those companies’ infrastructure for recovery and credential management. The private key is synchronized in encrypted form — Apple and Google technically cannot use it directly — but the user is still inside a system they do not fully control.
This does not invalidate the technology. But it raises the same question the cypherpunk world always asks: real control, or managed comfort?
07 — What This Actually Means
Corbató invented passwords to separate files in a university lab. He never imagined that, 60 years later, the same provisional solution would be protecting — or failing to protect — banking operations, medical records, and digital identities for eight billion people.
Passkeys are not a stronger password. They are the acknowledgment that the password model no longer scales well to the modern internet. That asking a human to be the security layer of a cryptographic system is like using a copper wire as a fuse — it technically works, until the moment it fails catastrophically.
The transition will not be fast or clean. There will be years of coexistence. There will be users who never migrate, services that never implement. But the direction is set. The physics of the problem do not change.
At some point, someone will try to explain to a child what an internet password was. That people memorized strings of characters and typed them into a text field to prove they were who they claimed to be. And the child will look back with the same confusion a young person today feels when they see a cassette tape.
The future of authentication is not something you know. It is something you control.
What to Do Today
- Enable passkeys on Google: myaccount.google.com → Security → Passkeys
- On iPhone (iOS 16+), passkeys are already active — any compatible site will offer the option automatically
- Enable passkeys on GitHub: Settings → Password and authentication → Passkeys
- Verify that backup is active: iCloud Keychain (Apple) or Google Password Manager (Android)
- Register a second device as backup for critical services
- Visit passkeys.directory to see which services already support it
Sources: FIDO Alliance, Google Security Blog, Verizon Data Breach Investigations Report 2024, MIT Technology Review