Plaintext with Rich
Cybersecurity is an everyone problem. So why does it always sound like it’s only for IT people?
Each week, Rich takes one topic, from phishing to ransomware to how your phone actually tracks you, and explains it in plain language in ten minutes or less. No buzzwords. No condescension. Just the stuff you need to know to stay safer online, explained like you're a smart person who never had anyone break it down properly. Because you are!
Passkeys and Passwordless Login: Why Shared Secrets Are the Problem
You don't lose access to an account because someone knows your name. You lose access because they reused something you were told to keep secret. For years, the internet has worked on copying secrets and then acting surprised when copies escape.
This episode breaks down passwordless authentication and passkeys, explaining why the shift away from typed passwords isn't innovation hype but an industry admission that shared secrets have become a liability. It covers what passkeys actually are (a cryptographic key pair: the private key never leaves your device, and the site stores only the public key), why they're considered phishing-resistant (the credential is bound to the site's domain and your device signs for the origin it is actually talking to, so a lookalike page has nothing to steal or replay), and the real tradeoffs, including device dependency and the critical importance of account recovery paths. The episode walks through the security benefits of removing reuse, phishing, and credential stuffing from the equation, then closes with a six-step starter kit covering core account protection, passkey adoption, strong MFA for non-passkey sites, recovery lockdown, password manager use, and device loss planning.
Whether you've seen "create a passkey" on a login screen and weren't sure what to do or you're evaluating passwordless options for your organization, Plaintext with Rich explains the shift.
Is there a topic/term you want me to discuss next? Text me!!
YouTube more your speed? → https://links.sith2.com/YouTube
Apple Podcasts your usual stop? → https://links.sith2.com/Apple
Neither of those? Spotify’s over here → https://links.sith2.com/Spotify
Prefer reading quietly at your own pace? → https://links.sith2.com/Blog
Join us in The Cyber Sanctuary (no robes required) → https://links.sith2.com/Discord
Follow the human behind the microphone → https://links.sith2.com/linkedin
Need another way to reach me? That’s here → https://linktr.ee/rich.greene
Why Passwords Keep Failing
You don't lose access to an account simply because someone knows your name or your username. You lose access because they reuse something you were told to keep secret. For years, the internet has worked on copying secrets and then acting surprised when copies escape. Welcome to Plaintext with Rich. Today we're talking about passwordless authentication and passkeys.

Let's start with a simple question. Why do passwords keep failing? Well, not occasionally, not in edge cases, constantly. Passwords fail because they depend on human behavior staying perfect in a system designed for scale. When we have this, people reuse them. They simplify them. They get tricked into typing them where they shouldn't. Companies store them badly, databases get copied, attackers automate everything. And once a password exists, it can be reused forever unless we get rid of it. That's the core problem. And when stolen passwords get tried across dozens of sites automatically, that pattern has a name: credential stuffing. Now, the easy way to explain credential stuffing really is someone steals a list of email and password pairs and then simply checks where else those combinations work. Often it works more than once. So when you hear the industry talk about passwordless, this isn't innovation hype, it's an admission. Typing a shared secret into a website has become a liability.

So what does passwordless actually mean? It does not mean no security, it does not mean trust vibes, and it does not mean everything suddenly becomes simple forever. Passwordless means you're no longer proving who you are by sharing something memorized or reusable. Instead, you prove identity using a device and cryptography. Usually that looks like a combination of something you have, like a phone or a security key, and something you are, like a fingerprint or a face scan. The password stops being the center of gravity, and the most common version of this today is called a passkey.

So, what is a passkey? Again, in plain text, a passkey is a login method that uses cryptographic keys instead of a typed password. Now here's the important part. Your device creates a private key. That key never leaves your device. You may be familiar with the private/public key pairs we discussed in a previous episode. The website stores a matching public key. That public key is useless by itself. When you attempt to sign in, your device proves it has the private key without ever revealing it. No shared secret, nothing reusable, nothing for a fake website to steal. That's the shift. If you were to land on a phishing page, your device won't authenticate because the cryptographic match fails. The system checks where it's talking, not just what you typed. That's why passkeys are often considered phishing resistant. Not because they're magical, but because they remove the thing phishing relies on.

So why should we care? Because passkeys quietly fix multiple problems at once. First, phishing drops dramatically. If there's nothing to type, there's nothing to steal. Second, password reuse disappears. You never create a password in the first place. Third, our logins get faster. Usually it's a tap, a glance, and you're in. And fourth, support issues shrink. Fewer resets, fewer lockouts, fewer hijacked accounts. This matters because security that adds friction doesn't scale well, right? Security that removes friction does. That's why passkeys are spreading faster than most security upgrades ever have.

Now let's slow down and be honest. While passwordless is better, it is not perfect. There are trade-offs. The biggest one, honestly, is device dependency. If you lose your phone or replace a device, recovery matters. Which leads to the real attack surface here, which is account recovery. When attackers can't guess a password, they aim for resets, support calls, backup emails, weak recovery questions. Passwordless doesn't remove that risk, it concentrates it. So recovery paths need just as much attention as login paths. Another reality is going to be coverage. Not every service supports passkeys yet. We're in a transition period, if you will. Some accounts will be passwordless, some will still use passwords plus, say, multi-factor authentication. This is a hybrid world, and that is perfectly normal.

So, as always, let's make this just a little bit practical, right? I try to keep it to four things. Step one, protect your core accounts. As always, email is going to come first. Then think about it: Apple, Google, Microsoft account, password managers, financial accounts, all of those things. Email is the reset button again for your digital life. If someone controls it, they potentially control everything else. Step two, enable passkeys where they're offered. If you see the option "create a passkey" or "sign in with a passkey," use it. Don't be scared of it. Embrace it. You can usually keep a password as backup during the transition. That's fine. Step three, keep strong multi-factor authentication where passkeys aren't available. Prefer authenticator apps or hardware keys. Avoid SMS when you can, but if it's your only option, I still recommend doing it. Again, this is about layering, not purity. Step four, lock down account recovery. Check your recovery emails, your phone numbers, your backup codes, your trusted devices. Make sure recovery points back to you and you actually have access to those accounts, especially if they're older accounts that maybe you don't remember how you enabled the recovery setup. Passwordless fails if recovery is still wide open. We do have another two steps. First, stability, right? Step five, keep using a password manager for non-passkey sites. Some password managers allow you to use and store passkeys, right? They won't auto-fill on fake pages, which again adds phishing resistance today. And step six, plan for some type of device loss. Have more than one trusted device if possible. Store recovery codes securely, probably not on said device, right? Not in your inbox, not on a sticky note. As always, preparedness beats panic every single time.

A few myths that might exist. Myth one, passwordless means nobody can break in. The reality is it removes entire classes of attacks, especially phishing and reuse. It doesn't mean it can never happen. Myth two, websites store your biometrics. The reality here is biometrics typically stay on your device. Sites get cryptographic proof, not really your fingerprint itself. Myth number three, this is too complicated. The reality here is daily use is simpler than passwords. The complexity, honestly, is planning recovery. That becomes the complex portion.

If we were to look at this as a plaintext recap: passwords fail because they're shared secrets. Passkeys replace that model with proof instead of disclosure. You don't hand over a key, you prove you have one. If you take one action this week, make it this. Enable passkeys on your email and core accounts and harden the recovery. That single change, or really two changes, removes more risk than memorizing another strong password ever will. Now, if there's a security topic you want broken down in plain text, please send it my way. Email, DM, drop in the comments, carrier pigeon. However you choose to reach out to me, I will read it and I will respond. If this episode helped at all, please share it with someone who'd actually benefit. This has been Plaintext with Rich. Ten minutes or less, one topic, no panic. I'll see you next time.