From Passwords to Passkeys

A partially accurate historical account on how we finally arrived at passkeys as the ultimate solution to accessible and secure authentication from simple passwords.

Scene from the movie WarGames (1983)

• 1961: A group of researchers at MIT releases CTSS, the first password-based, multi-user time-sharing system due to long queues in front of the only keyboard in the entire department.
• 1961: password used as password for the first time.
• 1961: First account hacked.
• 1967: Barclays Bank in UK introduces the first ATM (Automated Teller Machine). Initially slated to use 6-digit PINs, but ends up with 4-digit PINs because 6-digits were considered too hard to remember[1].
• 1968: Roger Needham theorizes one-way encryption that will eventually become what's known as "hashing". It becomes a breakthrough that has led us to inventions like BitTorrent and monkey NFTs.
• 1969: The first Man in the Middle is born.
• 1974: Robert Morris introduces salting to hashes to store passwords to make hacking slightly more annoying.
• 1978: Alice and Bob born to separate families in rural Atlanta.
• 1982: First time, someone discovers the best password, and decides to use it everywhere.
• 1983: The movie WarGames released, warning the public about the dangers of weak passwords and chess.
• 1985: Sun Microsystems invents "password shadowing" that moves password hash data that was stored in /etc/passwd to another file, aptly named shadow, in the same directory, so hackers will never find it. Morgan Freeman would later calmly state that hackers, in fact, have found it.
• 1985: Zero-knowledge proofs theorized by a group of unknown people.
• 1989: Tim Berners-Lee invents the World Wide Web. This has made a lot of people very angry, and been widely regarded as a bad move[2].
• 1990: Ron Rivest (the "R" of RSA) releases the hashing algorithm MD4.
• 1991: Gillette releases MD5.
• 1992: First SMS sent.
• 1992: First person left on read.
• 1993: Ari Luotonen at CERN invents HTTP Basic authentication for Web that prevents username and password from being snooped on the network by encoding them in Base64. It relied on the assumption that base64 tool to decode them would take forever to download from Simtel mirrors.
• 1994: The web browser Netscape Navigator introduces encrypted HTTPS (HTTP over SSL) protocol that shows a warning when used, so people can make an informed decision to be secure or not by doing their own research.
• 1997: The small banner that says "this website is secure" is invented. People start hanging it on their web page to make it secure, and for good luck.
• 1998: The first time "1!" added to the end of a password to make it secure.
• 2001: First password requirement of having at least one uppercase letter invented. Suddenly, the popularity of Password surges.
• 2002: Bruce Schneier releases "Password Safe", the first ever password manager. People see no point in storing their only password in a tool.
• 2003: Banks start adopting SMS as a secondary factor for authentication. Hacking becomes a viable career path for a broader audience again.
• 2004: User AzureDiamond boldly types their password hunter2 in an IRC channel only to be surprised to see that it hasn't appeared in all asterisks despite the assurances of the other users.
• 2004: OATH, The Initiative for Open Authentication, founded as an industry-wide collaboration to eliminate passwords completely.
• 2006: 1Password gets founded and instantly becomes the top password manager in alphabetical order.
• 2006: OpenID Foundation founded to eliminate passwords completely.
• 2007: YubiKey founded to eliminate passwords profitably.
• 2008: MySpace hacked. Hackers find everything but users.
• 2008: IETF, Internet Engineering Task Force, accepts OATH's proposal for TOTP (Time-based One Time Password) also known as "constantly changing six digit numbers" which would force the scammers to change their workflow to ask for that code too, adding 2 minutes per scam.
• 2008: MD5 cracked accidentally by a toddler.
• 2010: Google launches Authenticator app to store TOTP 2FA codes in hopes of killing it in five years.
• 2011: Valve's founder Gabe Newell publicly discloses his Steam account password as mollyftw at a public event.
• 2011: Gabe Newell publicly confirms that Steam forums were hacked.
• 2013: FIDO Alliance founded to eliminate passwords completely.
• 2013: Security researcher Troy Hunt releases the online service "Have I Been Pwned?" that checks if your password is in a leaked data set or not, and if not, adds it to the list.
• 2014: FIDO Alliance releases U2F (Universal Second Factor) specification that does not eliminate passwords whatsoever.
• 2017: NIST, National Institute of Standards and Technology, releases Digital Identity Guidelines which suggests that passwords may not actually become more secure when users increase the number at the end every three months.
• 2018: FIDO Alliance and W3C (World Wide Web Consortium) join forces to eliminate passwords completely.
• 2019: The FIDO2 standard gets released. It encompasses technologies like WebAuthn, CTAP, and uses secure public-key cryptography to allow user authentication without using passwords. Since nobody understands that, they propose the term "passkey" instead.
• 2020: Microsoft announces that they intend to make all accounts passwordless. Xbox users typing their password using a Ouija board rejoice.
• 2021: Apple announces their strong support for passkeys, and files a patent immediately for a proprietary alternative that's fully incompatible with Android.
• 2022: First time in history, a WiFi access point gets a strong password but only until Christmas Eve.
• 2023: 1Password releases passkeys.directory website to showcase web sites supporting passkeys, and streamline the adoption.
• 2023: Hackers release passkey.directory website to streamline phishing.
• 2024: Amazon adopts passkeys but decides to keep passwords too as Jeff Bezos doesn't want to abruptly alienate scammers.
• 2024: Person implodes while trying to recover their passkey-secured email account.
• 2025: Troy Hunt, the creator of "Have I Been Pwned?", gets pwned by a phishing email.
• 2025: Still nobody knows what a passkey is.