GENESIS 0222026.07.03
Why Passwords
Are Broken
The end of "something you know." Why passwords fail and what post-password authentication looks like in 2026.
The Password Problem
Passwords are the weakest link in digital security. 80% of all data breaches involve compromised or weak passwords (Verizon DBIR 2025). The average user manages 100+ passwords across services — an impossible cognitive load that leads to password reuse, weak credentials, and phishing susceptibility.
Four structural flaws make passwords fundamentally broken:
1. Shared secrets: the server stores a copy of your password (hashed or not). Every database becomes a target. If the server is breached, your password is exposed.
2. Human memorability: strong passwords are hard to remember. Memorable passwords are weak. The tension between security and usability is unsolvable within the password model.
3. Phishing surface: passwords are bearer tokens. Anyone who knows the string can impersonate you. A convincing fake login page extracts the secret directly.
4. No cryptographic binding: a password proves you know a string, not that you are you. There is no binding between the credential and the human presenting it.
These are not implementation flaws. They are architectural flaws. Passwords cannot be fixed — they must be replaced.
The Rise of Passkeys — FIDO2 and WebAuthn
Passkeys are the W3C/FIDO Alliance standard for passwordless authentication, built on public-key cryptography. Instead of a shared secret, a passkey generates a key pair: a private key that stays on your device (secured by biometrics or PIN), and a public key registered with the service.
How it works:
1. Registration: your device creates a unique key pair for each service. The public key is sent to the service. The private key never leaves your device.
2. Authentication: the service sends a challenge. Your device signs it with the private key (unlocked by your fingerprint, face, or PIN). The service verifies the signature against the stored public key.
3. No shared secrets: the service never sees your private key. A breach of the service's database reveals only public keys — useless to an attacker.
4. Phishing-resistant: the browser enforces origin binding. Your device will only sign a challenge from the real service domain. A fake login page cannot intercept the credential.
Major platforms — Apple, Google, Microsoft — now support passkeys natively. In 2026, passkey adoption has crossed 50% of consumer services and is the default authentication method for new applications.
Beyond Passkeys — What Still Needs Solving
Passkeys solve the credential problem. But authentication is only one layer of identity. Three gaps remain:
1. Continuity: a passkey proves a device is present. It does not prove the same human is behind the device. Session hijacking, device sharing, and coercion remain unsolved.
2. Recovery: losing all enrolled devices means losing access to all passkey-protected accounts. Recovery mechanisms (email codes, social recovery) reintroduce the weak-link problem passkeys aimed to eliminate.
3. Portable identity: passkeys are per-service. Your identity at Service A has no connection to your identity at Service B. There is no cross-service reputation, no portable trust, no sovereign identity layer.
MyShape Protocol addresses these gaps: motion-signature verification for continuity (proving the same human is present), zero-knowledge proofs for privacy-preserving verification, and a sovereign identity mesh that spans services without central authority. Passkeys authenticate the device. Motion-signature authenticates the human.
Continue Reading