Data security: With passkeys replacing passwords, are we giving up human consent in return for convenience?

Every morning, Sampada Joshi unlocks her laptop by typing a wish. “Using aspirational sequences like ‘Paris#2026’ or ‘Senior@Manager’ as passwords is my way of manifesting and tricking the brain into focus before the inbox takes over,” the 31-year-old, Bengaluru-based category manager says of her ritual.

In the pre-internet era, passwords used to be simple watchwords. As the internet exploded in the 2000s, it became a timeline of our lives. For a Bengaluru-based marketing leader, Prateek Kole, 38, early codes were guarded by his crush’s name. Sanskriti Verma, 27, a content creator from Gurugram, effectively froze her adolescence in text fields through Selena Gomez-themed logins. “Far from being random data, a password serves as a confession of what and who matters most in the moment we create it,” says Mithun Kulkarni, 35, an employer branding leader in Bengaluru.

A heavy iron key used to be the literal, pocket-weighing guarantor of safety. It was difficult to open doors, because it was understood that if a door opened effortlessly for us, it would open just as easily for an intruder. To guard something meant building deliberate friction as a mechanism of trust. Online, that friction became the login password. Ownership has always been an act of knowledge: a conscious secret anchored in your mind, impossible to silently steal, and entirely yours to change. One could forget their password, but in that case, there was the helpful “forgot password” prompt. But that era seems to be drawing to an end.

With Google logging over a billion passkey uses and the FIDO Alliance (an open industry association that promotes authentication standards other than passwords) predicting a password-less web by 2026, we are trading a personal approach to authentication for invisible, impersonal security. Driven by biometrics and cryptography, data protection is marching towards the safer, frictionless convenience of devices that simply unlock in our presence.

As the internet scaled up, security mutated into a complex bureaucracy of password norms. For a successful password, one needed to have at least one uppercase word, one number, one special character, and perhaps the hair of a werewolf plucked on a full-moon night! To cope, people attempted to remember the passwords by writing them down—in sticky notes and little black books—and reused words across platforms. People shared passwords with loved ones—what is the shared Netflix password but modern love language?

Many people in an older demographic—those over the age of 55, say—maintain dog-eared diaries, meticulously writing down every login, and treat a forced password reset with the same gravity as misplacing a property deed. “Over time, I have trained my parents to set unusual passwords besides names and birthdates,” Joshi says.

But remembering complex alphanumeric combinations can eventually become exhausting. Shubham Girdhar, a 33-year-old, Delhi-born marketing manager, started his digital life with a simple combination. “After finding my credentials exposed on haveibeenpwned.com, I outsourced my memory entirely to a password manager,” he says.

Kulkarni also points to the tyranny of corporate security policies. When enterprise passwords rotate every month, muscle memory fails. “After a week off, your own work laptop becomes a stranger,” he says. “Auto-logins have made my memory poorer. Over time, passwords will become just like CDs and cassettes, a part of our nostalgia,” says Verma, the Gurugram-based content creator.

Modern cybersecurity is nothing if not coldly pragmatic. “There is no romance here,” says Akhilesh Bhamburkar, a Nagpur-based 32-year-old IT security professional. “It’s just a system designed to do one job. Passwords fail because they rely on a flawed premise: the shared secret. If you know it, and the server knows it, a database breach means your secret is spilt,” he adds.

Bhamburkar likens the shift to passkeys to buying a home appliance. “Innovation helps us do things faster and better, but removing responsibility is also a driving factor. Don't want to wash clothes yourself? Here's a washing machine. Don't want to manage security? Here are passkeys.”

Ashish Mahadwar, a board member at the digital security firm FortyTwoLabs in Pune, views passwords as a relic. According to him, multi-factor authentication (MFA) and OTPs merely layered proof atop a broken foundation. “As quantum computing looms, static credentials won't survive. Passkeys fix this by fundamentally changing the architecture. They are safer because they are phishing-resistant, immune to server data breaches, and eliminate risks from weak or reused passwords. We are shifting from identity by knowledge to identity by presence,” he says.

Yet, as authentication becomes invisible, we risk losing something vital: the moment of consent. Because typing a password forced a pause. “There’s something undeniably seductive about invisible security. But just as the shift from handing over physical cash to UPI removes the mindful weight of spending, invisible authentication erases the conscious pause of entry. Every time you typed a password, you were deliberately crossing a threshold. That’s a form of active consent,” says Deepankur Agrawal, 39, a Pune-based cybersecurity professional. “When that moment disappears, the consent disappears with it and systems begin authorising on our behalf.” This seamlessness can breed a dangerous complacency based on blind trust in automation. As security retreats into the shadows, our digital agency erodes—this leaves ownership and safety of personal data a hostage to platforms whose terms can change overnight.

Moreover, are we creating a legacy problem in order to solve a security problem? Because a shift to “identity-by-presence” also introduces a complication: what happens when the person dies? Biometrics may make access smoother, but death raises messy questions of digital inheritance. Especially when data recovery pathways are now dictated by platform design rather than personal agency. When digital ownership is bound to biology, the vault permanently seals shut the moment the body is gone.

We are navigating an increasingly frictionless world, leaving behind our messy, poetic, human input. We once spent hours perfecting our signatures to represent exactly who we were, only to now press our thumbs, adjust our faces, and breeze through systems without a second thought.

Shalaka Kulkarni (@shalakulkarni) is a Bengaluru-based author who writes at the intersection of culture and technology.