I tried ditching passwords, but the alternatives got complicated

Between Google’s new Verified Email feature and passkeys for a passwordless reality, your account authentication is supposed to work seamlessly without requiring you to remember a hundred passwords. While Passkeys replace passwords, Verified Email is Google’s way of eliminating the OTP verification loop. I’ve always been excited about the idea of ditching those complex passwords, even though they are generated by my password manager, and multiple authentication steps. With so many options around to make passwordlessness a reality, I thought of giving it a shot.

On paper, it should have worked beautifully, making account logins simpler and almost single-tap. While the technology itself is quite impressive, I found the user experience to be much more fragmented than I would like it to be. That inconsistency literally threw my little experiment off the tracks — and I’ll tell you how.

We’re in 2026, and people are still reusing a single password everywhere. Even if you look around among your family and friends, you will notice that password managers are still only a thing among the more technically inclined, but tech companies somehow overlook that ground reality.

Whenever Google or Apple makes products to simplify sign-ins, they assume that users are already using a password manager and creating unique passwords for each of their accounts. They also presume a perfect understanding of multi-factor authentication. At least in my part of the world, the second factor of authentication is actually forced upon people with something as basic as SMS OTPs by the central bank to keep users safe from fraud.

In an ideal world, you’d be using a password manager with unique passwords for each of your accounts or have set up passkeys, two-factor authentication would be enabled (ideally with a dedicated TOTP app), and you’d use device approvals or, even better, a physical security key (like YubiKey) to authenticate yourself.

If that doesn’t sound like too much to you, congratulations, you are part of the chosen few. But for everyone else, a single reused password still wins because of just one factor: predictability. Reusing passwords may not be secure, but it just works everywhere.

It’s quite literally a chore to enter your email ID, then your unique password, and then go to your email app to verify your email or use a third-party security app to retrieve a TOTP and punch it in to sign into an app. It’s the most secure way of managing your accounts, but it’s also quite tedious, despite the presence of password managers. The moment I hear about a passwordless reality or a company coming up with a way to eliminate second-factor authentication without compromising security, I get excited to test it out.

But I think I am creating some sort of record for getting disappointed every time I try to go passwordless.

This time, I switched my primary Google account from the regular email-and-password setup to a passkey. I ensure that I use my third-party password manager of choice, Enpass, rather than Google’s own built-in password manager to avoid platform lock-in. Well, the entire process seems fresh when coming from a regular password setup, but I quickly realized that I was going through almost the same number of authentication steps with or without a password. Passkeys claim to replace remembering a password, but I anyway don’t remember mine, except for the single master password for my password manager.

What really threw me off came while trying to log into my Microsoft account. Every single time I tried to sign in (or not!), Microsoft pushed me to create a passkey. The prompt would automatically open my password manager and start the passkey setup flow even though I had no intention of creating one for that account. When I finally decided to just get it over with and set up the passkey once and for all, it still threw the same old OTP verification screen at me anyway.

That led me to wonder what exactly had been simplified here.

Passkeys don’t replace additional authentication steps, which desperately need to smarten up. Google introduced Verified Email to tackle exactly that. It uses Android’s Credential Manager API to bypass the email verification process, so you don’t have to leave the app page, go to your email app, copy the OTP, and then paste it back into the app’s signup page. Exactly what I was looking for — but it leaves a bunch of “buts” hanging.

As expected, it requires a Gmail account, so it’s not quite universal. When I dug into the fine print of the announcement, I noticed that it wouldn’t work with the “Sign in with Google” feature. In that case, your personal Google account may still need second-factor authentication in the traditional way. Again, ironically, since the authentication is tied to the device, the feature isn’t cross-device either. Going by the workflow Google explained, if you already have an existing account on an app with second-factor authentication in place, this just wouldn’t work for you. There is no option to accommodate existing accounts.

Frankly speaking, I found it tough to wrap my head around all these checks and conditions — there were just too many fragmented pieces for anyone to put together. Every company is trying to make the process convenient in its own way, but none of them is comprehensive or omnipresent. I can now at last understand why people haven’t jumped on the passkey bandwagon and have stuck to reusing passwords.

Every single system that currently exists around the concept of passwordlessness actually requires users to grasp more about authentication, not less. That is quite literally the opposite of what mainstream adoption needs.

After my little experiment, I walked away with quite a few realizations. On the more positive side, I learned that the technology itself already exists for us to go passwordless even today. That isn’t the big challenge anymore. The bigger requirement right now is to make authentication disappear into the background. It needs to work not for the ideal customer who already uses a password manager, but for those individuals at the other end of the spectrum who still rely on a single password for everything in their lives.

To convince those users, big tech will have to offer a solution that is equally convenient and consistent. That means consolidating a million ways of performing second-factor authentication while accounting for edge cases like fallbacks during failures without leaving the users confused. Google’s new Verified Email feature and passkeys solve parts of those problems, but they do it individually, not as a cohesive system.

The FIDO Alliance exists for this very task, but what it has offered so far feels like a fragmented mishmash that most end users don’t want to deal with. Passwords survived so long in the tech industry because people could understand them instinctively. The consortium will have to do the same for passkeys and second-factor authentication without Google and Apple pushing users into their own ecosystems. The universality of an end-to-end system is critical for widespread adoption.

And Google is uniquely positioned to pioneer passwordless authentication simply because of the massive scale of Android across the globe. It caters to every segment across the spectrum and actually reaches the users who have so far been averse to using password managers. If any company can make passwordless authentication mainstream, it has to be Google.

The ball is in your court now, Google.