
It's 2026 and we're still typing passwords :\

The tech to kill passwords has been around for years. Most apps just haven't bothered. And as of April 2026, Apple is still charging $99 a year for the privilege.


Updated · 24 April, 2026

The BBC is now urging UK readers to ditch passwords in favour of passkeys where available. Nice to see the mainstream press catching up to what the platforms have been saying for a couple of years.

You open a new app. Before you can do anything at all, it’s asking you to make an account. Username. Email. Password. Confirm password. Must include a number and a special character. You’ve done this a thousand times.

There’s no real reason it should still be this way. The alternatives have existed for years. Companies know about them. They just haven’t bothered to ship them.


The alternatives

There are three options that are all better than passwords, and they’ve been around long enough that there isn’t much excuse for not knowing about them.

Sign in with Google, Apple, or GitHub is the “Continue with Google” button you see everywhere. You tap it, confirm on the Google side, you’re in. No new account. No new password to remember. Your existing Google security covers the new app automatically. Free to implement via OAuth.

Magic links are often the right answer when OAuth isn’t a fit. You type your email, the app sends you a link, you click it, you’re signed in. Single use, expires in a few minutes, works on any device, asks nothing of the user beyond an email address. For apps where people don’t sign in constantly, or where asking someone to set up a passkey is too much friction for a first time user, magic links are the cleanest option.
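The single-use and expiry properties are what make a magic link safe to email. A server-side sketch of both, added here as an illustration and not taken from any particular app; the URL, the 10 minute lifetime and the in-memory `pending` map (standing in for a database table) are assumptions:

```javascript
const crypto = require('node:crypto');

const TTL_MS = 10 * 60 * 1000; // "a few minutes"; the exact lifetime is an assumption
const pending = new Map();     // sha256(token) -> { email, expiresAt }

// Only the hash is stored, so a leaked table contains no usable links.
const digest = (token) => crypto.createHash('sha256').update(token).digest('hex');

// Issue a link carrying 256 bits of randomness for the given address.
function issueMagicLink(email, now = Date.now()) {
  const token = crypto.randomBytes(32).toString('base64url');
  pending.set(digest(token), { email, expiresAt: now + TTL_MS });
  return `https://app.example/auth/magic?token=${token}`; // hypothetical URL
}

// Redeem a link: returns the email to sign in, or null if it must be refused.
function redeemMagicLink(url, now = Date.now()) {
  const token = new URL(url).searchParams.get('token') || '';
  const key = digest(token);
  const entry = pending.get(key);
  if (!entry) return null;                // unknown token, or already used
  pending.delete(key);                    // single use: burn it before any other check
  if (now > entry.expiresAt) return null; // expired
  return entry.email;
}
```

Deleting the entry before the expiry check means a link can never be presented twice, even if the first attempt was refused.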

Passkeys are the newest and strongest option. Your device generates a cryptographic key tied to that specific site. You authenticate with your fingerprint or your face. The server only holds a public key, so nothing stored there can be stolen in a breach and used to sign in, and because the key is tied to the site, it cannot be phished. Google, Apple, and Microsoft have all built this into their platforms natively.
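Why a site-bound key resists both breaches and phishing, as an added example that is not from the original post. It is a simplified model of a passkey sign-in, not the real WebAuthn wire format: the hostnames are constructed, and matching the key to the exact hostname stands in for the browser's relying-party check.

```javascript
const crypto = require('node:crypto');

// Device side: one key pair per site; private keys never leave the authenticator.
class Authenticator {
  constructor() { this.keys = new Map(); } // hostname -> private key
  register(host) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(host, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // all the server stores
  }
  // `origin` is supplied by the browser, not by the page asking for the sign-in.
  sign(origin, challenge) {
    const privateKey = this.keys.get(new URL(origin).hostname);
    if (!privateKey) return null; // no credential for this host, nothing to sign with
    const clientData = JSON.stringify({ type: 'webauthn.get', challenge, origin });
    return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), privateKey) };
  }
}

// Server side: check the challenge it issued, its own origin, then the signature.
function verifyAssertion(publicKeyPem, expectedOrigin, expectedChallenge, assertion) {
  if (!assertion) return false;
  const { type, challenge, origin } = JSON.parse(assertion.clientData);
  if (type !== 'webauthn.get' || challenge !== expectedChallenge) return false;
  if (origin !== expectedOrigin) return false;
  return crypto.verify('sha256', Buffer.from(assertion.clientData), publicKeyPem, assertion.signature);
}

function demo() {
  const site = 'https://shop.example'; // constructed names throughout
  const device = new Authenticator();
  const storedKey = device.register('shop.example');
  const challenge = crypto.randomBytes(32).toString('base64url');
  const genuine = device.sign(site, challenge);
  // A look-alike page relays the real challenge, but the device holds no key for its host.
  const phished = device.sign('https://shop-example.test', challenge);
  const nextChallenge = crypto.randomBytes(32).toString('base64url');
  return {
    genuine: verifyAssertion(storedKey, site, challenge, genuine),
    phished: verifyAssertion(storedKey, site, challenge, phished),
    replayed: verifyAssertion(storedKey, site, nextChallenge, genuine), // old assertion, new challenge
  };
}
```

The only value the server keeps is `storedKey`, a public key, which verifies signatures but cannot produce them.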


The numbers

87% of organizations still use password based auth for their customer facing apps. Only 2% of them believe passwords effectively balance security and UX. The people building these systems don’t even believe in what they’re shipping.

Password reset requests are responsible for somewhere between 30 and 50% of IT support tickets at large enterprises. That’s a huge chunk of an entire team’s workload, just helping people who forgot their password.

Since the start of 2025, over 16 billion passwords have been exposed in breaches. That is more than the entire human population of the planet.


The big platforms already moved on

Google reports that passkey users are four times more successful at signing in than password users. TikTok saw a 97% sign in success rate after the switch.

Microsoft made all new accounts passwordless by default in May 2025. New users never have to enroll a password, and passkey sign ins are eight times faster than a password plus MFA.

Apple introduced a new account creation API at WWDC25 that lets users sign up with a passkey from day one, with background upgrades for existing accounts.


Apple’s hypocrisy

Apple deserves credit for pushing passkeys. They also deserve criticism for something that undermines the whole pitch.

To implement “Sign in with Apple” on your app or website, you have to have an active Apple Developer Program membership. As of April 2026, that costs $99 USD per year. Not a one time fee. Every year, or your implementation stops working. This might change in future, but right now it’s still the price of entry.

Implementing “Sign in with Google” is free. GitHub OAuth is free. Discord OAuth is free. Apple is the only major platform charging a recurring toll to put their own login button on your site.

Small projects, indie devs, free tools, open source stuff, they either pay every year or they skip Sign in with Apple entirely. And when they skip it, the iPhone users visiting their app get pushed back into creating a password. Which is the exact outcome Apple says it wants to prevent.


The SSO tax

There’s a site called sso.tax that documents the corporate version of this same problem. Its tagline: “Security shouldn’t be a premium feature.”

SSO is often only offered as part of an “Enterprise” plan, bundled with a huge minimum seat count or a bunch of features the company doesn’t need. A lot of vendors charge 2x, 3x, even 4x the base price for SSO access, which disincentivizes using it and nudges people toward worse security practices.

A few examples from the site, as of April 2026 (these numbers shift over time, so check the site for current pricing):

| Vendor | Base plan | SSO plan | Increase |
| --- | --- | --- | --- |
| Airtable | $10/user/month | $60/user/month | 500% |
| Figma | $12/user/month | $45/user/month | 275% |
| Canva | $10/user/month | $40/user/month | 300% |
| Front | $19/user/month | $99/user/month | 421% |
| Appsmith | $15/user/month | $2,500 flat | 16,567% |

Ed Contreras, CISO at Frost Bank, called the SSO tax “an atrocity.” Security infrastructure is too important to be priced like a luxury add on.


Why it’s still happening

A March 2026 HYPR report found that 76% of organizations still rely on legacy passwords as their primary auth method. Only 43% have deployed any passwordless authentication, and most of them have only rolled it out to less than half their workforce.

The reason is almost always the same. Authentication touches old systems, multiple teams, legacy vendor contracts, and compliance sign offs. No one person fully owns it, so no one person fully fixes it.

That’s a real constraint, but it’s not a good enough reason to keep doing nothing.

And honestly the thing that gets me the most is watching my parents deal with their employer’s systems. Both of them still get forced to reset their workspace password every 2 months, with a rule that the new password cannot match any of the last 6. Like, what? The only plausible way anyone is getting through that rule is by adding 123 to the end, then 1234 two months later, then 12345 after that. That’s not security. That’s a checkbox someone ticked in a compliance meeting in 2009 that nobody has questioned since. And because it’s been done like this, the new person just learns this as the “best practices”.


Final thought

The tech is ready. The developer docs are free. The big platforms have moved. What’s left is the organizational will to actually ship it, and in Apple’s case, to stop charging $99 a year to let developers put a button on their website.

