The password's core flaw is structural: it's a shared secret. You know it, the server knows it, and anything two parties both know can be stolen, phished, guessed, or leaked in a breach. Passwordless authentication attacks the flaw at the root by getting rid of the shared secret entirely.
Two granted patents show how. IDMelon's US12335255B1, "Systems and methods for secure user authentication with passkeys on shared computing devices" (issued June 17, 2025; CPC H04L 63/083 — password/key-based authentication), tackles passkeys in the awkward case of a device many people use. Ping Identity's US12321437B2, "Method and apparatus for secure authentication based on proximity" (issued June 3, 2025; CPC G06F 21/35), describes authenticating using the physical nearness of a trusted device. Read them at US12335255B1 and US12321437B2.
The mechanism is public-key cryptography in place of a shared secret. A passkey is a key pair: a private key that never leaves your device and a public key the service stores. To log in, the service sends a challenge, your device signs it with the private key, and the service verifies the signature with the public key. The private key is never transmitted, so there's nothing to phish and nothing useful in a server breach. The IDMelon grant addresses how to do this on a shared computer (where the device isn't your personal phone), and Ping's proximity grant uses the presence of a trusted device as a factor: your phone being near the terminal.
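The challenge-response flow described above, as an added example that is not taken from either patent or from any vendor's code. It is a simplified model rather than the WebAuthn wire format: the origin field mirrors the origin binding WebAuthn performs, and the user name, origins, and function names are constructed for illustration.

```javascript
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');
// Added example (simplified, hypothetical names; not the WebAuthn wire format).
// Device side: the key pair is generated on the device; only the public key is exported.
function createAuthenticator() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return {
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
    // Sign the challenge together with the origin the client is connected to.
    signAssertion(challenge, origin) {
      const clientData = JSON.stringify({ challenge, origin });
      return { clientData, signature: sign('sha256', Buffer.from(clientData), privateKey) };
    },
  };
}

// Service side: stores public keys only and tracks one outstanding challenge per user.
function createService(expectedOrigin) {
  const publicKeys = new Map(); // user -> PEM public key, nothing secret
  const pending = new Map();    // user -> one-time challenge
  return {
    register(user, publicKeyPem) { publicKeys.set(user, publicKeyPem); },
    issueChallenge(user) {
      const challenge = randomBytes(32).toString('hex');
      pending.set(user, challenge);
      return challenge;
    },
    verifyAssertion(user, { clientData, signature }) {
      const expected = pending.get(user), pem = publicKeys.get(user);
      pending.delete(user); // single use, so a captured assertion cannot be replayed
      if (!expected || !pem) return false;
      let data;
      try { data = JSON.parse(clientData); } catch { return false; }
      if (!data || data.challenge !== expected || data.origin !== expectedOrigin) return false;
      return verify('sha256', Buffer.from(clientData), pem, signature);
    },
  };
}

// Constructed demo: the user name and both origins are placeholders.
function demo() {
  const service = createService('https://login.example');
  const device = createAuthenticator();
  service.register('alice', device.publicKeyPem);
  const first = device.signAssertion(service.issueChallenge('alice'), 'https://login.example');
  const legit = service.verifyAssertion('alice', first);
  service.issueChallenge('alice');
  const replayed = service.verifyAssertion('alice', first); // stale challenge
  const other = device.signAssertion(service.issueChallenge('alice'), 'https://lookalike.example');
  return { legit, replayed, wrongOrigin: service.verifyAssertion('alice', other) };
}
```

Calling `demo()` returns `legit: true` with `replayed` and `wrongOrigin` both `false`: the service accepts only a fresh signature over its own challenge and its own origin, and holds nothing but the public key.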
One analogy, then gone: a password is like telling the guard a secret word, and anyone who overhears it can use it. A passkey is like a signet ring that stamps a unique, unforgeable seal on each request. The guard checks the seal against your registered crest; the ring never leaves your hand, and nothing an attacker overhears helps them.
Why this is a business story: passwordless is one of the clearest growth narratives in identity. Phishing and credential theft drive a huge share of breaches, and passkeys structurally remove that attack class — which makes them an easy sell to security buyers and regulators alike. Industry standards (FIDO2/WebAuthn) gave the technology a common rail, and now the competition is in the edges: shared devices, proximity factors, recovery flows. Grants like these stake out those edges, which is where identity vendors differentiate.
The grounded takeaway: passwordless replaces a stealable shared secret with a device-held key pair, and the live competition is in the hard cases — shared machines, proximity, recovery. When an identity vendor pitches "passwordless," the questions that matter are how the private key is protected and how the awkward cases are handled. These two grants name two of those cases directly.