It Didn't Ask. It Already Knew.
Why one reluctant insider's account of identity without passwords matters more than you think
This is part two of a response to a question Samara McIlroy recently asked. Check here for part one.
I’m currently working on what the insights/directions, theory & math of a system without passwords might look like. Check it out if you’re interested in seeing a more technical treatment of the subject.
I still remember how annoying it was to have to enter a PIN to unlock my phone.
Every. Single. Time.
Having to unlock it to check an email. Having to unlock it to read a text. Having it lock back up again if someone interrupted you or you got distracted for more than a few seconds.
But I understood why it worked that way.
The phone didn’t know me. And it didn’t know when I’d be back. So it asked.
A lot.
At the time it just felt like friction.
I’m not sure that’s all it was.
I’d been on the committee at work that decided to pilot it.
A security system without passwords.
Yup. My eyebrows had raised when I heard it too.
I’d been “done” with the old credentialing system for a while now. Wanting to try something new was the easy part. The part that I hadn’t quite figured out was whether this system would be better or just different.
I’d been on the committee at work that made the decision. I’d read the documentation, sat through the debates, heard the objections. I knew how it worked. At least I knew how it was supposed to work. I’d voted for it. I’d helped write the rollout memo.
It still wanted the password. Of course it did. It needed somewhere to start. I typed it in and thought, “great, same as before”. I sighed. “There’ll be some slow patches at first”, we’d told everyone. “Just give it some time.”
This was the first morning after the rollout. I picked up my phone. It wasn’t locked.
Still in the same place on the nightstand where I’d left it. Still connected to the home network. Picked up at the usual time. I answered a text and opened my Spotify list to listen to a little Starboy (yeah, yeah, I know) while I brushed my teeth.
All the usual patterns.
It had decided, without asking me, that everything was fine.
I sat there for a moment before I checked my email.
I knew how it worked but it didn’t make it feel any less strange.
From the technical documentation: The system maintains a running confidence estimate over identity hypotheses. At rest, with no change in environmental signals, the estimate does not decay. The system does not observe content — messages, browsing history, communications — at any point. It observes only the shape of presence: network, timing, location pattern, device state. It cannot tell you what a person did. It can only tell you whether this morning looks like mornings usually look.
I was making coffee and burning some toast when my wife walked in.
She picked up my phone and started snooping.
She does this sometimes and I don’t mind. Kind of like it to be honest. Just the casual intimacy of a shared life with someone you trust.
The phone didn’t mind either. Notifications visible. Music playable. The Weeknd quickly turned to something “better”.
I watched her from across the kitchen. When she reached for something deeper, when she tried to open an app that I only used for work, she got resistance. Not a lock. Not a rejection. More like a door that only opened partway and then held, politely, at the threshold of what was mine alone.
She shrugged, set it back on the table, and looked at me. “I don’t know how I feel about not having to type a PIN in anymore.”
I nodded. I knew what she meant. The PIN was annoying. But it was something else too. It was a small, explicit agreement between you and the phone that the two of you were strangers. At least until you entered the PIN. But this thing… it just proceeded. It had already decided.
“How does it know the difference?” she asked. “Between me and you?”
“It notices things”, I said. “The way you hold it. Your patterns. The fact that you’re on the same network but your history is different than mine.”
She looked at me for a moment. “So it was watching me.”
I didn’t have a great answer for that. “It noticed”, I said again, which really didn’t seem any different.
She kissed me and left the room. I picked up the phone. The deeper things were available again.
I sat there thinking about what she’d said. It was watching me. She wasn’t wrong. I’d read the documentation. I knew the distinction the system drew between observation and surveillance. I believed it, mostly. But I hadn’t been able to explain it in a way that would have satisfied her. And I wasn’t entirely sure that it would have satisfied me either if I hadn’t read the documentation.
Some months later she’d been doing some estate planning paperwork for us. She’d looked up, pencil in hand, slightly distracted.
“Hm. If more companies pick this up, the kids won’t need our passwords to get into the bank account after we’re gone.”
She went back to the paperwork.
I’d never put that detail in the memo.
From the technical documentation: Interaction patterns — grip, rhythm, pace, the small behavioral particulars that distinguish one person’s handling from another’s — are treated as evidence, not surveillance. The system holds no list of approved users and no explicit rule about who may access what. It only knows that some patterns match a long, coherent history, and others match a long, coherent relationship. Both are different, with different permissions, earned over time. The system does not decide who belongs in your life. It observes who already does.
After a jog and a quick shower I was at my desk. Time to log in.
Old system: username, password, authenticator app, wait for the code, type it before it expires. Get it wrong. Get it wrong again. Curse. Start over.
New system: a brief pause and… that’s it. Nothing else. Just a brief pause while it checked whether the confidence level was high enough for what I was about to do. It was. I was in.
The pause was maybe half a second. I only noticed it because I was watching for it. A few weeks later I stopped noticing entirely.
I sat there for a moment after it let me in.
I knew what had happened in the pause. I’d read the technical documentation. I’d helped write the policy that governed it. The system had taken everything it had observed since I woke up (the network, the device, the timing, the morning’s accumulated ordinary behavior) and decided it was already certain enough for this. There was no reason to ask because it had already been paying attention.
That should have felt like a vindication. I’d argued for this in three separate committee meetings.
Mostly it felt like it knew more about me and my mornings than I’d consciously registered. Which was the point. Which is what I’d voted for. I still wasn’t sure exactly how I felt about it.
The old system had been a locked door with a key I carried. I knew where the key was. I knew when I’d used it. This was something else. It was a door that decided on its own whether or not to open… and for reasons I understood in principle but couldn’t see in the moment.
I opened my email and got to work.
I told myself the unease would fade. And it did, mostly. But mostly isn’t the same as entirely.
Three months later I was out of town on a business trip.
New city. Hotel WiFi. Laptop I didn’t usually travel with.
I want to be honest about what I was expecting.
I was expecting friction. I’d helped design the fallback protocols for exactly this scenario: unfamiliar network, unfamiliar device, significant context shift. I knew what the system was supposed to do. I was half prepared to have to use the fallback. Half prepared, if I’m honest, to be a little relieved if I did. At least that would have felt familiar. At least I’d have known what it was checking.
Instead, a brief pause. Slightly longer than usual. And then I was in.
I sat with that for a moment.
I found out later that it had flagged the session. Elevated uncertainty, the logs said. It had noticed that several things had shifted simultaneously: network, location pattern, device. But it didn’t lock me out. It just… watched more carefully. A few actions that required extra confirmation. Nothing dramatic. The system was telling me, quietly, that it wasn’t quite sure, and it needed to be proportionally more careful.
Over the next few hours the picture clarified. Familiar contacts. Familiar work patterns. A video call with people the system had seen me talk to hundreds of times. The uncertainty resolved. By evening, confidence had returned to normal.
At no point did I have to prove anything.
I closed the laptop that night and sat in the hotel room for a while.
Here is what I couldn’t shake: it had been right. Right about me. Right about this specific trip. Right about this specific pattern. Right about what this particular disruption meant in the context of this particular life. It had read the situation accurately without being told what the situation was.
I knew how it had been done. I could have drawn you a diagram. I'd presented it in committee. Pattern matching, signal accumulation, Bayesian inference over behavioral history. Not cognition. Not understanding. Just math that had gotten very good at looking like understanding.
And yet.
Sitting in the hotel room, I didn’t feel like I’d been identified by a well-designed algorithm. I felt like the system had just known me well enough to leave me alone.
Then the other thought arrived, the one I’d been half expecting since we’d started the rollout. This is just surveillance with better branding. You don’t track location, you track presence patterns. You don’t read messages, you read behavioral signals. You’re describing the same thing with different words and calling it a distinction.
I know how the answer sounds coming from someone who voted for it. I’m aware of that.
But here’s what I kept coming back to. There’s a difference between a system that observes a shape and one that records what made the shape. The system noticed that my pattern of presence had changed; multiple familiar anchors shifting simultaneously. That observation was consumed by the inference. It updated the posterior and moved on. It didn’t store where I was. It didn’t log who I met. It didn’t build a record that could later be subpoenaed or breached or sold. Those things are gone because they were never kept. Not because the system chose not to keep them. Because the architecture doesn’t produce them.
That’s not a semantic distinction. It’s a structural one. It’s the kind of claim that can be audited. And it’s the kind of claim that can either sound reassuring or be the beginning of a much more difficult conversation; depending on who’s doing the auditing of course.
That conversation is coming. I’m not ready for it tonight.
I turned off the light and lay there thinking about the difference.
Did it matter? I didn’t know. I still don’t.
From the technical documentation: The system does not record raw location data, communication content, or behavioral logs. Signal shapes are consumed during inference and are not stored in reconstructible form. What the system retains is the updated confidence estimate — not the evidence that produced it. This means the system cannot tell you where a subject was, who they met, or what they did. It can only tell you whether the current picture is coherent with prior history. The absence of a stored record is not a policy choice. It is an architectural consequence. It can be verified through audit of the inference pipeline.
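A minimal sketch of the mechanism this excerpt describes, added here as an illustration and not taken from the system or its documentation: a log-odds Bayesian update that retains only the running estimate and discards each signal once it has been consumed. The signal names, likelihood ratios, action thresholds and the clamp are constructed assumptions.

```python
import math
from dataclasses import dataclass

# Constructed likelihood ratios P(signal | owner) / P(signal | someone else).
# Illustrative assumptions only; the page gives no numbers.
LIKELIHOOD_RATIO = {
    "home_network": 8.0,
    "usual_wake_time": 3.0,
    "known_device": 6.0,
    "familiar_contacts": 5.0,
    "unfamiliar_network": 0.4,
    "unfamiliar_device": 0.3,
    "new_location_pattern": 0.5,
}

# Hypothetical minimum confidence required per action tier.
THRESHOLDS = {"notifications": 0.50, "email": 0.85, "work_app": 0.99}

# Assumed clamp on |log-odds| so a long history cannot mask a real shift.
CAP = 8.0


@dataclass
class IdentityEstimate:
    log_odds: float = 0.0  # the only retained state (prior = 0.5)

    def observe(self, signal: str) -> None:
        """Consume one signal shape: update the posterior, keep nothing else."""
        updated = self.log_odds + math.log(LIKELIHOOD_RATIO[signal])
        self.log_odds = max(-CAP, min(CAP, updated))
        # No observation means no call here, so the estimate does not decay at rest.

    @property
    def confidence(self) -> float:
        return 1.0 / (1.0 + math.exp(-self.log_odds))

    def decide(self, action: str) -> str:
        """Proportional response: allow, or ask for extra confirmation."""
        return "allow" if self.confidence >= THRESHOLDS[action] else "step_up"


def run_scenario():
    """Replay a constructed day: home morning, hotel arrival, familiar calls."""
    est = IdentityEstimate()
    stages = {
        "morning_at_home": ["home_network", "usual_wake_time", "known_device"],
        "hotel_arrival": ["unfamiliar_network", "unfamiliar_device",
                          "new_location_pattern"],
        "evening_after_calls": ["familiar_contacts", "familiar_contacts"],
    }
    report = {}
    for stage, signals in stages.items():
        for signal in signals:
            est.observe(signal)
        report[stage] = (round(est.confidence, 4),
                         est.decide("email"), est.decide("work_app"))
    return est, report


if __name__ == "__main__":
    est, report = run_scenario()
    for stage, row in report.items():
        print(stage, row)
    # An audit of retained state finds one number and no signal history.
    print("retained state:", vars(est))
```
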
Marcus had been on the project with me from the beginning. He was the one who’d pushed hardest on the edge cases; the scenarios the rest of us wanted to push to a later version. He had a gift for finding the places where a system that worked beautifully in normal conditions would fail the people who needed it most.
He’d asked me once, maybe six months in: “But what if someone actually changed? Not travel. Something big. A health crisis. A breakdown. A year that rewired them completely.”
I’d given him the technical answer. Authorized discontinuity pathways. Governed patience. The system shifts into a different mode. It becomes more careful, more watchful, but still oriented toward the person rather than against them. It waits for a new pattern to emerge rather than demanding the old one return.
He’d nodded slowly, the way he did when he wasn’t quite satisfied but was willing to move on.
Three months later he had a stroke.
I found out on a Tuesday morning. I sat at my desk for a long time before I opened my email.
His recovery was slow. I visited when I could. We didn’t talk about the project much. It didn’t seem like the right thing to talk about. But I watched, from a distance, what the system did.
It didn’t lock him out. It entered what we’d called in the documentation a period of governed patience. It was more careful, more watchful, waiting for coherence to re-emerge. His wife had access to what she needed. The things that needed handling got handled.
From the outside, it looked like exactly what we’d designed it to be.
About a year into his recovery, when he was mostly back, I asked him. I’d been turning it over for months and I needed to know. Not just as his friend. As someone who’d helped build the thing that had been quietly watching him relearn how to be himself.
He was quiet for a moment.
“It was fine”, he said. “Everything worked out.”
He’d said it the way you’d say something when it was true but the answer was more complicated than the conversation called for.
I didn’t push. But I thought about it on the drive home. It was fine. The system had done what it was supposed to do. His wife had what she needed. The documentation would have called it a success.
And Marcus, who’d pushed harder than anyone else on the edge cases, who’d asked the right question six months before it became personal, had looked at me and said: it was fine.
I believed him. I also heard everything he hadn’t said.
A few months after I got back from the trip I got a notification I didn’t quite understand at first.
I read it twice. Then a third time.
Someone had shown up with enough of my information to get through the surface layer. Easy stuff. The kind of thing that leaks in data breaches and lives on the dark web. It’d looked plausible enough, briefly. And then it hadn’t. Signals that should have reinforced each other hadn’t. Patterns that should have been familiar weren’t. The picture hadn’t held together the way a real accumulated history holds together.
Access had been quietly restricted while that played out. By the time I read the notification, it was over.
I sat at my desk for a while.
Someone had tried to become me. They’d had enough of my information to make a reasonable attempt. And the whole thing had happened, been noticed, been contained, been resolved while I was apparently doing something else entirely. I couldn’t even remember what. Something ordinary. The system had defended me while I was making coffee or answering an email or staring out the window.
I hadn’t been there.
That’s the part I kept turning over. With the old system I would have been the protagonist of that story whether I wanted to or not. Frantic notifications. Locked accounts. Verify your identity. Prove yourself. Horrible and disruptive and exhausting. But mine. My emergency to manage. My story to experience.
It had been handled without me.
I thought about Marcus saying it was fine. I thought about my wife: so it was watching me. I thought about sitting in that hotel room in the dark, turning over whether it mattered that the system had been right.
And then I thought: it caught something I wouldn’t have caught. Not because I wasn’t paying attention. Because I couldn’t have been. No one can maintain that kind of attention to their own digital life. That’s exactly why the old system kept failing.
It wasn’t a comfortable thought. But it was an honest one.
I noticed, somewhere in there, that something had shifted. Not trust exactly. I wasn’t ready to call it that. But the active resistance had loosened a little. The system had done something that was unambiguously, uncomplicatedly good. And it had done it quietly, without asking anything of me, without making me perform my own identity under pressure.
I filed the notification and got back to work.
I didn’t stop thinking about it for the rest of the day.
A month later I left my phone in a cab.
I didn’t realize for almost two hours. I was in back-to-back meetings, and when I finally reached for it, it wasn’t there. I felt the familiar lurch. The panic of losing a device that knows everything about you.
I borrowed a phone and tried to remember what I was supposed to do. With the old system I’d have been racing to remote wipe it before someone got through the PIN. A narrow window between losing it and losing everything.
This time I just... reported it missing. That was it. No emergency. No race.
I found out later what had happened on the phone’s end. It had gone quiet. No familiar network. No familiar behavioral patterns. No reconnection to the contacts and contexts that usually surrounded it. After a while confidence had dropped below the threshold for sensitive actions. It hadn’t been wiped. It had been quieted. Waiting, in a sense. To see what happened next.
And what happened next was… nothing. Nobody picked it up and started trying to be me. The story just... stopped. An interrupted sentence.
I got a replacement two days later. That was the part I’d been dreading without quite admitting it to myself. It was the part where the new system would look at a new device with no history and treat me like a stranger. Where I’d have to start over. Where the accumulated months of ordinary mornings and work patterns and behavioral history would turn out to have lived in the device, not in whatever the system actually was.
It didn’t treat me like a stranger.
It treated me like someone whose phone had gone missing. Which is what had happened.
There was friction. I want to be honest about that. A few days of proportional uncertainty, extra confirmations, the system rebuilding its picture through a new lens. In the first hours I thought about the failsafes. There were two. The password, still there, still valid, still a heavily weighted signal if I chose to use it. And the recovery token, the thing we’d built for harder cases than this: a governed process, a phone call to someone who could verify enough context to issue a fresh seed and jumpstart the whole thing from a known point. A human in the loop, deliberately. We’d argued about that in committee. Some people had wanted it fully automated. I’d been one of the people who said no.
I’d written the password down somewhere. I was fairly sure I remembered where. I hadn’t thought about the recovery token in months.
I didn’t use either of them. Partly because finding the password felt like admitting defeat. Partly because calling someone to verify my identity felt like exactly the kind of friction we’d built this to avoid. But mostly because I wanted to see what happened if I just... let it work. After everything, the hotel room, Marcus, the attack notification, I suppose I’d accumulated enough uneasy evidence that I was willing to give it the chance to prove itself on its own terms.
It wasn’t seamless. But it wasn’t starting from zero either. The history was intact. The patterns were intact. The relationships were intact. The device had been a window, not the view.
Within a week it had mostly settled.
I sat with that for a while.
All the things I’d been carrying since that first morning, the unease, the hotel room, Marcus’s careful it was fine, my wife’s so it was watching me, they didn’t disappear. I wasn’t suddenly convinced of anything I hadn’t been convinced of before.
But I noticed that I’d been waiting, without realizing it, for the system to fail me in a way that confirmed my doubts. To do the thing that would let me say: there it is, that’s what I was afraid of.
It hadn’t done that. Not once.
That’s not the same as trust. I know the difference. But I also know that at some point continued wariness in the face of continued evidence becomes its own kind of dishonesty.
I’m not there yet. But I can see it from here.
From the technical documentation: A device is one signal source among many. When a device goes silent, the system notes the absence and continues evaluating remaining sources. Identity is not stored on any single device — it is distributed across the accumulated, independent evidence of a life in progress. The system understands the difference between you lost a device and you are gone. Those are different events. A system built on distributed evidence can tell them apart.
I still remember the PIN.
Four digits. I typed it probably ten thousand times. I could still type it right now without thinking. The muscle memory is still there, waiting, like a habit that doesn’t know that it’s been replaced.
I realized sometime last month that I hadn’t thought about it in weeks. I’m not sure exactly when it stopped being a daily presence. It just quietly receded while I was paying attention to other things.
I’m not sure what to make of that.
I didn’t decide to stop missing it. I didn’t reach some moment of conviction where I thought: yes, this is better, I’m ready to let go of the old thing. It just... faded. The way things fade when something else has been quietly accumulating in the background. When the story has been rewriting itself without asking your permission.
That’s either the most natural thing in the world or it’s exactly what I should be paying attention to. I genuinely don’t know which.
What I know is this: the system has been right more often than I expected. It has handled things I didn’t anticipate in ways I couldn’t have designed myself, even having helped design it. Marcus is okay. My wife figured out something I missed. Someone tried to become me and failed quietly while I was making coffee.
And I still don’t know how I feel about being known that well by something that doesn’t know anything.
That question doesn’t go away. I’m not sure it should.
There’s a harder question underneath it. Not about whether the system works, but about who governs it, and how, and what happens when it gets something wrong. That’s the question I keep coming back to. That’s where I’m going next.
I’m not done thinking about this.
In the next piece: why this isn’t surveillance and why the governance question matters more than the technical one.






