The downsides to using passkeys
Passkeys is an a relatively new authentication standard by an alliance of companies that reads like the Who’s Who of Tech.
Passkeys are created on user devices and remain there, and all it takes to sign-in is to select the right one to login to services and websites. Passwords are no longer required and that is one of the main advantages of the feature.
Passwords are traditionally stored as hashes on servers. When a user enters a password, the hash is generated and compared to the data on the server. This leads to disadvantages, including that a successful server breach may give criminals access to the hashes, which may be cracked to reveal the passwords. Also, passwords may be brute forced and phishing attacks are common to steal passwords from users.
All of these forms of attacks do not work against passkeys. The server does not store the required data anymore and users do not enter passwords. Brute forcing is also not possible.
While passkeys improve security, users need to be aware of some downsides associated with them. Some of these are temporary in nature, others may pose a permanent problem.
- Passkeys are device specific. Syncing functionality is not widely available yet, but many password managers and also operating systems may support syncing eventually.
- Most websites and apps do not support passkeys. This too will change in the future as support is spreading. For now, only some sites and services support the security feature.
- Losing access to a device. If a user loses access to all their devices, they may have troubles recovering account access. Most sites and services support account recovery options if a password has been forgotten. Similar functionality may be provided for passkeys, and this may involve providing IDs or other forms of legitimation. Passkeys to support recovery keys, but these need to be saved by the user actively.
'The downsides to using passkeys' first appeared in Weekly Tech Insights, a free weekly newsletter that you can sign up to here.