Passkeys: Ruining a Great Idea
Last Updated: 2025-12-16 04:00:00 -0600
Passkeys are undergoing a major adoption push at the moment, as a replacement for the more traditional username/password authentication model. And while they do carry significant benefits, the way they’re being adopted makes me a bit nervous, to say the least.
It’s been a while since I wrote on a security-related topic, and there’s a good reason for that: I’m now qualified enough in this area to understand how big the gaps in my understanding can be. It’s a bit like accounting. I know enough about accounting to be dangerous. That’s why you shouldn’t ask me for accounting advice, but should work with an actual accountant who carries liability insurance. That said, I think I know enough in this one particular area to at least raise some concerns.
For the uninitiated, a passkey authentication model involves a cryptographic challenge to test whether you and a thing-to-authenticate-to (usually, this being the 2020s, a website) agree on the value of a shared secret. There are a thousand standard and non-standard versions of this arrangement, and my critique isn’t of the cryptography itself. It’s of the way those secrets/keys are being handled.
You see, I’m a big believer in additional factors of authentication, and asymmetric encryption makes me very happy. I’ve been using a YubiKey hardware token for years, and if I had my way, they’d be as ubiquitous as house keys. Many passkey schemes allow a compatible controller (like the YubiKey) to hold the keys for a passkey challenge. I have zero problem with this model. I own the physical hardware key, that key is robust, and (to within a reasonable limit) backup authentication workflows exist in case I somehow manage to destroy the damn thing.
The problem I’m seeing now, though, is how often the passkey storage method is being pressured toward unsuitable models. All too often, the key is being stored in a browser or attached to an account from a service provider: your password manager, Gmail account, or similar. This becomes a real problem, not because the backup access methods aren’t viable (I have no comment on that), but because of the further consolidation of “authority” over whether or not you have access to your various accounts in the hands of a small number of vendors, vendors who usually have terms of service that allow them to boot you off their service with limited appeal and little recourse.
Now, if you’re a professional paranoid like me and you keep all your backup passcodes printed or written out in a safe somewhere, that might not be a huge problem. But for a large number of users, that’s probably not happening. I’m not going to pretend this is a truly novel threat surface: the average person with one master email account is already pretty well hosed if that account ever gets taken over by a malicious user. The bigger problem is the cascading loss of access if you are ejected, at a time when the big vendors are becoming more and more overtly conservative and willing to terminate accounts for absolute nonsense reasons.
Let’s suppose a prototypical user, Able Baker, has a Gmail account that they’ve used to sign in to Chrome, and that Chrome is acting as the passkey store for all of Able Baker’s passkeys. Mx. Baker is using passkeys to authenticate to most of the important things in their life: bank, GitHub, entertainment, and so on. Unfortunately for Mx. Baker, an erroneous report reaches Google that Baker is involved in sending spam emails, and with minimal investigation of the matter, Google terminates its business relationship with Baker. Unless they have already saved backup keys in a convenient location, Baker is now effectively hard-locked out of all their web identities and has to more or less start over from scratch, or at least endure a long and arduous process of working with dozens of vendors’ customer support; and let’s face it, that’s a lost cause.
This risk does not arise if you keep your authentication keys in a hardware store. Especially with the newer YubiKey models (which can store hundreds of such keys), the only real risk is loss of the device. Usually, when setting up passkeys that run through the YubiKey, vendors explicitly prompt you to save backup keys immediately. Even if they don’t, I believe there is a utility that allows you to sync two YubiKeys together. Stash one in the firebox and keep the other on you, and the problem goes away.
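The challenge model sketched above and the Able Baker scenario, as an added example that is not the author’s code: a relying party hands out a fresh challenge and accepts an answer from any key store registered for the account, so the sites that registered only the synced browser store go dark when the vendor revokes it, while the site that also registered the hardware keys does not. HMAC over a shared secret stands in for the authenticator’s signature so the script runs on the standard library alone; real passkeys register a public key and sign the challenge with a private key that never leaves the authenticator. Site names, store names, the account name and the revoked flag are all constructed.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Hypothetical, simplified model: a website keeps one credential per registered key store;
# HMAC over a shared secret stands in for a real passkey's public-key signature.
@dataclass
class RelyingParty:
    name: str
    credentials: dict = field(default_factory=dict)  # account -> {store name: secret}
    def register(self, account, store):
        secret = secrets.token_bytes(32)
        store.keys[(self.name, account)] = secret  # the store now holds the key material
        self.credentials.setdefault(account, {})[store.name] = secret
    def challenge(self):
        return secrets.token_bytes(32)  # fresh per attempt: a captured response cannot be replayed
    def verify(self, account, store_name, chal, response):
        secret = self.credentials.get(account, {}).get(store_name)
        if secret is None or response is None:
            return False
        expected = hmac.new(secret, chal, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

@dataclass
class KeyStore:
    name: str
    revoked: bool = False  # True once the vendor has closed the user's account
    keys: dict = field(default_factory=dict)
    def respond(self, rp_name, account, chal):
        secret = None if self.revoked else self.keys.get((rp_name, account))
        return None if secret is None else hmac.new(secret, chal, hashlib.sha256).digest()

def can_sign_in(rp, account, stores):
    """True if any reachable store can answer a fresh challenge for this account."""
    for store in stores:
        chal = rp.challenge()
        if rp.verify(account, store.name, chal, store.respond(rp.name, account, chal)):
            return True
    return False

def lockout_demo():
    bank, code_host = RelyingParty("bank"), RelyingParty("code-host")
    browser, yubikey, spare = KeyStore("browser-sync"), KeyStore("yubikey"), KeyStore("yubikey-spare")
    for rp in (bank, code_host):
        rp.register("able.baker", browser)  # every site trusts the synced browser store
    for ks in (yubikey, spare):
        bank.register("able.baker", ks)  # only the bank also registered the hardware keys
    browser.revoked = True  # the vendor terminates the relationship; the synced store goes dark
    return {rp.name: can_sign_in(rp, "able.baker", [browser, yubikey, spare]) for rp in (bank, code_host)}
```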
There are good reasons to adopt passkeys over username/password combinations. There are also good reasons not to, since multifactor authentication involving a username and password is reasonably secure. I think we have to be careful about how this technology is rolled out, in case we wind up in another “SMS Second Factor” situation, where trying to add a security control actually exposes an entirely new threat surface.
