Passkeys Promised Security and Simplicity: Here’s Where They Fall Short

For nearly a decade, I’ve argued that passwords are a poor security measure, and I was an eager advocate for the much more effective method of using passkeys.

Passkeys were designed to fulfill the dream of a security approach that is not only more secure than passwords but also user-friendly enough for widespread adoption. However, a recent article highlights four major challenges associated with this technology…

Passkeys offer better security than passwords

Passwords come with various security vulnerabilities:

  • Websites hold a copy of them (or a hash of them), so a server-side breach can expose them even when they are supposedly stored encrypted.
  • Many users reuse passwords, so a single data breach can unlock their accounts on other sites as well.
  • Passwords are susceptible to phishing attacks: a convincing fake login page captures them.

Passkeys effectively address these issues. Instead of entering a username and password to log in, users are prompted to use a passkey. The website or app asks the device to authenticate the user via Face ID or Touch ID, and the device then confirms the user's identity to the website. Under the hood, the device holds a private key created for that specific site and signs a one-time challenge with it; the site stores only the matching public key, which is of no use to an attacker who steals it or to a phishing page on a different domain.

The web server trusts your device for authentication in the same way that payment terminals rely on your iPhone or Apple Watch for Apple Pay transactions—because it has verified your identity locally through biometrics.

In theory, passkeys simplify the process

When setting up an account, users should have the option to use a passkey, requiring just their consent. The device will authenticate them, and the service will create the account. Next time they log in, they simply use Face ID or Touch ID to access their account.

However, there are four significant issues

If you exclusively use Apple devices and browse with Safari, passkeys come close to being straightforward. iCloud synchronization ensures that an account created on one Apple device is accessible across all others.

Nonetheless, as Ars Technica notes, numerous situations reveal a stark contrast between expectations and reality, particularly concerning inconsistent user experiences.

For instance, logging into PayPal with a passkey on Windows will differ from doing so on iOS or even on Edge for Android. Moreover, attempting to log into PayPal using a passkey on Firefox is futile since the payment site doesn’t support that browser on any OS.

The second issue is that passkeys appear to be tied to specific browsers.

As another illustration, when I set up a passkey for my LinkedIn account in Firefox, I opted to sync it using the 1Password password manager due to my diverse browser usage. In theory, this setup allows me to access the passkey wherever I can log into my 1Password account, which wouldn’t be possible otherwise. However, it’s not so straightforward. Looking at the LinkedIn settings, the passkey appears to be created for Firefox on Mac OS X 10, despite functioning across all the browsers and platforms I’m using.

A third concern is that companies like Google and Apple may effectively compel you to utilize their specific passkey management systems, even when you prefer different options and may already have a passkey configured.

For instance, I want to access LinkedIn using the passkey synced by 1Password across my devices. Yet, somehow, the unspecified entity behind this message (in this case, Google) has taken over the process, attempting to push me towards its platform.

Additionally, consider the user experience on WebAuthn.io, a site demonstrating how the standard operates under various conditions. When a user wishes to enroll a physical security key for logging in on macOS, they are met with a prompt that nudges them to choose a passkey instead and sync it via iCloud.

Lastly, while passkeys are meant to eliminate the security flaws posed by passwords, nearly every service still requires users to create a password login.

Out of the countless sites that support passkeys, there’s not one I know of that allows users to abandon their password entirely. The password remains a necessity […] Threat actors will develop hacks and social engineering tactics to exploit this vulnerability. We would find ourselves back where we started.

The complete article is definitely worth a read.
