A Defensive Computing Checklist    by Michael Horowitz

HOME | About | Domain Names | VPNs | Rules of the Road | DC Presentation | ChangeLog | Stats |

PASSKEYS

TOPICS BELOW
Why Not To Use Passkeys, Passkeys Changing, Passkeys Bad, Passkeys Good, Passkeys Balanced Evaluation, FYI

A passkey is a password that you are not allowed to know. Your phone knows it, but you do not.

WHY NOT TO USE PASSKEYS

Do not use passkeys. Here are some (not all) reasons why:

1. The passkey ecosystem is complicated. I have read articles and listened to podcasts from techies, people that normally understand these things, and they all have questions about how passkeys work. Using a system that you do not fully understand is like diving into a pool where you don't know how deep the water is.
2. If something goes wrong with passkeys, you will still need a password as a fallback mechanism.
   In December 2024, Dan Goodin described the current state of things: "Of the hundreds of sites supporting passkeys, there isn't one I know of that allows users to ditch their password completely. The password is still mandatory. And with the exception of Google's Advanced Protection Program, I know of no sites that won't allow logins to fall back on passwords, often without any additional factor. This fallback on phishable, stealable credentials undoes some of the key selling points of passkeys."
3. Unlocking an account using passkeys on a phone, increases the reliance on our phones for security. Phones inevitably get lost, stolen or broken, so passkeys makes the loss of a phone that much worse. If someone steals your phone and knows the code/pin to unlock it, that's very bad. If the phone unlock code also gives them access to all the services you use with passkeys that just makes things worse. Much worse. I suspect that many people who designed, and/or jumped on passkeys initially, live in low crime areas.
4. Passkeys is an example of techies designing things that work for them, but will not work for their parents or grandparents. An example of thinking inside the box.
5. Why are passkeys being pushed by Google, Apple and Microsoft? Really, why? Some have said the real reason is to lock you into their ecosystems. This makes all the sense in the world to me. Even in a year or two (I am writing this in May 2023), when passkeys are more widely available, I doubt that an Apple user will be able to use their passkey on an Android device or Windows PC. Time will tell.
   Update September 2025: There are now password managers that can handle passkeys and they can be used to bridge the gap between Google, Apple and/or Microsoft operating systems. However, you are locked into the password manager, there is no way to export passkeys from one password manager to another.
6. To truly get the security improvement offered by passkeys, a system/website has to only accept passkeys and not use passwords as a backup system. Don't hold your breath waiting for systems that only accept passkeys.
7. For passkeys to catch on, the vast majority of websites that now accept passwords, will need to be updated to also accept passkeys and then, eventually, to only accept passkeys. And, there are many computer systems that are not websites and they too need to be upgraded to support passkeys. To me, this seems impossible.
8. Passkeys are built on the assumption everyone has a smartphone. People who don't, who get Internet access at a Library, are not allowed to play the passkey game.
9. Even if passkeys are the future, the ecosystem for them will not mature for many years (as of May 2023). Maybe it will never mature.

PASSKEYS CHANGING   top

• June 12, 2025: Coming to Apple OSes: A seamless, secure way to import and export passkeys by Dan Goodin of Ars Technica.
  CURRENT STATE OF AFFAIRS: Passkeys created on one operating system are largely swimming in a single fishbowl. For example, a passkey created on a Mac, can sync with other Apple devices connected to the same iCloud account. But, transferring them to a Windows device or even a password manager installed on the same Apple device, has been impossible. More than just an annoyance, this lock-in raises the risk of getting locked out of accounts if a device storing passkeys (usually a smartphone) is lost, stolen, or destroyed. This is one of the biggest shortcomings of passkeys to date
  NEW: Apple just demonstrated a passkey import/export feature that should be available in the next major release of their Operating Systems (iOS, macOS, iPadOS, visionOS). Apple is using a standard way of doing this, not their own propietary method. Time will tell how many companies adopt this.

PASSKEYS BAD   top

• September 30, 2025: How to Use Passkeys With Google Password Manager by Jacob Roach for Wired. Like the article below, this one clearly belongs in the passkeys bad list. Quoting: "Google wants you to start using passkeys [and] store passkeys in the Google Password Manager service. For websites that support the login method, Google now allows you to generate, store, and sync passkeys. The problem is actually finding a consistent way to do it. It's easy to change your password, but it is not so easy to add passkeys to an account you've already created, much less manage them solely in your browser. Still, you can use passkeys with the Google Password Manager on supported websites; you'll just need to jump through a few hoops first." After a review of the bad user experience, the article suggests storing passkeys in a password manager.
• August 19, 2025. Although the article title says it is just explaining what passkeys are, I think its fair to put this in the "Passkeys Bad" section. What Are Passkeys - and What Do You Need to Know About Using Them? by Sean Captain for the Wall Street Journal. The article is in an FAQ format and brings up many issues that put the lie to the claim that passkeys are easier to use than passwords.
  • Will my passkey work across platforms? Probably not.
  • Am I forever locked into a passkey manager? For now, yes.
  • Do I have to install or update software to use passkeys? Maybe.
  • How do I set up a passkey on a site or app? It varies.
  • Can I have multiple passkeys for one account? Maybe.
  • Can I share passkeys with family, friends or colleagues? Probably not.
  • What if I set up my passkeys on a device like my phone and then lose it? The question is not really answered in the article. Suffice it to say, much depends on whether the passkeys were backed up to the cloud or not.
  • What if I get locked out of my passkey manager? It varies, depending on the passkey manager.
  • How many sites take passkeys? Quoting: "Currently, not many."
• July 22, 2025: Passkeys won't be ready for primetime until Google and other companies fix this by Jack Wallen for ZDNet. Quoting: "On paper, passkeys are great. They make logins more secure and easier. On paper. In reality… not so much ... Simply put, passkeys are not ready for the average user. Until Google (and every other company employing this technology) can figure out a seamless way of creating and using passkeys, they should consider them in beta. I get it, I really do. Usernames and passwords are obsolete. They're simple to crack because they allow users to be lazy with their credentials. But until passkeys can be easily created and used, this so-called passwordless alternative will accomplish nothing but infuriate people."
• January 15, 2025: Passkeys: they're not perfect but they are getting better from the British National Cyber Security Centre. This is an excellent article from an organization that is in favor of passkeys, yet they point out many current problems. Quoting: "... the NCSC believes they are the future of modern authentication. However, there are still some significant bumps in the road ahead. Here we set out the case for mass adoption of passkeys and outline the remaining issues which are hindering their widespread implementation."
  • They argue that passkeys are both more secure and more convenient. This is not true. Nothing can ever be both more secure and convenient. The two concepts have always been at odds and always will be.
  • There are two major flavors of passkeys (came as news to me): device-bound (that never leave the device) and "synced" passkeys that live in a Password Manager which backs them up and syncs them across multiple devices. Some websites support synced passkeys, while others only support device-bound passkeys.
  • Saving a passkey in a Password Manager sounds great, until you decide to use different Password Manager software. "This is currently challenging to do..."
  • Different software companies use different terminology for the same thing. Quite confusing, espectially to a newbie.
  • Quoting: "To trust passkeys as a replacement for the password, users need to be prepared and know what to do in the event of losing one – or all – of their devices." This one of a number of problems/issues with passkeys where the NCSC points out that users need to be educated. This is fatal. User education will never happen. Anything that requires user education is doomed to fail.
• December 30, 2024: Excellent article: Passkey technology is elegant, but it's most definitely not usable security. by Dan Goodin for Ars Technica. The author sums up his own long article: "In short, there are too many cooks in the kitchen, and each one thinks they know the proper way to make pie." Some other quotes from the article:

  When I wrote about passkeys two years ago, I was a big believer. I remain convinced that passkeys mount the steepest hurdle yet for phishers, SIM swappers, database plunderers, and other adversaries trying to hijack accounts ... Unfortunately, as support has become ubiquitous in browsers, operating systems, password managers, and other third-party offerings, the ease and simplicity envisioned have been undone - so much so that they can't be considered usable security
  
  Passkeys are now supported on hundreds of sites and roughly a dozen operating systems and browsers. The diverse ecosystem ... has also fostered a jumble of competing workflows, appearances, and capabilities that can vary greatly depending on the particular site, OS, and browser (or browser agents such as native iOS or Android apps). Rather than help users understand the dizzying number of options and choose the right one, each implementation strong-arms the user into choosing the vendor's preferred choice The experience of logging into PayPal with a passkey on Windows will be different from logging into the same site on iOS or even logging into it with Edge on Android. And forget about trying to use a passkey to log into PayPal on Firefox. The payment site doesn't support that browser on any OS.

• October 14, 2024: Can Passkeys Replace Passwords by Bruce Davie. An excellent article that sees both pros and cons of passkeys. Mr. Davie does not expect passkeys to succeed. Quoting: "... if a website adopts passkeys without disallowing subsequent login attempts by password, then the system remains roughly as vulnerable to phishing attacks as it was before. A savvy user might detect that they are being phished if they are suddenly being asked for passwords after using passkeys for a long time, but any time we rely on the judgment of users to detect security attacks we are bound for disappointment. It bothers me to read blog posts from seemingly credible sources that don't address the fact that passkeys are being added in addition to passwords but not (yet) replacing them ... My last concern about passkeys is that the implementation seems to have failed the 'make it easy for users' test, which in my view is the whole point of passkeys. I have been using public key cryptography for 30+ years ... Surely the reason for yet another technology based on public key cryptography is to simplify its use. If I find passkeys confusing to use, it doesn’t bode well for more typical users."
• September 9, 2024: Passwords have problems, but passkeys have more by David Heinemeier Hansson, CTO of software development firm 37signals. Quoting: "The problem with passkeys is that they're essentially a halfway house to a password manager, but tied to a specific platform in ways that aren't obvious to a user at all, and liable to easily leave them unable to access their accounts ... Much the same way that two-factor authentication can do, but worse, since you're not even aware of it ... Even in the best case scenario, where you're using an iPhone and a Mac that are synced with Keychain Access via iCloud, you're still going to be stuck, if you need to access a service on a friend's computer in a pinch. Or if you're not using Keychain Access at all .... If you're going to teach someone how to deal with all of this, and all the potential pitfalls that might lock them out of your service, you almost might as well teach them how to use a cross-platform password manager like 1Password ... Yes, passwords have problems ... But just because we have a real problem doesn't mean that all proposed solutions are actually going to be better. And at the moment, I don't see how passkeys are actually better ... Passkeys seemed promising, but not all good intentions result in good solutions."
• April 8, 2024: Big Tech passkey implementations are a trap by Son Nguyen Kim of Proton. Quoting: "This article looks at passkeys' initial promise, how Big Tech has tried to hijack them to serve their own purposes, and how we can ensure passkeys fulfill their potential for everyone ... We recently announced that Proton Pass now supports passkeys for everyone across all devices. Universal compatibility is a unique approach to implementing passkeys, unfortunately. Even though passkeys were developed ... to replace passwords and are meant to provide 'faster, easier, and more secure sign-ins to websites and apps across a user’s devices', their rollout hasn't lived up to these lofty ideals. Instead, the first organizations to offer passkeys, Apple and Google, prioritized using the technology to lock people into their walled gardens ... This closed approach diminishes the value of passkeys for everyone and makes it less likely that they’ll be universally adopted ..."
• This May 2023 article by Jared Newman is one that I mostly agree with: Passwordless logins are a confusing mess. The article says that a goal of passkeys is to make account logins easier. But, by definition, this means less security. In the article, the issue of not having your phone assumes it was lost. But, what if the phone was stolen? Bad guys may unlock your phone by forcing you to look at it or force you to press your finger on it. Or, if the phone unlock code is all that it takes to access the passkeys, they may just watch you unlock the phone, note the code, then steal your phone. Some quotes:
  1. Getting rid of passwords will be a long, messy, and occasionally maddening process, especially without clearer documentation and guidance from the companies involved.
  2. All of this falls apart when you try to start using passkeys in earnest. The technology is so new that every website handles it differently, and things that are supposed to just work often don’t.
  3. I have a pretty solid handle on technology, and I still find this to be overwhelming.
  4. As of now, none of the systems' biggest backers have provided clear documentation on what happens if you phone goes missing. ... In Google’s latest post about adding passkey support, the possibility of losing your phone doesn't even come up, and its support page offers no guidance for users who've lost all their devices.
  5. All of this, by the way, is separate from the 'Sign in with Google' and 'Sign in with Apple' buttons that are already ubiquitous around the web. While those options are also passwordless, they're separate from this new passkey system that's now being created.

PASSKEYS GOOD   top

• September 3,2025: How Passkeys Work - and How to Use Them by Jacob Roach for Wired. The article reads like a paid commercial, all good, no bad. Yeah, sure. To achieve this, it has to avoid the issue of a phone witt passkeys on it being lost or stolen or broken. It sells the fantasy that passkeys are both easier to use and safer. At least it does admit that passkeys are normally locked to a vendor: a passkey created on an iPhone can not be used on an Android device, for example. Even passkeys stored in one password manager can not be moved to another password manager. To use a passkey on Windows, you have to use Windows Hello. How is that a good thing?
• January 15, 2024: Passkeys: the promise of a simpler and safer alternative to passwords from the UK National Cyber Security Centre (NCSC). Just the upside, none of the downside.
• This May 2023 article in Ars Technica Google passkeys are a no-brainer. You’ve turned them on, right? by Dan Goodin is supposed to argue that passkeys are great. I think Goodin is completely wrong. As I read this article, I ended up with a many questions. Rather than being a good thing, the article, in my opinion, shows passkeys as a bad thing.
  Update: In December 2024, Goodin wrote a follow-up article (linked to above) that was quite negative about passkeys.
• This May 2023 article in the Wall Street Journal by Nicole Nguyen also argues for passkeys. Hate Passwords? It’s Time to Try Passkeys. But, to me, the case is weak. Moreso, the article reminds me of something I have said for decades: "Don't take computing advice from the Wall Street Journal any more than you would take investing advice from Computerworld magazine." And, the article makes many factual mistakes, such as:
  1. Even the title of the article is false. It is absolutely not the time to try passkeys. Far far from it. This is not a matter of opinion, it is a fact.
  2. Nguyen claims passkeys are both easier and safer. Nothing that is easy is either safe or secure. Never has been, never will be. The two concepts are always at odds.
  3. Nguyen says that a passkey is "an encrypted bit of software code". It is not. A passkey is a number, not software code.
  4. The article says that a passkey lives in a password manager. This is literally true, for now, but they do not live in what most people know as password managers. KeePass, for example, can not handle passkeys.
  5. The article says "the key only lives on your device (a phone or laptop, for instance)". This assumes we only have one computing device. If you have both an iPhone and an iPad they should end up on both devices. This also shows a lack of understanding of the technology. The passkey on your device is part of a pair of numbers. One stays on the server for the system you are trying to deal with, the other stays on your devices. This is a big contrast with passwords.
  6. The article says passkeys are easier than 2FA. Again, anything easier is less secure. And is it really easier? That is a matter of opinion.
  7. The article suggests testing passkeys on the webauthn.io website. I did, on a Windows PC. The site failed to load at all using the Mullvad web browser. Using Brave, it wanted me to turn on Bluetooth which it said is required to use my passkey on a different device. What different device? Using Chrome, it said Bluetooth was required and stopped. Again, the issue of passkeys being easier to use is a matter of opinion.
  8. The article says "Passkeys already work with the password managers built into ... Google Chrome ... desktop web browsers". It did not for me. At least not without Bluetooth enabled. Why is Bluetooth needed? Neither browser said why.

A BALANCED EVALUATION   top

November 17, 2025: What Are Passkeys, and Who Should Be Using Them? by Jake Peterson for LifeHacker. Quoting: "Passkeys aren't perfect: In practice, they can be a bit complicated, especially when working across different devices . . . If you are not particularly tech savvy, or if you're not totally entrenched in one tech company's ecosystem, it might be a bit too early to go all-in on passkeys. ". The article points out that you can not export passkeys. Quoting again:

". . . you don't need to log into your accounts on the device that contains the passkey. If you're using a different device, say a friend's computer . . . you will have the option to use your trusted device to authenticate . . . You can choose to authenticate using the passkey device, which will trigger the account's site to present a QR code. You can scan the QR code on your iPhone, authenticate using Face ID, Touch ID, or your PIN, and you'll log in."

This is presented as a good thing. I see it as a bad thing. I see putting too many eggs in the basket of unlocking a phone. If a bad guy has your phone, there is a chance he can access all your passkey protected accounts. The bad guy could physically threaten you or simply watch as you enter the phone PIN before stealing the phone. A phone with passkeys that gets stolen and unlocked would make your life hell. You might as well have the master password for your password manager tattooed on your forehead. Also, if you lose a phone with passkeys, the recovery procedure will be different for every account. More hell.

FYI   top

The Security Now podcast of May 9, 2023 raised an interesting issue. Someone who does not own a computer or smartphone and uses the Library for their Internet access, can not use passkeys.

Copyright 2019 - 2025