Six Colors

Apple, technology, and other stuff

The state of passkeys

Ars Technica’s senior security editor Dan Goodin breaks down where we are with passkeys going into 2025:

The security benefits of passkeys at the moment are also undermined by an undeniable truth. Of the hundreds of sites supporting passkeys, there isn’t one I know of that allows users to ditch their password completely. The password is still mandatory. And with the exception of Google’s Advanced Protection Program, I know of no sites that won’t allow logins to fall back on passwords, often without any additional factor. Even then, all but Google APP accounts can be accessed using a recovery code.

This fallback on phishable, stealable credentials undoes some of the key selling points of passkeys. As soon as passkey adoption poses a meaningful hurdle in account takeovers, threat actors will devise hacks and social engineering attacks that exploit this shortcoming. Then we’re right back where we were before.

This is a great and thorough look at this technology, disheartening as the truth of it is. The fundamental problem is that while the idea of passkeys is excellent, the implementation of it has been a mess. Every platform and site seems to have its own different way of handling the process, and what should be simple has instead become extremely confusing.

The passkey portability standard should help with part of the problem, but overall there needs to be some standardization of how passkey logins are implemented so that users aren’t befuddled.

And I’m not even restricting that to non-tech-savvy users. I’ve run into multiple sites where I have set up a passkey and it doesn’t work correctly. Just last night I was trying to log into iTunes Connect on my iPhone: iOS showed I had a passkey and offered to use it, but for some reason, the site kept throwing an error. Maddening.

That said, there are plenty of places where passwords vary in their implementation. (Please stop putting username and password fields on different pages, thank you.) We’re in the midst of a painful transition period, and while I’m glad to see so many sites and services embrace passkeys, the fine details are going to take longer to iron out than I’d hoped.

