The Issue With Passkeys

Passkeys are a way to replace passwords and have broad support across the tech industry, including from heavyweights such as Google, Microsoft and Apple. Under the hood a passkey is a FIDO2/WebAuthn credential: a public/private key pair where the site stores only the public key and the private key never leaves the user's authenticator, so there is no shared secret to phish or to leak from the site's database.

However, in the flow the platform vendors push, using passkeys means having a mobile device: the phone holds the key, and you log in elsewhere by scanning a QR code or approving a prompt on it. (Strictly, a passkey can also live on a hardware security key or on a laptop's built-in authenticator, but that is not where the mainstream onboarding steers people.)

And to make sure you don't lose access to your keys, the vendors' answer is synced passkeys: copies of your private keys are backed up to a server in the 'cloud' (usually Google's, Microsoft's or Apple's) and pushed from there to your other devices. The alternative, a device-bound passkey that never leaves a hardware key, avoids the server copy entirely, but then the lost-device problem is yours alone to solve.

Do you see the issues?

  • Storing the keys on a central server concentrates everyone's private keys in one place, which makes that server a far more valuable target for an attacker, and a single point for any Government agency, foreign ones included, to serve legal process on. The vendors describe the synced copies as end-to-end encrypted, with recovery gated by a device passcode rather than the account password alone, but the provider still operates the recovery path. Even encrypted, I wouldn't want a third party to have access to my keys.
  • If you don't have the right device, you can't use them. This leaves out a lot of lower-income folks who don't have a mobile device.
  • What about young people who need access to sites and services but don't necessarily have a mobile device of their own?

And what if you do lose access to your device and keys? Will web services and apps allow you to enroll multiple passkeys so that you can use a different one if you lose access to your primary? The WebAuthn standard allows an account to have any number of credentials, but each site decides whether to expose that, and a site that only lets you register one passkey leaves you with whatever account-recovery flow it offers, which is usually weaker than the passkey itself.

Or what if you only have one device and you lose it? Now you can't even log into, say, your Apple or Amazon account to purchase or set up a new one. What's the backup for this situation?
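The multiple-key question has a concrete answer at the relying-party level. The Go program below is an added example, not code from this post: it models a WebAuthn relying party with a made-up RP ID of example.test and two simulated authenticators (a phone and a hardware key, both constructed here), enrolls both for one account, refuses a duplicate enrollment the way excludeCredentials would, runs the assertion ceremony (an ES256 signature over authenticatorData and the client-data hash, checked against the challenge, origin and RP ID hash), and then revokes the lost phone so that the hardware key still logs in while the phone no longer can. The names NewRP, Register, Revoke, Assert, Authenticate and Login are this example's own, not any library's API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

const rpID, origin = "example.test", "https://example.test" // hypothetical relying party, not a real site

// Authenticator stands in for one passkey holder (phone, hardware key, laptop); only it holds the private key.
type Authenticator struct {
	id   []byte
	priv *ecdsa.PrivateKey
}

// RelyingParty stores only public keys, one per (account, credential ID). Several per account is
// what makes losing one device survivable.
type RelyingParty struct{ creds map[string]*ecdsa.PublicKey }
type clientData struct{ Type, Challenge, Origin string } // field names simplified from the real clientDataJSON

func NewRP() *RelyingParty { return &RelyingParty{creds: map[string]*ecdsa.PublicKey{}} }
func credKey(user string, id []byte) string { return user + "/" + hex.EncodeToString(id) }

// NewAuthenticator simulates an authenticator minting a fresh P-256 key pair and credential ID.
func NewAuthenticator() *Authenticator {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	id := make([]byte, 16)
	rand.Read(id) // crypto/rand.Read is documented never to fail on Go 1.24+
	return &Authenticator{id: id, priv: priv}
}

// Register enrolls one more credential for the account. The duplicate check plays the role of
// excludeCredentials in the WebAuthn creation options: the same authenticator is not enrolled twice.
func (rp *RelyingParty) Register(user string, a *Authenticator) error {
	if _, dup := rp.creds[credKey(user, a.id)]; dup {
		return errors.New("credential already enrolled")
	}
	rp.creds[credKey(user, a.id)] = &a.priv.PublicKey
	return nil
}

// Revoke is the recovery step for a lost device: drop that one credential and keep the others.
func (rp *RelyingParty) Revoke(user string, id []byte) { delete(rp.creds, credKey(user, id)) }

// signedDigest is what ES256 signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedDigest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Assert is the authenticator side of the get() ceremony.
func (a *Authenticator) Assert(challenge []byte) (id, authData, cdJSON, sig []byte) {
	cdJSON, _ = json.Marshal(clientData{"webauthn.get", hex.EncodeToString(challenge), origin})
	h := sha256.Sum256([]byte(rpID))
	authData = append(h[:], 0x01, 0, 0, 0, 1) // rpIdHash || flags (user present) || signCount
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, cdJSON))
	if err != nil {
		panic(err)
	}
	return a.id, authData, cdJSON, sig
}

// Authenticate is the relying-party side: the credential must be enrolled for this account, the client
// data must carry our challenge and origin, the RP ID hash must be ours, and the signature must verify.
func (rp *RelyingParty) Authenticate(user string, challenge, id, authData, cdJSON, sig []byte) error {
	pub, ok := rp.creds[credKey(user, id)]
	if !ok {
		return errors.New("unknown or revoked credential")
	}
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Origin != origin || cd.Challenge != hex.EncodeToString(challenge) {
		return errors.New("client data mismatch (wrong origin or stale challenge)")
	}
	if h := sha256.Sum256([]byte(rpID)); len(authData) < 37 || string(authData[:32]) != string(h[:]) || authData[32]&0x01 == 0 {
		return errors.New("authenticator data rejected")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(authData, cdJSON), sig) {
		return errors.New("signature invalid")
	}
	return nil
}

// Login runs one complete challenge/assert/verify ceremony for a given authenticator.
func Login(rp *RelyingParty, user string, a *Authenticator) error {
	ch := make([]byte, 32)
	rand.Read(ch)
	id, ad, cd, sig := a.Assert(ch)
	return rp.Authenticate(user, ch, id, ad, cd, sig)
}
```

The point for the argument above: nothing in the protocol limits an account to one credential. The server holds one public key per enrolled authenticator, and recovery is simply revoking the lost one from a device that still works; whether a site lets you do that is a product decision, not a protocol limitation. Two things are simplified here relative to real WebAuthn: clientDataJSON uses lowercase keys and a base64url challenge, and a real relying party also tracks the signature counter in authenticatorData.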

Then there's the ease with which a third party can wipe your keys and lock you out of all your services at once, which is downright frightening. The same sync that provides the backup is also a single point of control: suspend the cloud account, for whatever reason or under whatever legal order, and every synced passkey goes with it. What's to prevent a Government agency from bricking your device with malware and at the same time legally barring you from the cloud account you would need to restore your passkeys?

The Passkeys idea is great. The implementation is suspect and puts even more control into the hands of central and/or corporate authorities.

I think I'll stick with my long passwords, offline password managers and 2FA apps until they pry them from my cold, dead hands.
