Passkeys aren’t perfect after all, researchers warn of potential security risks

Passkeys face fresh scrutiny

Passkeys were introduced as a simpler, safer alternative to passwords, letting people sign in with biometrics or device-based approvals. But security researchers are now warning that passkeys may not be the flawless solution many expected.

Recent tests by security researchers (notably SquareX at DEF CON 2025) show passkey workflows can still be intercepted or tricked via malicious browser extensions or scripts under certain conditions.

This has raised questions about whether users and companies are adopting them too quickly without understanding the risks. The technology promises progress, but it also brings its own new vulnerabilities.

How passkeys actually work?

Passkeys rely on public key cryptography, with one key stored on a user’s device and the other with the service. This makes it harder for attackers to steal credentials through phishing or database leaks.

Instead of typing in a password, users confirm their identity using a fingerprint, facial scan, or device unlock code. While this approach removes many common threats, researchers say attackers are already finding ways to bypass the protections in certain situations.

Growing adoption across tech giants

Apple, Google, and Microsoft have each promoted passkeys as the future of secure logins. Several major platforms are experimenting with or integrating passkey support, alongside traditional password‑based login, encouraging customers to make the transition where available.

While adoption is steadily increasing, researchers now argue that the enthusiasm may be outpacing the caution needed to fully understand potential weaknesses. The push from these tech leaders shows momentum, but it also puts responsibility on them to address new flaws.

Risks in device synchronization

One of the main benefits of passkeys is the ability to sync across devices through cloud backups. For example, Apple uses iCloud Keychain to make them accessible on different iPhones and Macs. But this convenience also creates a weak point.

If an attacker gains access to a synced account, they may be able to duplicate or steal the passkey. Security researchers point out that while syncing improves usability, it may undo some of the system’s intended safety features.

Trouble with shared devices

Passkeys work best when a device is truly personal, like a smartphone with biometric authentication. However, the model becomes less reliable on shared or family devices. Multiple people using the same computer could open the door to unauthorized access.

Researchers warn that in corporate settings where devices are passed around, passkeys may not provide the level of certainty companies expect. Without a clear separation between users, the technology could leave sensitive accounts vulnerable.

Phishing risks still remain

While passkeys are designed to be phishing-resistant, researchers discovered that targeted attacks can still trick users. Fake prompts that mimic legitimate biometric requests can capture approvals if people are not paying close attention.

This undermines one of the strongest selling points of passkeys. Instead of eliminating phishing completely, the system may simply shift where attackers focus. For users, it means staying alert is just as important as with traditional password-based logins.

Dependence on device security

Passkeys are only as strong as the devices that store them. If a phone or laptop is infected with malware, attackers may gain access to the local keys and bypass protections. This creates a situation where even advanced login methods can be compromised by a single weak link.

Experts emphasize that device hygiene, including software updates and antivirus protections, remains a critical part of keeping passkeys safe. The technology does not replace broader digital security practices.

Legal and regulatory concerns

The growing use of passkeys also introduces new legal questions. In the event of fraud, it may be difficult to determine whether a user authorized a transaction or if a biometric prompt was manipulated.

Observers suggest that as passkey adoption increases, particularly in regulated sectors such as banking, legal frameworks may need to evolve to address issues such as user consent, liability in biometric prompt manipulation, and authentication disputes.

Limited support across platforms

Although adoption is expanding, not every app or website supports passkeys. This creates gaps where users still fall back on old passwords. Switching between the two systems can be confusing, weakening the overall security promise.

For example, if a site only partially supports passkeys, attackers may exploit the weaker login option. Experts stress that until passkeys are widely and consistently supported, they will remain an incomplete replacement rather than a full solution.

Risks in account recovery

Account recovery remains one of the trickiest parts of the passkey system. If someone loses their device and backup, regaining access can be difficult. Attackers may exploit these recovery processes by pretending to be legitimate users.

Researchers highlight that recovery systems are often the softest target in any login method. Without stronger safeguards, passkeys may still leave open a back door for hackers to exploit when people lose access to their devices.

The challenges for enterprises

For large companies, moving to passkeys is more complex than it appears. Enterprises must support thousands of employees with different devices and levels of tech comfort. Managing lost devices, syncing across work accounts, and handling shared access are all challenges.

Security researchers warn that until these enterprise use cases are carefully addressed, businesses should not rush into replacing all passwords with passkeys. Corporate IT policies may need to evolve before widespread adoption becomes safe.

A push for hybrid approaches

Given the limitations, some experts recommend a hybrid model that combines passkeys with additional protections. Multi-factor authentication, hardware tokens, and strong device security can help close the gaps.

This approach accepts that no single solution is perfect, but layering defenses can reduce risks. Hybrid models may be especially important during this transition period when passkeys are still maturing. For now, relying on passkeys alone may be a riskier move than many companies realize.

What users can do today?

For everyday users, the most important step is to stay aware of how passkeys work and their limits. Using strong device security, enabling biometric protections, and avoiding shared logins can reduce exposure.

Experts recommend treating passkeys as a helpful tool but not a complete replacement for caution. Since adoption is still growing, people should be ready to use a mix of logins depending on what different services support. Awareness remains the best defense.

Industry response to warnings

Tech companies behind passkeys have acknowledged some of the concerns but remain confident in the technology’s long-term potential. Apple, Google, and Microsoft emphasize that the system still reduces many of today’s biggest risks, including password theft and large-scale leaks.

However, security researchers say these reassurances should not overshadow real flaws. Industry leaders face pressure to refine and strengthen passkeys before encouraging even wider adoption. The balance between innovation and caution is still being debated.

The future of passwordless logins

Despite the warnings, experts agree that passwordless logins are the future. The convenience and security improvements are significant, even if the technology still needs refinement. Over time, standards will likely improve, reducing some of the risks identified today.

For now, users and businesses should approach adoption with a careful eye, balancing enthusiasm with preparation. Passkeys may not be perfect yet, but they represent an important step toward a safer way of logging in.

The move away from traditional passwords is speeding up across the tech world. Microsoft will end password logins for all users soon, showing how quickly the shift to stronger methods is becoming a reality.

The bigger picture for digital security

Passkeys are part of a much larger conversation about the future of online safety. They show how technology is evolving to keep pace with increasingly sophisticated threats. But as the research shows, every new solution carries tradeoffs.

Security is never static, and it depends as much on human awareness as on new tools. Google sees a big jump in AI search, reminding us that the digital world is rapidly changing in multiple directions at once.

Even as passkeys gain ground, one truth remains clear: passwords alone can’t protect you anymore. Why your passwords are useless without MFA & 2FA explains why layering security is still essential.

What do you think about this? Let us know in the comments, and don’t forget to leave a like.

Read More From This Brand:

• Facebook rolls out passkeys to fight back against phishing attacks
• How Encryption Shapes Our Everyday Security
• How to Check If Your Phone Was Hacked

Don’t forget to follow us for more exclusive content right here on MSN.

If you liked this story, you’ll LOVE our FREE emails. Join today and be the first to get stories like this one.

This slideshow was made with AI assistance and human editing.