Passkeys have issues to solve before replacing passwords

Passkeys hold the promise of greatly improving online security, but cybersecurity experts say there's work to do before they fully replace passwords. Image (c) ConsumerAffairs.

The password substitute is nearing prime time

  • Passkeys aim to replace passwords, but they aren't yet a perfect solution, cybersecurity experts tell ConsumerAffairs.
  • Some issues with passkeys are how widely they are supported, how they aren't cross-platform and how accounts with passkeys still have passwords that can be exploited.
  • But passkey adoption is growing and if they replace passwords altogether, they will provide even better security for online accounts.

Passkeys have some kinks that need to be ironed out.

Since 2022, passkeys have emerged as a convenient, secure way to log in through a PIN code, fingerprint or face instead of a password.

Passkeys, which are linked to devices such as a smartphone or computer, aim to solve the problems with passwords: Data breaches expose billions of passwords every year and people often use the same phrases or combinations, such as "admin" or "1234," that can be guessed.

More than 15 billion accounts now have the option to use passkeys, according to FIDO Alliance, an industry cybersecurity group that helped develop passkeys.

Image via Microsoft.

But cybersecurity experts tell ConsumerAffairs there are issues with passkeys that need to be solved before they fully live up to their promise.

Namely, passkeys have a few compatibility challenges, they aren't cross-platform, they are tied to devices that can be lost, and accounts with passkeys still have passwords that criminals can use to break into those accounts.

"For now, passkeys are an excellent leap forward but consumer education, robust device security and broader cross-platform support will be essential to ensure they deliver on their promise of safer, simpler authentication for everyone," Ensar Seker, CISO at cybersecurity firm SOCRadar, told ConsumerAffairs.

Accounts with passkeys still have vulnerable passwords

Passkeys are more convenient than passwords, but they can offer a "false sense of security" since they aren't yet disabling passwords, Roger Grimes, data-driven defense evangelist at cybersecurity firm KnowBe4, told ConsumerAffairs.


He said this means that hackers and scammers can still get people's passwords from data breaches or trick them into handing them over even if passkeys are activated.

"What you are really getting is a log-in method of convenience," Grimes said. "The attacker can still use your password so you haven't really increased the security on your account at all."

In May, Microsoft became the first major company to give consumer accounts, including for Outlook and Office, the option to disable passwords and use passkeys instead, saying all new accounts would be "passwordless by default."

But going passwordless comes with a catch: Microsoft users have to use an authenticator app, which verifies it is them logging in, to remove their password and use a passkey instead.

Still, having a passkey as an extra verification on top of a password adds more security, Andras Cser, principal analyst for security and risk management at Forrester Research, told ConsumerAffairs.

"When passkeys replace passwords, they add additional security by ensuring a non-crackable, non-phishable, non-snoopable authentication credential," Cser said.

In response to the concerns around vulnerable passwords existing alongside passkeys, Andrew Shikiar, executive director and CEO of passkey-standards developer FIDO Alliance, told ConsumerAffairs that passkeys are a path to getting rid of passwords, and are more secure and convenient.

"Every service provider that rolls out passkeys needs to determine for themselves the best approach for eventually eliminating passwords altogether," he said. "Some of our initial research showed that consumers are more likely to enroll a passkey if they know that they’re not “losing” their password — so maintaining that option may encourage broader passkey utilization ... "

Until passkeys are fully adopted and have replaced passwords entirely, some cybersecurity experts recommend that users enable multi-factor authentication, which can involve an authenticator app or a text message, to protect their accounts.

"This means users are forced to use a mixture of passwords and passkeys until passkeys are adopted industry wide," Chris Hauk, owner of cybersecurity blog Pixel Privacy, told ConsumerAffairs. "Multi-factor authentication can be used to protect accounts until passkeys are available."

Passkeys can be device dependent and aren't cross-platform

Passkeys work by having a public key and a private key.

The private key, stored on a smartphone or computer, provides the strong security.

For example, Windows 11 lets users have a PIN code to verify the passkey stored on the device to log onto supported online accounts, such as Outlook and Gmail.

But if a device is lost, the passkey can be, too. 

"Passkeys can also sometimes be device dependent, which could be problematic if a device is lost," Pixel Privacy's Hauk said.

Microsoft and Apple do allow passkeys to be shared across devices using their operating systems. But passkeys on a Windows computer can't be natively shared with an Apple computer and vice versa.

For now, users who want to share passkeys across different operating systems will have to rely on third-party software, such as password managers from 1Password, Dashlane and Keeper, Forrester Research's Cser said.

"These password managers mean extra software subscription and operations cost for enterprises," he said.

Passkey support is still improving

Major web browsers, such as Chrome, Safari and Edge, support passkeys, but support is still improving among browsers such as Firefox and Opera, depending on the operating system.

"Clearly there is a need for developers to add support; the pressure to do so will only increase," Ant Allan, cybersecurity analyst at Gartner, told ConsumerAffairs.

Until passkey support is on all operating systems, browsers and devices, some users will face challenges using them.

"This means users could experience inconsistencies or limitations when trying to use passkeys across different devices and browsers, particularly outside the Apple and Google ecosystems," SOCRadar's Seker said.

In response, FIDO Alliance's Shikiar said that between 91% and 95% of operating system, device and browser combinations support passkeys, including even Chrome and Edge on Ubuntu Linux.

A list of all devices, operating systems and web browsers supporting passkeys can be found here.
