Passkeys are getting ready to take over - but how locked in will you be?

 Visual representation of a passkey on a computer chip.

Passkeys have been a common presence in the news recently, as an ever-increasing number of services are supporting their use. They are thought to be both safer and more convenient than passwords, which are routinely stolen and used by threat actors to wreak havoc on many businesses.

Apple was one of the first big names to adopt them, followed by the other tech giants, such as Google and Microsoft. All are board-level members of the FIDO Alliance, which sets the technological standards for their use.

And herein lies one of passkeys' central problems: since the private portion of the cryptographic key is stored on the device, big tech seems to have seized the opportunity to keep their users locked into their respective ecosystems, not making it possible to use them cross-platform. The situation does appear to be opening up somewhat, but there are still concerns about their entrenchment, as well as some possible safety concerns too.

New adopters

For a while, BestBuy, eBay and PayPal were the only prominent consumer services, barring the tech giants, that let users log in with passkeys. But recently, others have joined the party, with the likes of X (formerly Twitter), WhatsApp, and GitHub taking them on board.

Microsoft has also recently announced expanded support for passkeys in Windows 11, and with Apple now allowing passkeys to be managed by third parties on its new iOS 17 platform, popular password managers 1Password and NordPass have done so too.

These last two are perhaps the most important adopters, since one of the big selling points of third-party password managers is cross-platform compatibility. By storing a passkey with a password manager, rather than directly with Apple, Google, or Microsoft, users can deploy their passkeys on any system or device supported by the manager.

The big tech companies have made concessions among themselves in this regard, in fairness. For instance, Apple's proprietary iCloud Keychain is now available in Chrome 118, so passkeys created on an iOS device can be used on Google’s market-leading browser - only on Macs, however.

It would be wise for big tech to continue this trend of untethering users, since nobody likes to be beholden to a single company so completely, with no easy way to cut loose. This is especially true for businesses, who may want to switch their software and environments on a dime, and want the least amount of friction when doing so.

Other concerns

One of the much-touted USPs of passkeys is their resistance to phishing. Since there are no credentials that anyone knows, there isn't a way for scammers and fraudsters to extract the key out of you.

The only problem is, biometric data can be stolen, such as your fingerprints, which are often used to authenticate the use of your passkeys.

In a recent report, NordVPN said it discovered 81,000 fingerprint records on sale all over the dark web. It is not yet clear how this biometric data could be used by bad actors, but it's never wise to underestimate the tenacity and ingenuity of cybercriminals, especially when there are serious rewards at stake.

If they can gain remote access to your device, and find a way to make use of your stolen biometric data, perhaps they could use your passkeys themselves. And, as NordVPN pointed out in its report, unlike a password, your fingerprint can't be changed in the event of compromise.

Passkeys are also new, so teething problems are to be expected. As GitHub explained in their announcement, Linux systems and the Firefox browser both didn't appear to play too nicely with passkeys, so a workaround was needed. So if passkeys were to remain closed to specific systems, problems such as these would hamper their progress and prove a real inconvenience to users.

But despite these negatives, passkeys are almost certainly a better choice than passwords, given the fact that most people, unfortunately, still maintain the worst practices possible when using them, opening themselves up to a world of trouble. And at some point in future, you probably won't have a choice. That isn't necessarily a bad thing - as long as they are kept as open and cross-platform compatible as possible.