Pros and cons of passkeys: Security benefits outweigh risks
New technologies, especially those that are transformational, get scrutinized – that’s normal. The benefits need to be carefully understood along with any potential drawbacks. The danger to progress, however, comes from an imbalance in focus: when we place too much emphasis on edge cases at the expense of all the benefits.
We miss the forest for the trees.
Passkeys are a perfect example. Passkeys (aka passwordless FIDO credentials) are transformational as an authentication approach. They are phishing-resistant, easy to use, and future-proof (an open standard supported by the ecosystem). While they are still new to most users, passkeys will quickly become the preferred method of authentication, in the same way most users happily adopted Touch ID and Face ID when offered for app sign-in.
Why are passkeys more secure than passwords?
Simply put, passkeys deliver stronger security with a simpler sign-in experience:
- Passkeys cannot be “phished” (there is no “secret” to share).
- Fake sites (adversary-in-the-middle attacks) will fail because they do not have the appropriate private key to impersonate a user.
- Attacks don’t scale because the attacker must physically have the user’s device where the private key is stored, as well as their user verification method (fingerprint, face recognition, etc.).
- Users don’t need to remember complex passwords – they can authenticate with a quick swipe or glance at the camera. The complexity of the private/public keys stays behind the scenes.
Potential security risks are rare scenarios
Although passkeys are vastly more secure and greatly improve the user experience, the attention seems to be focused on the “edge cases” that make them not “perfect”.
- Edge case #1: Unclear how the synced key is protected. What if it is compromised? Synced passkeys may be stored by platform providers like Apple and Google, or they may be protected by password managers. That is no different from passwords. The big difference, however, is that passwords can be easily phished and stolen. While password managers can help prevent phishing, not everyone uses one. Also, the relying party cannot tell whether the user has a password manager or how strong the password really is. With passkeys, the phishing resistance doesn’t depend on user behavior; it is guaranteed by the standard. And to steal someone’s passkey you’d have to take over their account or trick a provider into restoring a key to your device, which is orders of magnitude more difficult to achieve. Is it possible? Yes, but the current risk with passwords is far greater.
- Edge case #2: The transport security of the keys is unknown. The protocol may be proprietary to the provider; however, the large providers strongly encrypt synced passkeys, and synchronization of passwords to the cloud uses proprietary protocols, too.
- Edge case #3: The key may have been shared (AirDropped). This is true: a user can AirDrop their passkey to another user. It is also true, however, that someone can just as easily share their password. And, unlike passkeys, passwords can be easily guessed, making them much more vulnerable.
Edge cases don’t overshadow passkey security benefits
Understanding risk is important, but not at the expense of gain.
Imagine all the doors and windows in your house have flimsy padlocks that can be easily snapped off with one kick. You have the opportunity to replace them with a high-security deadbolt system that is resistant to being kicked in. However, there is one very tiny window on your third floor that would require a 30-ft ladder and gymnastics across your roof for a thief to reach, and it cannot use the new lock system. Since you can’t secure that one window, you decide not to secure any of them.
That’s missing the forest for the trees.
The bottom line is that even if you change nothing else, you greatly reduce your attack surface by implementing passkeys to replace passwords wherever possible. For regulated markets that typically require MFA with strong device binding, you can combine device-bound passkeys with synced passkeys, creating a trust anchor to deal with the third-floor window.
One-time passwords (OTPs) will continue to serve important use cases, particularly in regulated or high-assurance scenarios. But passkeys are shifting the foundation toward stronger, more seamless authentication for everyday sign-ins.