Overview
Security experts are warning against using passkeys for data encryption because users frequently lose their passkeys, creating a fundamental conflict between authentication security and data recovery. The industry should limit passkeys to their intended purpose as phishing-resistant authentication credentials.
Key Arguments
- Passkeys should only be used for authentication, not data encryption because of frequent user loss: Users lose their passkeys all the time, and when passkeys are used to encrypt data, that data becomes irreversibly lost and unrecoverable
- The security benefit of passkeys conflicts with data accessibility needs: While passkeys excel as phishing-resistant authentication credentials, using them for encryption creates a user experience problem where secure authentication leads to permanent data loss
Implications
Organizations risk creating unrecoverable data loss scenarios when they use passkeys for encryption instead of limiting them to authentication. This represents a fundamental misunderstanding of the technology’s appropriate use case and could undermine user trust when people permanently lose access to their encrypted data.
Counterpoints
- Enhanced security through encryption: Some might argue that using passkeys for encryption provides maximum security by ensuring only the user can decrypt their data
- User education can solve loss issues: Proponents might claim that better user education about passkey backup and recovery could mitigate the data loss problem