FIDO Alliance

Passkey Central

Authenticate Conference

Passkeys Are Not Broken. The Conversation About Them Often Is

Nishant Kaushik, Chief Technology Officer, FIDO Alliance

Every few months, like clockwork, a talk or article appears claiming that new research has uncovered a “vulnerability” with passkeys.  This can understandably raise concern for executives and product leaders looking to uplift their authentication frameworks. But these reports have a pattern: they highlight opportunities for exploitation in the environment where passkeys are used, not any vulnerability in passkeys themselves.

Passkeys are FIDO authentication credentials that leverage public key cryptography. The authentication protocol relies on the user having control of their private key, which is generated on the user’s device (their smartphone, their FIDO Security Key, etc) and is never shared with the service they are authenticating to (all the service receives and saves is the corresponding public key). That design makes passkeys inherently resistant to phishing, credential stuffing, and large-scale data breaches. Breaking the security model of passkeys would require stealing the private key itself, something cryptographically and practically infeasible without compromising the device in some manner. 

Where the “Breaks” Actually Happen

When researchers announce they’ve “broken passkeys,” what they usually mean is that they’ve compromised something else in the operational environment:

  • Browser vulnerabilities that let malicious extensions hijack sessions or impact user behavior.
  • Device compromises where malware takes control of the endpoint.
  • Application weaknesses in how the authentication flow is integrated.

To be clear, these are real risks, but these are risks for any authentication solution (in addition to other secure tools such as encrypted messaging apps and VPNs). They are not flaws in passkeys themselves. Rather, they are examples of broader environmental compromise which can be mitigated with well-known security controls and policies that IT teams have been deploying for years.

Do Not Confuse Headlines with Reality: Passkeys Work as Intended

No reports have found vulnerabilities in the cryptography or the technical standards underpinning passkeys. What’s being demonstrated by researchers are scenarios where, if the user’s environment is already compromised, attackers may be able to misuse otherwise secure credentials or circumvent the secure authentication process. That’s a meaningful security discussion, and a good reminder that while passkeys are the gold standard for secure authentication, they don’t eliminate the need to have a comprehensive security program. 

Our Commitment to Security and Research

The FIDO Alliance is deeply committed to advancing security through ongoing research, rigorous testing, and collaboration with our members and the broader security community. Our members are actively exploring the impact of emerging technologies like post quantum cryptography, and emerging threats like deepfakes. We also welcome engagement with security researchers who approach their work responsibly, as constructive collaboration helps us strengthen our specifications, certification programs, and implementations. Sensationalist headlines may help a few to market their products or services, but the real win for strong, phishing-resistant authentication is when we combine forward-looking research with open, responsible dialogue. That’s at the heart of the Alliance’s ethos.

The Bottom Line

For anyone responsible for product, security, or compliance, here’s what this means when it comes to adopting passkeys:

  • Stay focused on fundamentals: Passkeys eliminate entire classes of attacks (phishing, credential theft, reuse) that drive the majority of breaches today.
  • Adopt thoughtfully: Pay attention to the integration and rollout plans, following guidance and best practices with special attention to fallback models.
  • Pair with environmental protections: Continuing to strengthen your security program remains essential, especially focusing on strong endpoint security, browser governance, and app hardening.
  • Lean on certification: Certified implementations ensure consistency and reduce integration risk across platforms and devices.

Passkeys represent one of the most significant advances in digital identity security in decades, and they work as intended. Headlines suggesting otherwise often sensationalize research that demonstrates something we’ve known forever: no system is immune if the environment it runs in is compromised. Passkeys remain the best path forward to reducing fraud, lowering breach risk, and building customer trust in a digital-first world. 

Type:
More

FIDO Alliance and Data Security Council of India Join Forces to Promote Stronger Authentication Standards in India

FIDO India Working Group Launched to Further Drive Local Market Engagement New Delhi, India and…

Read More →

Why Strong Authentication is a Critical Requirement for Improving Critical Infrastructure Cybersecurity

Brett McDowell, executive director, FIDO Alliance Many private and public sector organizations look to NIST’s…

Read More →

FIDO Certified Products Reach 335: How to Make the Most out of Certification

Adam Powers, technical director, FIDO Alliance The FIDO ecosystem – the world’s largest for interoperable,…

Read More →

Previous 16263646566 Next