Passkeys won’t save you (unless you fix identity sprawl and recovery loopholes)

By Ash K

Opinion: Passkeys are the best mainstream step we’ve taken against credential phishing. But enterprises rolling out “passwordless” are discovering an uncomfortable truth: you can remove passwords without removing the pathways attackers actually use.

The three gaps that keep breaking “passwordless”

  1. Recovery is the new password. Email/SMS recovery, help-desk resets, and “trusted device” prompts are routinely weaker than the auth you replaced. Attackers don’t need your password if they can socially engineer a reset.
  2. Device trust drift. Passkeys assume a device posture you may not enforce. Stale MDM enrollment, unmanaged BYOD, and cloned VMs turn “something you have” into “something anyone can import.”
  3. Consent ≫ credentials. Over-permissive OAuth scopes, app-issued tokens, and long-lived refresh tokens let attackers persist after initial access—no password required.

What a real enterprise passkey program looks like

  • Recovery hardening: remove SMS/email backup; require phishing-resistant factors for recovery; script help-desk runbooks that verify hardware-key presence and a match against the HR system of record.
  • Strong device binding: bind passkeys to managed devices; enforce device attestation and posture (OS version, disk encryption, secure enclave availability) at sign-in.
  • Kill legacy fallbacks: disable “less secure” protocols, basic auth, and app passwords; block non-modern clients with Conditional Access.
  • OAuth hygiene: limit high-risk scopes; require admin consent only for pre-approved apps; rotate and revoke refresh tokens at role changes.
  • Break-glass that doesn’t break everything: store two hardware keys in separate escrow; audit their use; simulate loss scenarios quarterly.
  • Measure outcomes, not rollout: track phishing incidents, help-desk resets, and risky sign-ins per 1k users—not just “% on passkeys.”
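As an added example (not the author's code), the Python below encodes these controls as a sign-in policy evaluator plus the per-1k outcome metrics; the context field names, OS minimums and the constructed sample events are assumptions, not any IdP's real schema.

```python
"""Policy evaluator for the passkey program above (added example, assumptions labelled)."""
from collections import Counter
from dataclasses import dataclass, field

# Assumed policy constants: legacy fallbacks to kill, factors counted as phishing-resistant,
# and minimum OS versions for device posture (constructed values, tune to your fleet).
LEGACY_PROTOCOLS = {"imap", "pop3", "smtp_basic", "activesync_basic"}
PHISHING_RESISTANT = {"passkey", "fido2_hardware_key"}
MIN_OS = {"ios": (17, 0), "android": (14, 0), "macos": (14, 0), "windows": (11, 0)}
OUTCOME_TYPES = ("phishing_incident", "helpdesk_reset", "risky_signin")


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)  # every failed control, not just the first


def evaluate_signin(ctx: dict) -> Decision:
    """ctx is an assumed sign-in context: flow, protocol, auth_method, device posture."""
    reasons = []
    # Kill legacy fallbacks: basic-auth protocols and app passwords never pass.
    if ctx.get("protocol") in LEGACY_PROTOCOLS or ctx.get("auth_method") == "app_password":
        reasons.append("legacy protocol or app password")
    # Recovery is the new password: recovery and normal sign-in both require a
    # phishing-resistant factor, so SMS/email OTP cannot become the weak path.
    if ctx.get("flow") in ("signin", "recovery") and ctx.get("auth_method") not in PHISHING_RESISTANT:
        reasons.append(f"{ctx.get('flow')} via non-phishing-resistant factor")
    # Strong device binding: attested, managed, and meeting posture requirements.
    dev = ctx.get("device", {})
    for flag, msg in (("attested", "no device attestation"), ("managed", "unmanaged device"),
                      ("disk_encrypted", "disk not encrypted"), ("secure_enclave", "no secure enclave")):
        if not dev.get(flag):
            reasons.append(msg)
    os_name, os_ver = dev.get("os"), tuple(dev.get("os_version", (0, 0)))
    if os_name not in MIN_OS or os_ver < MIN_OS[os_name]:
        reasons.append("OS version below minimum")
    return Decision(allow=not reasons, reasons=reasons)


def outcomes_per_1k(events: list, user_count: int) -> dict:
    """Rate per 1,000 users for each outcome type; events are dicts with a 'type' key."""
    counts = Counter(e["type"] for e in events)
    return {t: round(counts[t] * 1000 / user_count, 2) for t in OUTCOME_TYPES}


if __name__ == "__main__":
    # Constructed sample: a managed device signing in with a passkey, then the same
    # device attempting recovery over SMS OTP.
    good = {"flow": "signin", "protocol": "https", "auth_method": "passkey",
            "device": {"attested": True, "managed": True, "disk_encrypted": True,
                       "secure_enclave": True, "os": "macos", "os_version": [14, 2]}}
    print(evaluate_signin(good), evaluate_signin(dict(good, flow="recovery", auth_method="sms_otp")))
```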

Bottom line: Passkeys eliminate a massive class of attacks, but only if recovery, devices, and tokened apps are held to the same standard. Treat identity as a system—with the weakest step as your design target.

Ash K
Ashton is a seasoned cybersecurity professional with over 25 years of experience in cybersecurity research, incident response, products, and security-solutions architecture.