There’s no question that the traditional username and password combination is a weak link when it comes to online security. For several years, experts have encouraged businesses to implement passkeys to overcome the pitfalls of traditional passwords, which have become increasingly vulnerable to cybercriminals.
However, researchers from Square X revealed some worrisome passkey weaknesses at the recent DEF CON 33 security conference. These flaws enable hackers to exploit workflows and circumvent the protections that make passkeys appealing, transforming what was once seen as a bulletproof way to ensure security into a potentially risky backdoor for trouble.
How Passkeys Work and Why They Aren’t Invincible
Passkeys control access to online platforms and data by relying on a pair of cryptographic keys, one public and one private. They allow user authentication without exposing sensitive data.
They work like this: When someone signs in to a website or app, the service keeps the public key, while the private key stays securely on the device. Instead of inputting a password, the user proves their identity with biometric authentication (like a fingerprint or face scan) or a device PIN. The system then verifies the match through a secure handshake between the two keys.
Because the private key never leaves the device, hackers can’t simply steal it through credential theft or phishing attacks, making passkeys far more resistant to traditional password-based exploits. The idea is that only your device can “unlock” access.
The problem is that if a hacker compromises the device’s browser, the workflow is also compromised. Attackers could potentially manipulate the way a browser communicates with a website or app, creating an opportunity to intercept or even hijack the authentication process. It’s like having a state-of-the-art lock on your office door, only to realize the frame holding the door can be pried open.
Should You Abandon Passkeys? Not So Fast
Like any security tool, passkeys reduce but don’t eliminate risk. They simply make it harder to steal or reuse credentials. Vulnerable browsers pose security risks, and compromised devices can enable hackers to bypass even robust encryption protocols.
You can still keep your business secure, despite passkey security weaknesses.
- Layer your defenses. Use multi-factor authentication (MFA) wherever possible. Even if a cybercriminal exploits the passkey system, MFA adds an extra barrier.
- Keep browsers and devices updated. Installing updates as soon as they become available can quickly patch encryption vulnerabilities.
- Educate your team. Human error remains a hacker’s favorite entry point, so educate employees on how to identify suspicious prompts and potential phishing attacks.
- Use reputable tools. Stick to mainstream browsers and security solutions that respond rapidly to new threats.
Include Passkeys in Your Security Strategy
Passkeys are still a step forward compared to old-school passwords, but the Square X findings show they’re not immune to flaws. Understanding these passkey security weaknesses and proactively addressing the risks of device compromise, credential theft, and encryption vulnerabilities puts your business in a better position to protect itself against threats.
Your best approach is to treat passkeys as part of a broader security strategy, rather than a magic bullet that stops every threat.
