Passkeys are the future of online security, right? Wrong, according to Google and Microsoft. These tech giants are warning that passkeys alone are not enough to protect your accounts from hackers. The issue lies in the recovery methods still attached to accounts, which can become a new attack surface even after passkeys are deployed.
Passkeys are supposed to replace passwords and stop phishing attacks. But as Microsoft says, "Each account is only as secure as its weakest credential." Passkeys are an improvement, but they don't eliminate the risk of phishing and other attacks. In fact, attackers are now targeting recovery flows and fallback credentials instead of passkeys.
Google and Microsoft are urging users to use two-step verification (2SV) in addition to passkeys. This includes Google Prompts and Authenticator apps, which provide an additional layer of security. SMS one-time codes should be avoided, as they are weaker and more susceptible to phishing.
The key takeaway is that passkeys are not a silver bullet. They must be complemented with strong recovery methods and user awareness. As Microsoft warns, "Eliminate phishable credentials entirely" to ensure your accounts remain secure. This is especially important as attackers shift their focus to recovery flows and fallback authentication methods.
In my opinion, the widespread adoption of passkeys is a step in the right direction, but it's not enough. We need to educate users about the importance of strong recovery methods and the risks associated with SMS codes. Only then can we truly move towards a safer online environment.
