The Hidden Dangers of Passkeys in Data Encryption
As we navigate the complex world of digital security, it’s essential to understand the risks associated with using passkeys for encrypting user data. Over the past year, many organizations have implemented passkeys and used the Pseudo-Random Function (PRF) extension to derive keys for protecting user data.
However, this approach can have severe consequences. When a credential used for authentication is also used for encryption, the potential damage from losing that credential becomes significantly larger. For instance, a user named Erika sets up encrypted backups in her messaging app using her passkey. If she later deletes the passkey, she may lose access to her backed-up data, including precious memories.
The Problem with Passkeys and PRF
The primary issue with using passkeys for encryption is that it overloads the credential, making it more vulnerable to loss or compromise. This can lead to a significant increase in the ‘blast radius’ for losing that credential. Moreover, users are often not aware of the implications of deleting a passkey, which can result in irretrievable loss of encrypted data.
Meanwhile, there are legitimate uses of PRF in WebAuthn, such as supporting credential managers and operating systems. A passkey with PRF can make unlocking a credential manager much faster and more secure. Nevertheless, it’s crucial to prioritize warnings for users when they delete a passkey with PRF and display the Relying Party’s info page when available.
Consequences of Using Passkeys for Encryption
The consequences of using passkeys for encryption can be severe. Users may lose access to their encrypted data, including sensitive information like photos, documents, and crypto wallets. Additionally, the use of passkeys for encryption can lead to a false sense of security, as users may believe their data is protected when, in reality, it’s vulnerable to loss or compromise.
Furthermore, the use of passkeys for encryption can also lead to a lack of transparency and accountability. Users may not be aware of the risks associated with using passkeys for encryption, and organizations may not provide adequate warnings or support for users who lose access to their encrypted data.
Best Practices for Using Passkeys
To mitigate the risks associated with using passkeys for encryption, it’s essential to follow best practices. These include:
- Using passkeys solely for authentication purposes
- Providing clear warnings and information to users about the risks of using passkeys for encryption
- Implementing robust mechanisms for protecting user data, such as master passwords, per-device keys, recovery keys, and social recovery keys
- Prioritizing transparency and accountability in the use of passkeys for encryption
Additionally, organizations should consider alternative methods for encrypting user data, such as using separate encryption keys or implementing end-to-end encryption protocols. By taking a more nuanced approach to passkey usage, we can better protect user data and prevent unnecessary losses.
A Call to Action
To the wider identity industry, I urge you to stop promoting and using passkeys to encrypt user data. Instead, let’s focus on using passkeys as great, phishing-resistant authentication credentials. To credential managers, please prioritize adding warnings for users when they delete a passkey with PRF and display the Relying Party’s info page when available.
Finally, to sites and services using passkeys, please provide clear information and warnings to users about the risks associated with using passkeys for encryption. By working together, we can create a more secure and user-centric digital identity ecosystem.
Conclusion
In conclusion, using passkeys for encrypting user data can have severe consequences, including the loss of sensitive information and a false sense of security. By following best practices and prioritizing transparency and accountability, we can mitigate these risks and create a more secure digital identity ecosystem.
Therefore, it’s essential to use passkeys solely for authentication purposes and to provide clear warnings and information to users about the risks associated with using passkeys for encryption. By taking a more nuanced approach to passkey usage, we can better protect user data and prevent unnecessary losses.
FAQs
Here are some frequently asked questions about using passkeys for encrypting user data:
- What are the risks of using passkeys for encrypting user data? The risks include the loss of sensitive information and a false sense of security.
- How can I protect my user data when using passkeys? You can protect your user data by using passkeys solely for authentication purposes and by providing clear warnings and information to users about the risks associated with using passkeys for encryption.
- What are the best practices for using passkeys? The best practices include using passkeys solely for authentication purposes, providing clear warnings and information to users, and implementing robust mechanisms for protecting user data.
- Can I use passkeys for encryption? While it’s technically possible to use passkeys for encryption, it’s not recommended due to the risks associated with overloading the credential.
- How can I recover my encrypted data if I lose my passkey? If you lose your passkey, you may not be able to recover your encrypted data. Therefore, it’s essential to use passkeys solely for authentication purposes and to implement robust mechanisms for protecting user data.








