New Study Warns Passkeys Could Be Exploited in Abusive Relationships

Passkeys: A Double-Edged Sword for Security
Passkeys are widely promoted as a safer alternative to traditional passwords, protecting users from phishing attacks and data breaches. However, a groundbreaking study presented at the 2025 USENIX Security Symposium has revealed that these login methods may also create hidden dangers in abusive relationships and other contexts of interpersonal abuse. Researchers found that the very features that make passkeys convenient and secure could be manipulated to monitor, control, or lock out victims.

The First Framework to Assess Passkey Abuse
The study, led by researchers from Cornell Tech, New York University, and the University of Wisconsin, introduced a six-stage “abusability analysis” framework. This framework evaluates how digital authentication tools like passkeys might be misused by abusers with physical or remote access to a victim’s device. By testing 19 major platforms—including Google, Amazon, PayPal, and TikTok—the team uncovered seven different abuse vectors that could put vulnerable users at risk.

How Passkeys Could Be Exploited
Researchers discovered alarming scenarios where attackers could silently hijack accounts or restrict access to them. Some of the tactics included:

  • Adding an abuser’s fingerprint or face ID to a shared device.
  • Exporting passkeys via AirDrop or cloud sync to secretly monitor account activity.
  • Revoking a victim’s passkeys remotely, locking them out of essential services.
  • Spoofing device names or login locations to confuse victims and hide intrusions.

In one chilling example, an attacker briefly accessed a victim’s unlocked phone, exported a passkey, and used it to monitor the victim’s accounts over time without detection. Shockingly, many platforms did not notify users when such changes occurred, leaving victims unaware of the breach.

Gaps in Current Security Protections
The study also revealed inconsistencies in how platforms manage passkeys. Some lacked essential features like revocation tools, while others provided no visibility into compromised accounts. In abusive situations, these gaps mean victims may have no way to detect, undo, or report unauthorized activity.

Recommendations for Safer Digital Authentication
To mitigate these risks, researchers urged tech companies to:

  • Improve interfaces for managing passkeys.
  • Provide clear notifications when credentials are added, removed, or exported.
  • Enforce tighter restrictions on passkey sharing.
  • Adopt the abusability analysis framework in product development to catch risks early.

Conclusion: Balancing Security and Human Realities
While passkeys are a powerful defense against phishing and hacking, this study highlights the urgent need to consider the social dimensions of security tools. In abusive contexts, convenience features can become weapons of control. By incorporating safeguards for at-risk users, tech companies have the opportunity to create more inclusive, human-centered security systems that protect not just data, but people.
