Passkeys: Better Lock, Borrowed Door

Passkeys fix the weakest part of authentication. But they hand your credentials to Apple, Google, or Microsoft and the session cookie problem remains untouched.

I wrote about passkeys in early 2024 with some optimism. The technology is elegant. The problem it solves is real. I still think both those things. But I left something out.

What passkeys actually fix

The password is a structural failure. It is a secret you have to remember, type, transmit, and trust a server to store correctly. Any one of those steps can go wrong, and the weakest one determines your security. Phishing works because passwords travel. Data breaches work because servers collect them. Credential stuffing works because people reuse them.

A passkey replaces all of that with a cryptographic key pair. Your device holds the private key. The service holds the public key. When you authenticate, your device signs a challenge the server just issued; the server verifies the signature against the stored public key. Nothing that travels can be reused: the signature is bound to that one challenge and to the site that asked for it, so there is no secret to intercept, steal, or phish. I wrote about making that transition in early 2024, and the improvement was real. It is not marketing.

Back in 2022, when passkeys were still theoretical, I noted the convenience problem: helping a six- or eighty-year-old through a QR-code flow would be a challenge. What I did not see then was the deeper problem that convenience would bring with it.

The key card stays the same

Here is what does not change. Once you are through the lobby, the server hands you a session cookie: a short string, stored by your browser, that carries your authenticated state from that point on. The elaborate verification at the front door collapses into a string of characters sitting in your browser. Copy that cookie and you are in, from anywhere, as the user it belongs to. The key card problem is untouched by how you checked in.

Passkeys make the lobby better. They do not change what happens after it.

The dependency

There is a more fundamental issue. Passkeys do not live in your head, and they do not live on a neutral device. They live in a keychain: Apple's, Google's, or Microsoft's. That is where they are stored, and that is where they sync.

The sync is not optional. Use more than one device and you need it. Switch from iPhone to Android and your passkeys stay behind. Add a Windows machine to an Apple setup and you are managing two separate ecosystems, each with its own rules. The line between digital convenience and infrastructural dependency is vanishingly thin -- and you have crossed it the moment you need your credentials on a second device.

This is a structural dependency, not a technical inconvenience. The platform controls your credentials. If you leave, you lose them. If you are locked out, you lose them. If the platform changes its policies, you are subject to those changes. I experienced a version of this when X locked me out last year: the burden of proof shifts to you, the process is opaque, and there is no neutral party to appeal to. With passkeys, the stakes are higher. It is not one platform. It is your authentication infrastructure.

A different kind of lock-in

With passwords, the risk was theft. With passkeys, the risk is captivity. These are not equivalent problems, and the second one is quieter.

Most users will not notice. The experience is genuinely better: a biometric check, no password to forget, no phishing surface. The dependency is invisible until it is not. That is how the best lock-ins work.

Europe is working on a different answer, one built on the premise that digital identity should not be owned by a platform. That is a longer conversation. But it starts from exactly the right diagnosis: the front door matters, and so does who holds the key.

Passkeys are supported by Apple, Google, and Microsoft through their respective keychain and credential manager products. Cross-platform sync between ecosystems is not natively supported – moving between platforms requires manual credential migration or re-registration with each service.