Passkeys Promise a Password-Free Future but Are Becoming Walled Gardens
Passkeys were heralded as the key to a password-free future, offering a seamless and secure login experience. However, as Big Tech companies embrace this technology, there are growing concerns about how these passkeys are reinforcing the dominance of their ecosystems.
One of the pioneers of this technology, William Brown, a software engineer at SUSE Labs, has raised alarms about the direction in which passkeys are heading. Brown, who spearheaded the development of webauthn-rs — an open-source Rust library for implementing the WebAuthn standard — warns that the original vision of an open and accessible technology is being compromised.
Webauthn-rs was among the first libraries to enable the kind of authentication that passkeys represent. It has been integrated into projects like authenticator-rs, which is used in Firefox. Despite these advancements, Brown is disappointed with how the passkey ecosystem has evolved.
Over 150 platforms now support passkeys, including major names like WhatsApp, X (Twitter), TikTok, PlayStation, PayPal, Microsoft, Google, Apple, and Amazon. Passkeys use public key cryptography to create a unique key pair for each platform; the private key is stored and managed automatically on devices such as smartphones and PCs, and the user unlocks it with facial recognition, a fingerprint, or a PIN.
However, Brown highlights that tech giants are prioritizing their interests over providing a transparent user experience. He points to Chrome, a dominant browser controlled by Google, which dictates what can be integrated into its ecosystem. The implementation of passkeys is inconsistent, and there’s another significant issue: physical security keys like YubiKeys or Google’s Titan have limited storage capacities, often capping at 25 keys, while users typically access far more platforms.
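As an added illustration of the two points above (one key pair per platform, and a fixed number of resident credential slots on a hardware key), here is a toy authenticator model in Go. It is not code from webauthn-rs or from any project named in the article; the `Authenticator` type, the `maxSlots` cap and the simplified signed message (SHA-256 of the rpID followed by the challenge, rather than the real WebAuthn authenticator data and client data hash) are assumptions made for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// Authenticator models a security key with a fixed number of resident
// credential slots and one key pair per relying party ID (rpID).
type Authenticator struct {
	maxSlots int
	creds    map[string]ed25519.PrivateKey // private keys never leave the device
}
var ErrStorageFull = errors.New("authenticator: resident credential slots exhausted")
var ErrNoCredential = errors.New("authenticator: no credential for this rpID")
func NewAuthenticator(maxSlots int) *Authenticator {
	return &Authenticator{maxSlots: maxSlots, creds: map[string]ed25519.PrivateKey{}}
}

// Register creates a fresh key pair scoped to rpID; only the public key is returned.
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	if _, exists := a.creds[rpID]; !exists && len(a.creds) >= a.maxSlots {
		return nil, ErrStorageFull
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return pub, nil
}

// signedData binds the assertion to the rpID and the server challenge, so a
// signature produced for one site is worthless at another (simplified format).
func signedData(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	return append(rpHash[:], challenge...)
}
// Assert signs the challenge with the credential registered for rpID.
func (a *Authenticator) Assert(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, ErrNoCredential
	}
	return ed25519.Sign(priv, signedData(rpID, challenge)), nil
}

// Verify is the relying party's check against the public key stored at registration.
func Verify(pub ed25519.PublicKey, rpID string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, signedData(rpID, challenge), sig)
}
```

With `maxSlots` set to 25 the model reproduces the storage ceiling the article describes: the 26th distinct platform cannot be registered, while re-registering an existing rpID simply replaces that slot's key pair.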
To circumvent these limitations, companies like Google and Apple have turned mobile devices into security keys, further locking users into their ecosystems. These secure credentials cannot be extracted or exported, leading to uneven and often ineffective user experiences. A report from Wired, which attempted to use passkeys exclusively, described the experience as “a total mess,” a sentiment echoed in various Reddit threads.
While the concept of passkeys is promising, the execution leaves much to be desired. Brown advises using a password manager like Bitwarden, which is open source and offers a free version, as a viable alternative to the closed ecosystems of Apple or Google. He suggests, “If you really want to use passkeys, store them in a password manager that you control. Avoid key stores controlled by platforms, and be cautious with security keys.”
For those opting for physical security keys, Brown recommends using them specifically to unlock your password manager and email account, which are gateways to accessing other platforms securely.