On Passkey Usability – Schneier on Security
Matt •
February 12, 2024 12:39 PM
Nice article, but no mention of account recovery in case you lose your passkey. What I’ve seen typically is the same “recovery codes” approach since MFA started being a thing. Those are effectively a bunch of single-use passwords, and managing the recovery codes for a bunch of websites isn’t much of a different problem (either for websites or for users!) from managing passwords.
What this in effect means is that while passkeys get rid of a lot of the hassle of day-to-day password use, the entire password infrastructure still exists on both sides: websites still have to store them, and so do users. There’s one advantage over the traditional password ecosystem: recovery codes are always long and randomly-generated (and so effectively cannot be weak or reused across sites). But they have a disadvantage, too, which is that because they are used so rarely, when you do need them, it may be even harder to find them—but you still need to maintain all of them for all the services you have accounts with because they’re the only way to get back in if you lose your passkeys.
I don’t know if anyone has worked on or devised a better system for account recovery that doesn’t require keeping big lists of recovery codes, or going through more rigorous authentication (e.g. calling your bank and giving them lots of personal info to prove that you’re you, so that you can reset your passkeys). But whenever I see articles about passkeys, they rarely seem to address this.
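The comment above describes recovery codes as single-use passwords that the site must store and the user must keep. The following is an added illustration of that mechanism from the site's side, not code from the post or from any particular service: it generates random codes, stores only their hashes, accepts each code once, and rejects reuse. The account name and the code format (three groups of five characters from a 36-symbol alphabet) are constructed for the example. Because the codes are machine-generated with about 77 bits of entropy rather than user-chosen, a plain SHA-256 verifier is adequate where a password would need a slow hash; the site still needs to rate-limit online guesses.

```python
import hashlib
import hmac
import math
import secrets
import string
from dataclasses import dataclass, field

# Code format: 3 groups of 5 lowercase alphanumerics, e.g. "k3fq9-2xm7a-p0d4t".
# 15 symbols drawn from 36 gives about 77.5 bits of entropy (see code_entropy_bits).
ALPHABET = string.ascii_lowercase + string.digits
CODE_GROUPS = 3
GROUP_LEN = 5


def generate_code() -> str:
    """Generate one recovery code with the OS CSPRNG (never random.choice)."""
    groups = [
        "".join(secrets.choice(ALPHABET) for _ in range(GROUP_LEN))
        for _ in range(CODE_GROUPS)
    ]
    return "-".join(groups)


def code_entropy_bits() -> float:
    """Entropy of one code in bits: symbols * log2(alphabet size)."""
    return CODE_GROUPS * GROUP_LEN * math.log2(len(ALPHABET))


def normalize(code: str) -> str:
    """Tolerate case, spaces and hyphens when the user types a code back in."""
    return "".join(ch for ch in code.lower() if ch in ALPHABET)


def digest(code: str) -> str:
    """Verifier stored by the site: hash of the normalized code, never the code itself."""
    return hashlib.sha256(normalize(code).encode("ascii")).hexdigest()


@dataclass
class RecoveryCodeStore:
    """Site-side store: per account, the hashes of codes not yet used."""

    unused: dict[str, set[str]] = field(default_factory=dict)

    def issue(self, account: str, count: int = 10) -> list[str]:
        """Create a fresh batch; replaces any older batch for the account.

        The plaintext codes are returned so they can be shown to the user
        exactly once; only their hashes are retained.
        """
        codes = [generate_code() for _ in range(count)]
        self.unused[account] = {digest(c) for c in codes}
        return codes

    def redeem(self, account: str, submitted: str) -> bool:
        """Accept a code once. A correct code is removed so it cannot be replayed."""
        hashes = self.unused.get(account, set())
        target = digest(submitted)
        matched = None
        # Compare against every stored verifier with a constant-time comparison,
        # so the accept/reject path does not depend on which entry matched.
        for stored in hashes:
            if hmac.compare_digest(stored, target):
                matched = stored
        if matched is None:
            return False
        hashes.discard(matched)  # single-use: burn the verifier
        return True

    def remaining(self, account: str) -> int:
        return len(self.unused.get(account, set()))


def demo() -> dict:
    """Walk through issue, first use, replay and a wrong code for a constructed account."""
    store = RecoveryCodeStore()
    account = "alice@example.invalid"  # constructed account name
    codes = store.issue(account)
    return {
        "issued": len(codes),
        "first_use": store.redeem(account, codes[0].upper()),  # case-insensitive: accepted
        "replay": store.redeem(account, codes[0]),             # same code again: rejected
        "wrong": store.redeem(account, "zzzzz-zzzzz-zzzzz"),   # not issued: rejected
        "remaining": store.remaining(account),                 # 9 codes left
    }


if __name__ == "__main__":
    print(demo())
```

The user-side half of the problem the comment raises is visible here too: the plaintext list returned by `issue` is the only copy that will ever exist, so whatever the user does with it is the entire recovery story.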