Passwords have long been the weak link when it comes to online protection. In response, many businesses have turned to passkeys as a more secure alternative. Passkeys aim to reduce the risk of stolen credentials, offering strong encryption and more convenience for users.

But at a recent DEF CON conference, researchers from Square X uncovered potential issues that could make even passkeys vulnerable under certain conditions. These discoveries highlight the importance of thoughtful implementation and staying alert to new security challenges.

How Passkeys Are Designed to Work

Passkeys operate using two cryptographic keys: one public and one private. The public key is stored by the website or application, while the private key stays secured on the user’s device.

Instead of typing in a password, users confirm their identity through methods like a fingerprint scan, facial recognition, or a device PIN. The two keys verify the login through a secure process that keeps the user’s private information out of reach from attackers.

Because the private key never leaves the device, this method protects against many types of traditional threats, including phishing schemes and stolen credentials.

Where the Vulnerabilities Come In

Passkeys offer strong protection in theory, but no system is without its limits. If someone compromises a device or browser, they may gain a way into the passkey workflow.

The issue isn’t with the encryption itself but with the channel that supports it. When a browser or device is compromised, attackers can potentially interfere with how credentials are used during login. This opens the door to unauthorized access, even if the device holds a valid passkey.

It’s similar to adding a strong lock to your front door, while overlooking a loose window frame just beside it.

Keeping Passkeys in Perspective

Even with known weaknesses, passkeys still represent an improvement over traditional passwords. They make it harder for attackers to collect and reuse login details, but they are not foolproof.

Rather than abandoning passkeys altogether, the goal should be to strengthen your overall security strategy by adding other defenses and keeping systems up to date.

Ways to Strengthen Your Security

There are practical steps your business can take to reduce risk and improve security, even when using tools that aren’t perfect.

Enable multi-factor authentication whenever possible. This adds another layer of verification, making it more difficult for intruders to access systems even if a device is compromised.

Regularly update your browsers and devices. Many threats take advantage of outdated software. Updates often include patches that fix known security issues, so make sure your network stays current.

Help your employees spot warning signs. Training staff to recognize suspicious login prompts or strange behavior on their devices can stop attacks early. Encouraging a culture of awareness is key.

Rely on tools with proven track records. Choosing widely supported platforms with active security teams gives your business quicker access to fixes and guidance when new threats arise.

Making Passkeys Part of a Broader Plan

Passkeys are a valuable addition to your business’s digital security, but they shouldn’t be your only line of defense. Recent research shows that even advanced authentication systems can have gaps, especially when the devices running them are vulnerable.

Consider passkeys as one helpful piece of a larger strategy. Combine them with trusted software, employee training, regular updates, and layered protections to keep your systems safer.

Keeping your business secure means staying prepared, staying informed, and accepting that no single solution does it all. The goal is not perfection, but a stronger overall foundation that gives your team the upper hand against digital threats.