Passkey Confusion: Navigating the Challenges

(Passwordless Authentication) 

The transition to passkeys, while promising enhanced passwordless security and convenience, introduces several challenges that can lead to user confusion. Here are some key points to consider:

  1. Random Security Request: Most services prompt people to set up a passkey without explaining why; people do not realise that they are replacing password authentication with passwordless passkey authentication.

  2. Initial Authentication Requirement: The account must be authenticated before a user can set up a passkey. This step, while necessary for security, can be a hurdle for users unfamiliar with the process. It adds an extra layer of complexity, especially for those who are not tech-savvy.

  3. Coexistence of Passwords and Passkeys: Many services keep both password and passkey authentication methods. This dual system can be confusing for users who may not understand when to use each method. The presence of two authentication options can lead to uncertainty and mistakes, potentially compromising security: as long as the password still works, it remains a way into the account, so the phishing resistance of the passkey is not fully realised.

  4. Passkeys and Multi-Factor Authentication (MFA): Some websites replace passwords with passkeys but still require MFA verification. This can be perplexing for users who might expect passkeys to simplify the login process. Instead, they find themselves navigating additional verification steps, which can be frustrating and counterintuitive.

  5. Device Proximity Requirement: A passkey must either be stored on the device being used to log in or be held on a device within Bluetooth range (approximately 30 feet) of it. This requirement can be inconvenient, especially for users who frequently switch between devices or do not always have their primary device nearby. It can lead to situations where users are unable to log in simply because their passkey is out of range.

  6. Storage Confusion: Where should a user store their passkeys: in iCloud, Google Password Manager or a third-party password manager such as 1Password or Bitwarden, or on a physical security key such as a YubiKey or Titan key? Should passkeys live on only one specific device, in a cloud service, on security keys, or in several places? This confusion and uncertainty can lead to inconsistent practices, increasing the risk of losing account access or compromising security.

  7. Platform vs. Sync Passkeys: There is often confusion about the use and limitations of platform-specific passkeys versus synchronized passkeys. Platform passkeys are tied to a specific device, while synced passkeys are replicated through a cloud service and can be used across multiple devices. Users may not fully understand these differences, leading to potential issues with access and security.
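As an added example (not part of the original article), the Python below shows how a relying party can tell a synced passkey from a device-bound one, and whether the authenticator verified the user, by reading the flags byte of the WebAuthn authenticatorData; the relying party id "example.com" and the sample authenticator data are constructed here for illustration.

```python
import hashlib
import struct

# WebAuthn authenticatorData flag bits (as defined in the WebAuthn spec).
FLAG_UP = 0x01  # User Present: the user touched/interacted with the authenticator
FLAG_UV = 0x04  # User Verified: PIN or biometric was checked on the authenticator
FLAG_BE = 0x08  # Backup Eligible: credential may be synced (a "sync" passkey)
FLAG_BS = 0x10  # Backup State: credential is currently synced/backed up


def parse_auth_data(auth_data: bytes) -> dict:
    """Parse the fixed 37-byte header of authenticatorData: rpIdHash, flags, signCount."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def classify_passkey(auth_data: bytes, rp_id: str) -> dict:
    """Decide what kind of passkey signed, and whether UV already covered a second factor."""
    p = parse_auth_data(auth_data)
    if p["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    if p["backed_up"] and not p["backup_eligible"]:
        raise ValueError("invalid flags: BS set without BE")
    if not p["user_present"]:
        raise ValueError("user presence not confirmed")
    return {
        "kind": "synced" if p["backup_eligible"] else "device-bound",
        "currently_backed_up": p["backed_up"],
        # UV means possession and PIN/biometric were both checked: no extra MFA prompt needed.
        "needs_step_up_mfa": not p["user_verified"],
        "sign_count": p["sign_count"],
    }


def constructed_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Build a minimal authenticatorData header (constructed sample, not real authenticator output)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    synced = constructed_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)
    print(classify_passkey(synced, "example.com"))
```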

In conclusion, while passkeys offer a promising alternative to traditional passwords, their implementation and use come with challenges that need to be addressed. Clear guidance, user education, and streamlined processes are essential to mitigate confusion and ensure a smooth transition to this new authentication method.

Further Reading: Modern Workplace Authentication - Introduction to passkeys