Passkeys are designed to replace passwords and defeat phishing, but both Google and Microsoft caution that they are insufficient while weaker recovery methods remain attached to the account. Microsoft stated, “Each account is only as secure as its weakest credential,” meaning that a password or an SMS recovery option left on an account is still an attack surface even after passkeys have been deployed.
Google acknowledges that passkeys make online access easier and safer than passwords and traditional multi-factor authentication methods. However, the company warns that users must also enable two-step verification (2SV) on their accounts to protect against attackers who impersonate the user through the recovery process, for example by claiming that a passkey has been lost.
Weaknesses in automated recovery flows let an attacker use a weaker credential to bypass the passkey entirely: if an SMS code is enough to reset the password and re-enroll a passkey, the passkey never has to be defeated at all. According to Microsoft, deploying passkeys improves sign-in security, but many accounts still have password or SMS recovery options linked to them, and those options remain attack surfaces. “Deploying passkeys improves sign-in,” Microsoft said, before emphasizing the risk presented by weak recovery methods.
The best recovery method is a passkey for the same account on a different device. Microsoft also cited presenting a government-issued ID together with biometric verification as another high-assurance recovery option, in line with NIST recommendations for high-assurance recovery.
Microsoft targets its guidance primarily at enterprise users, whereas Google's is aimed at home users. Despite this difference, both acknowledge that services such as Gmail remain attractive targets for criminals. Google urges users to enable 2SV for added protection against unauthorized access, particularly given the risk that attackers abuse the account recovery process.
Google stresses that users should rely on two specific forms of 2SV: Google Prompts and an authenticator app on a mobile device. Both Google and Microsoft advise against relying on SMS one-time codes, which they classify as a weak form of multi-factor authentication that should be disabled entirely in favor of stronger alternatives.
Although passkey adoption is growing, Microsoft warns that their effectiveness depends on users removing phishable credentials from the account entirely. Google stresses that passkeys, while an important step, are not a complete solution, particularly as attackers increasingly target recovery flows and fallback authentication methods.
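The "weakest credential" rule described above, and the SMS-recovery bypass it warns about, worked through as an added example (this is not code from the article, Google or Microsoft). The credential names, the strength scores, the phishability flags and the three account configurations are this example's own assumptions, chosen to follow the ordering the article gives: passkeys and ID-plus-biometric proofing strongest, an authenticator app weaker, passwords and SMS codes weakest. The audit treats recovery as a graph in which holding one set of credentials lets an attacker reset another, and reports the cheapest path to account control rather than the strength of the headline credential.

```python
"""Weakest-credential audit of an account (added example; not a Google or
Microsoft tool).  Model: STRENGTH is the attacker's cost to obtain a credential
outright; a sign-in method is a set of credentials that must all be presented;
recovery[c] lists sets any one of which lets the holder reset c, after which c
costs only what that set cost; a set costs as much as its hardest member; the
account's effective strength is its cheapest sign-in method after resets."""
from dataclasses import dataclass, field

# Assumed (strength, phishable) per credential, following the article's ordering.
CREDENTIALS = {
    "passkey": (4, False),
    "passkey_other_device": (4, False),
    "gov_id_biometric": (4, False),
    "authenticator_app": (2, True),
    "password": (1, True),
    "sms_otp": (1, True),
}


@dataclass
class Account:
    sign_in: list[frozenset[str]]
    recovery: dict[str, list[frozenset[str]]] = field(default_factory=dict)


def credential_costs(acct: Account):
    """Fixpoint: cost[c] = min(own strength, cost of any set that resets c).
    Costs only decrease and are bounded, so the loop terminates; a cycle
    (A resets B, B resets A) simply stops producing improvements."""
    creds = set()
    for m in acct.sign_in:
        creds |= m
    for c, sets in acct.recovery.items():
        creds |= {c}.union(*sets)
    cost = {c: CREDENTIALS[c][0] for c in creds}
    via: dict[str, frozenset[str]] = {}   # the reset route that set cost[c]
    changed = True
    while changed:
        changed = False
        for c, sets in acct.recovery.items():
            for m in sets:
                mc = max(cost[x] for x in m)
                if mc < cost[c]:
                    cost[c], via[c], changed = mc, m, True
    return cost, via


def audit(acct: Account) -> dict:
    """Effective strength, weakest sign-in method, the reset chain an attacker
    would follow, and the phishable credentials that chain depends on."""
    cost, via = credential_costs(acct)

    def set_cost(m: frozenset[str]) -> int:
        return max(cost[x] for x in m)

    weakest = min(acct.sign_in, key=lambda m: (set_cost(m), sorted(m)))
    steps: list[str] = []
    leaves: set[str] = set()   # credentials the attacker must actually obtain

    def expand(c: str, seen: frozenset[str]) -> None:
        if c in via and c not in seen:
            steps.append(f"reset {c} via {' + '.join(sorted(via[c]))}")
            for x in sorted(via[c]):
                expand(x, seen | {c})
        else:
            leaves.add(c)

    for c in sorted(weakest):
        expand(c, frozenset())
    return {
        "effective_strength": set_cost(weakest),
        "weakest_sign_in": tuple(sorted(weakest)),
        "steps": steps,
        "phishable_on_path": sorted(x for x in leaves if CREDENTIALS[x][1]),
    }


# Constructed scenarios mirroring the article's advice.
SCENARIOS = {
    # Passkey only; recovery needs a second passkey or ID-plus-biometric proofing.
    "passkey_only": Account(
        sign_in=[frozenset({"passkey"})],
        recovery={"passkey": [frozenset({"passkey_other_device"}),
                              frozenset({"gov_id_biometric"})]}),
    # Passkey deployed, but a "lost" passkey is re-enrolled after a password
    # reset that SMS alone can trigger, so the passkey is bypassed entirely.
    "passkey_with_sms_recovery": Account(
        sign_in=[frozenset({"passkey"})],
        recovery={"passkey": [frozenset({"password", "sms_otp"})],
                  "password": [frozenset({"sms_otp"})]}),
    # Password + authenticator-app 2SV, but SMS can reset the authenticator.
    "2sv_with_sms_fallback": Account(
        sign_in=[frozenset({"password", "authenticator_app"})],
        recovery={"authenticator_app": [frozenset({"sms_otp"})]}),
}

if __name__ == "__main__":
    for name, acct in SCENARIOS.items():
        print(name, audit(acct))
```

Running the script shows the point of the article in numbers: the account with only high-assurance recovery keeps an effective strength of 4, while the account whose lost-passkey flow falls back to password plus SMS drops to 1, with the reset chain and the two phishable credentials listed. The 2SV account shows why both vendors say to disable SMS rather than merely deprioritize it: an SMS route that can reset the authenticator app reduces the whole method to the strength of the SMS code.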