Passkey Theft Risks: Securing Your Passwordless Future When Devices Go Missing
The encrypted reality of stolen passkeys
When your smartphone vanishes with passkeys onboard, the immediate fear is palpable: could thieves drain your bank or raid your email? Unlike physical keys, passkeys aren't readily extractable secrets. As David Berlind reports for ZDNET, these credentials are either hardened within device security modules (TPM/secure enclave) or encrypted inside credential manager vaults—inaccessible without biometrics or PINs. Yet recent Spiceworks community discussions highlight legitimate concerns about edge cases in our passwordless transition.
Defense in depth: How protection works
- Hardware barriers: Device-specific passkeys bind to security chips requiring live authentication. Android's Private Space and iOS app lockdowns add compartmentalization.
- Credential manager safeguards: Synced passkeys in tools like 1Password or Bitwarden demand re-authentication before revealing secrets, creating dual gates.
- Remote kill switches: Services like Find My Device enable remote wiping—especially potent when paired with auto-wipe triggers after repeated failed unlocks.
As Microsoft Identity Standards designer James Hwang explains, "It's dependent on the security protecting passkeys on that device. The thief would need to defeat multiple authentication layers."
When defenses might falter
Despite robust encryption, vulnerabilities emerge in specific scenarios:
- Pre-authenticated devices: A snatched phone already unlocked grants temporary access. Solution architects recommend password-protecting authenticator apps and sensitive financial applications separately.
- Legal coercion: Courts increasingly compel biometric unlocks during investigations. Some experts suggest prioritizing complex PINs over fingerprints for high-risk accounts.
- Credential manager weaknesses: Not all password managers offer granular session revocation. Dashlane and 1Password allow device-wide deauthentication, while others lack surgical control.
The revocation dilemma
Should you mass-delete passkeys post-theft? Hwang argues it's impractical: "Resetting hundreds of credentials would be crazy." Instead, strategic preparation is key:
1. **Namespace your keys:** Label passkeys clearly (e.g., "iPhone 15 Pro passkey") in services like Microsoft Live
2. **Track enrollment:** Note creation dates and browsers used for non-renamable passkeys (e.g., Shopify)
3. **Targeted removal:** Unenroll device-specific keys from critical accounts post-theft
Ecosystem gaps demand caution
A critical flaw persists: no API links credential manager deletions to relying party unenrollment. If you remove a passkey from 1Password, it remains active on the service provider's server until manually revoked—a tedious process the FIDO Alliance acknowledges must be addressed. As Berlind observes, this disconnection forces users into manual cleanup marathons for marginal security gains.
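The three-step preparation above (label keys, track enrollment details, remove targeted keys after a theft) and the manager-to-relying-party gap described here can be turned into a small inventory and checklist tool. The following is an added example, not code from the article or from any credential manager; the service names, device names and the `PasskeyRecord` fields are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PasskeyRecord:
    relying_party: str       # service the key is enrolled with, e.g. "bank.example"
    device: str              # device holding the key, or that created the synced key
    created: date            # enrollment date, for RPs that only show timestamps
    user_agent: str          # browser or app used at enrollment
    label: str = ""          # name shown at the RP; "" if the RP cannot rename keys
    synced_via: str = ""     # credential manager name, or "" for a device-bound key
    critical: bool = False   # email, banking, identity-provider accounts


def identify(rec: PasskeyRecord) -> str:
    """How to find this key in the RP's security settings page."""
    if rec.label:
        return rec.label
    return f"created {rec.created.isoformat()} via {rec.user_agent}"


def revocation_plan(inventory, lost_device):
    """Ordered checklist for a lost device.

    Device-bound keys must be unenrolled at each relying party by hand:
    deleting a key in a credential manager does not revoke it server-side,
    so RP unenrollment is the only step that actually disables it.
    Synced keys remain usable from other devices; the action there is to
    deauthenticate the lost device in the manager. Critical accounts first.
    """
    affected = [r for r in inventory if r.device == lost_device]
    affected.sort(key=lambda r: (not r.critical, r.relying_party))
    plan, managers = [], []
    for r in affected:
        if r.synced_via:
            if r.synced_via not in managers:
                managers.append(r.synced_via)
        else:
            plan.append(("unenroll", r.relying_party, identify(r)))
    return [("deauthenticate_device", m, lost_device) for m in managers] + plan


# Constructed sample inventory (hypothetical services and devices).
INVENTORY = [
    PasskeyRecord("bank.example", "iPhone 15 Pro", date(2024, 3, 2), "Safari",
                  label="iPhone 15 Pro passkey", critical=True),
    PasskeyRecord("shop.example", "iPhone 15 Pro", date(2024, 5, 9), "Safari"),
    PasskeyRecord("mail.example", "iPhone 15 Pro", date(2024, 1, 14), "Safari",
                  label="iPhone 15 Pro passkey", synced_via="1Password", critical=True),
    PasskeyRecord("mail.example", "Work laptop", date(2024, 1, 20), "Chrome",
                  label="Laptop passkey", critical=True),
]

if __name__ == "__main__":
    for step in revocation_plan(INVENTORY, "iPhone 15 Pro"):
        print(step)
```

The unlabelled `shop.example` entry shows why tracking the creation date and browser matters: that is the only way to pick the right key out of the RP's list when renaming is not offered.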
Beyond the breach
While encryption and authentication create formidable barriers, true security requires proactive habits: configuring auto-lock timers, enabling remote wipe, and structuring passkeys for surgical revocation. As credential managers evolve toward cross-device session control, users must navigate today's fragmented landscape with disciplined credential hygiene—because in the passwordless future, your greatest vulnerability might literally be in your pocket.
Source: Adapted from David Berlind's reporting for ZDNET