Passkeys are designed to replace passwords and combat phishing attacks, but Google and Microsoft caution that they are insufficient if weaker recovery methods remain in use. “Each account is only as secure as its weakest credential,” Microsoft stated, noting that passwords and SMS recovery can create new vulnerabilities even after passkeys are deployed.
Google acknowledged that “passkeys are an easier and safer way to access online accounts compared to passwords and even traditional multi-factor methods,” but stressed that they are not entirely safe on their own. The company warned users that “even when you normally use a passkey, it’s important to secure your account with two-step verification (2SV).” This added layer of security is essential, particularly if someone attempts to impersonate the user and claims to have lost their passkey.
Automated recovery processes that exploit weaker credentials can bypass a passkey, making it essential to secure accounts further. Microsoft flagged account recovery as a new attack surface as passkey adoption increases and traditional attack methods decline. “Deploying passkeys improves sign-in,” Microsoft noted, “but most accounts still have a password or SMS method attached ‘just in case’ — and as long as those credentials exist, they’re an attack surface.”
The recommended recovery method involves using the account’s passkey on a different device to complete any recovery steps. Microsoft also suggested high-assurance recovery methods that require government-issued ID and biometric verification, such as a face scan, saying, “As NIST recommends, high-assurance recovery requires government-issued ID and biometric verification.”
This guidance primarily targets enterprise users for Microsoft and home users for Google. Despite the different audiences, both companies recognize the threats that persist. Google highlighted that high-value accounts like Gmail are under constant attack, urging users to implement 2SV to enhance security. Users should also select effective forms of 2SV, such as Google Prompts or an Authenticator app, while abandoning SMS one-time codes, which are regarded as weaker methods.
As passkey adoption accelerates, Microsoft reiterated that the protections will only work if users eliminate all phishable credentials. Google’s warning about the limitations of passkeys is particularly relevant as attackers begin focusing on recovery flows and fallback authentication methods. The ongoing evolution of threats necessitates a comprehensive security strategy that includes robust recovery methods beyond just implementing passkeys.
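As an added illustration of the "weakest credential" argument above (not code from Google, Microsoft or NIST), the following audit scores every sign-in and recovery path an account exposes and takes the minimum, so a phishable fallback kept "just in case" drags the whole account down to its level. The factor names and the 1-4 scores are constructed for this example, not a published assurance scale.

```python
"""Weakest-credential audit for a passkey-enabled account.

Constructed example: an attacker picks the weakest sign-in or recovery
path and must defeat every factor on it. Factor names and 1-4 scores are
illustrative, not a published assurance scale.
"""

# (score, phishing_resistant) per factor, following the article's ordering:
# SMS/password weakest, app/prompt 2SV stronger, passkeys and ID+biometric
# recovery strongest.
FACTORS = {
    "password":             (1, False),
    "sms_otp":              (1, False),
    "authenticator_app":    (2, False),
    "google_prompt":        (2, False),
    "passkey":              (3, True),
    "passkey_other_device": (3, True),   # recovery with the account's own passkey
    "gov_id_biometric":     (4, True),   # NIST-style high-assurance recovery
}

# A path is (kind, factors); every factor on a path must be satisfied.
Path = tuple[str, tuple[str, ...]]

def path_score(path: Path) -> int:
    """Attacker must defeat all factors, so a path is as strong as its strongest."""
    return max(FACTORS[f][0] for f in path[1])

def path_phishing_resistant(path: Path) -> bool:
    return any(FACTORS[f][1] for f in path[1])

def audit(paths: list[Path]) -> dict:
    """Account assurance = min over paths: the attacker chooses the route."""
    weakest = min(paths, key=path_score)
    return {
        "effective_score": path_score(weakest),
        "weakest_path": weakest,
        "phishing_resistant": all(map(path_phishing_resistant, paths)),
        "findings": [f"{kind} via {'+'.join(fs)} is phishable; remove or replace it"
                     for kind, fs in paths if not path_phishing_resistant((kind, fs))],
    }

# Constructed sample: passkey added, but password/SMS fallbacks kept "just in case".
BEFORE: list[Path] = [("signin", ("passkey",)),
                      ("signin", ("password", "sms_otp")),
                      ("recovery", ("sms_otp",))]
# Same account after retiring phishable fallbacks for the recommended methods.
AFTER: list[Path] = [("signin", ("passkey",)),
                     ("recovery", ("passkey_other_device",)),
                     ("recovery", ("gov_id_biometric",))]
```

Running `audit(BEFORE)` reports an effective score of 1 with two phishable paths flagged, while `audit(AFTER)` reports 3 and no findings, even though the passkey itself is unchanged.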