
Avoiding vendor lock-in with passkeys

by Mark Rowe

Passkeys mark a breakthrough in online security by offering passwordless authentication, using a cryptographic key pair whose private half is stored securely on a user’s device, says Craig Lurey, CTO and co-founder, Keeper Security.

A recent study shows 80 per cent of organisations are adopting or planning to adopt passkeys to reduce the risks of phishing and credential stuffing associated with traditional passwords. However, while passkeys enhance security, they also introduce a new risk: vendor lock-in. This term refers to becoming overly reliant on a single platform or service, making it difficult to transition to another provider without incurring costs or losing access to critical services.

Passkey creation and storage

Passkeys use asymmetric cryptography: the private key remains on the user’s device, and the service (the relying party) stores only the public key, which it uses to verify a signature over a fresh challenge at each login. This is what makes passkeys resistant to phishing and credential stuffing, but it also means the private key is the one thing that must move when a user changes platforms, and it introduces challenges in key management. Many passkey solutions are tied to specific platforms or ecosystems. For instance, Apple’s passkey implementation is deeply linked with iCloud Keychain, locking users into Apple’s platform. Without easy export mechanisms, users may face difficulties migrating passkeys to different platforms, raising concerns about data portability and vendor lock-in.
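The ceremony described above, as an added example that is not code from the article or from Keeper Security: a self-contained Go simulation of a WebAuthn-style registration and login, with a device-side store that alone holds private keys and a relying party that holds only public keys. The relying party origin, the look-alike origin, the credential-ID format and the zeroed authenticatorData are assumptions made for the example; the signing input (authenticatorData followed by the SHA-256 of clientDataJSON) and the server-side checks follow the WebAuthn ceremony. It goes slightly beyond the text by showing the lock-in consequence directly: a second device without the private key cannot produce an assertion, and the relying party has nothing it could give it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// clientData: the WebAuthn clientDataJSON fields that matter here. The browser, not the web page, sets Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the authenticator's answer to a login challenge; Signature is DER-encoded ECDSA.
type Assertion struct {
	CredentialID                                string
	ClientDataJSON, AuthenticatorData, Signature []byte
}

// Authenticator stands in for the passkey store (platform keychain or hardware key), the only holder of private keys.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register mints a P-256 key pair for one relying party and hands back only the credential ID and public key.
func (a *Authenticator) Register() (string, *ecdsa.PublicKey) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if the OS random source is unavailable
	raw := make([]byte, 16)
	rand.Read(raw) // random credential ID, as a real authenticator would issue (assumed format)
	id := base64.RawURLEncoding.EncodeToString(raw)
	a.keys[id] = priv
	return id, &priv.PublicKey
}

// signedBytes reproduces the WebAuthn signing input: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedBytes(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// Assert signs the RP's challenge under the origin the browser observed.
func (a *Authenticator) Assert(credID string, challenge []byte, origin string) (*Assertion, error) {
	priv, ok := a.keys[credID]
	if !ok {
		return nil, fmt.Errorf("no private key for credential %s on this device", credID)
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	authData := make([]byte, 37) // real authData carries rpIdHash, flags and a counter; zeros suffice to show the flow
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedBytes(authData, cd))
	return &Assertion{credID, cd, authData, sig}, err
}

// RelyingParty is the web service. It keeps public keys only: it can verify logins but never move a credential.
type RelyingParty struct {
	Origin string
	Creds  map[string]*ecdsa.PublicKey // credential ID -> public key
}

// Verify checks credential, ceremony type, challenge, origin and signature, in that order.
func (rp *RelyingParty) Verify(as *Assertion, challenge []byte) error {
	pub, ok := rp.Creds[as.CredentialID]
	if !ok {
		return fmt.Errorf("unknown credential")
	}
	var cd clientData
	_ = json.Unmarshal(as.ClientDataJSON, &cd) // malformed JSON leaves cd zeroed and fails the type check
	switch {
	case cd.Type != "webauthn.get":
		return fmt.Errorf("wrong ceremony type")
	case cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge):
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	case cd.Origin != rp.Origin:
		return fmt.Errorf("origin %q is not %q: signed on a look-alike site", cd.Origin, rp.Origin)
	case !ecdsa.VerifyASN1(pub, signedBytes(as.AuthenticatorData, as.ClientDataJSON), as.Signature):
		return fmt.Errorf("bad signature")
	}
	return nil
}

func main() {
	rp := &RelyingParty{Origin: "https://bank.example", Creds: map[string]*ecdsa.PublicKey{}} // assumed RP
	device := NewAuthenticator()
	id, pub := device.Register()
	rp.Creds[id] = pub
	challenge := make([]byte, 32)
	rand.Read(challenge)
	for _, origin := range []string{"https://bank.example", "https://bank-example.login"} {
		as, _ := device.Assert(id, challenge, origin)
		fmt.Printf("login via %s: %v\n", origin, rp.Verify(as, challenge))
	}
	_, err := NewAuthenticator().Assert(id, challenge, "https://bank.example")
	fmt.Println("second device, RP holds only the public key:", err)
}
```

Run it with `go run`. The second login fails because the browser, not the page, records the origin inside the signed clientDataJSON (in the live API the browser additionally refuses to use a credential on a foreign rpId, so the server-side origin check is defence in depth). The third case is the portability problem the article is about: the relying party cannot re-issue a passkey to a new device, so moving the private key is the only way to migrate, and whoever controls that store controls the user's ability to leave.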

Efforts by the FIDO Alliance, the industry group behind the FIDO2 and WebAuthn standards, aim to standardise passkeys for broader use. However, inconsistencies in implementation across platforms prevent seamless migration, reinforcing vendor dependency. Recognising this challenge, the FIDO Alliance has been working on the Credential Exchange Protocol and its companion Credential Exchange Format, designed to give credential providers a common, encrypted way to import and export credentials, including passkeys. Companies such as Apple and Google are participating in this initiative, which could significantly reduce vendor lock-in.

Browser Password Managers

Passkeys are increasingly being managed through browser-based password managers such as those in Chrome, Safari and Edge. While convenient, this integration can lock users into specific browsers or ecosystems. For instance, passkeys saved through Google Chrome are stored in Google Password Manager and tied to a Google account, and a user moving to another browser or to a third-party password manager may find there is no supported way to transfer them.

Similarly, vendor-specific password managers like Apple’s iCloud Keychain often limit export options and are optimised for their own ecosystems. This lack of flexibility creates significant hurdles for users who want to work across platforms or migrate to alternative solutions, particularly where migration tools are unavailable or inadequate.

Additional issues with passkeys

Beyond browser and password manager lock-in, passkeys also raise the question of backup. Hardware-backed key storage such as Apple’s Secure Enclave, or the Trusted Platform Module (TPM) that Windows Hello uses, adds security but ties a device-bound passkey to that one piece of hardware: if the device is lost or fails, the private key goes with it and the credential must be re-registered. Synced passkeys avoid this by backing the key up to the vendor’s cloud keychain, but that backup is only as portable as the vendor allows. Regional restrictions and compliance measures can further complicate passkey usability across borders, reinforcing users’ reliance on a single vendor.

Mitigating Vendor Lock-In Issues with Passkeys

To mitigate these risks, several actions are necessary:

Standardisation: Continued support for standards like FIDO2 and the Credential Exchange Protocol is essential to ensure compatibility and reduce fragmentation across platforms.
Portable Passkeys: Vendor-agnostic passkey formats would empower users to migrate easily between platforms without lock-in.
Third-Party Integration: Allowing third-party password managers to access passkeys would help break ecosystem dependency.
Robust Export Tools: Vendors should offer secure export options so that users keep long-term control over their credentials. Because an export necessarily moves private keys, it must be encrypted end to end and gated on user verification; otherwise the export path itself becomes a way to steal every passkey at once.
Consumer Education: Educating users on the risks of vendor-specific passkeys will help them make informed choices about authentication solutions.
Regulatory Oversight: Governments and regulatory bodies should enforce standards for data portability to prevent monopolistic practices.

While passkeys are a transformative leap in digital authentication, addressing vendor lock-in is crucial to empowering users and ensuring security. A password manager that stores and syncs passkeys independently of any single operating system or browser lets users adopt the technology without being bound to one platform. By focusing on standardisation, portability and user control, the passkey ecosystem can offer a secure, flexible future.
