A recent study has highlighted potential dangers associated with passkeys, a login method often touted as more secure than traditional passwords. While passkeys provide strong defenses against phishing, they may inadvertently expose users to risks in situations like intimate partner violence or human trafficking.
Presented at the 2025 USENIX Security Symposium in Seattle, the study is a collaborative effort led by Ph.D. candidates Alaa Daffalla and Arkaprabha Bhattacharya, alongside professors Thomas Ristenpart and Nicola Dell from Cornell Tech, with contributions from researchers at NYU and the University of Wisconsin-Madison.
The research introduces a six-stage “abusability analysis” framework designed to scrutinize how digital authentication tools might be misused. This framework aims to assist researchers and product teams in identifying potential threats within features meant for security.
The team applied their framework to 19 popular platforms that support passkeys, such as Google, Amazon, PayPal, and TikTok. They discovered seven unique ways passkeys could be exploited. These “abuse vectors” range from simple methods, like adding an attacker’s fingerprint to a device, to more complex actions, such as cloning passkeys via AirDrop.
One alarming scenario depicted an attacker using an exported passkey from an unlocked phone to monitor a victim's activity covertly. Another involved an attacker locking a victim out of their account by revoking passkeys remotely. The study pointed out that many services do not notify users of such changes, leaving them vulnerable.
Findings indicate severe inconsistencies in how passkeys are managed across different services. Some platforms fail to offer essential features like passkey revocation or session management. This inconsistency leaves users blind to unauthorized access to their accounts.
To mitigate these risks, the researchers have proposed practical solutions including improving user interfaces for passkey management, issuing clear notifications for credential changes, and enforcing stricter control over passkey sharing. They urge technology companies to adopt their abusability analysis framework to preemptively identify risks during product development.
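As an added illustration of the mitigations proposed above (a notice on every credential change, delivered to all of the user's contact channels rather than only to the device that made the change, and revocation that also ends any session opened with the revoked passkey), here is a small model of a relying party's passkey registry. It is example code, not the study's or any platform's, and the credential IDs, session IDs and contact channels are constructed placeholders.

```python
"""Passkey credential lifecycle with change notifications and session teardown.

Added example, not code from the study or from any of the 19 platforms it
examined. It models the relying-party (server) side only; the WebAuthn
handshake is out of scope, so credential IDs and contact channels are
constructed placeholders.
"""
from dataclasses import dataclass, field

@dataclass
class Account:
    user: str
    channels: list                                   # out-of-band contacts to notify
    passkeys: dict = field(default_factory=dict)     # cred_id -> human-readable label
    sessions: dict = field(default_factory=dict)     # session_id -> cred_id that opened it
    outbox: list = field(default_factory=list)       # (channel, message) pairs "sent"

def notify(acct, message):
    """Send the same notice to every registered channel, not only the device
    that made the change, so a user on another device learns of it."""
    for ch in acct.channels:
        acct.outbox.append((ch, message))

def register_passkey(acct, cred_id, label):
    if cred_id in acct.passkeys:
        raise ValueError("credential already registered")
    acct.passkeys[cred_id] = label
    notify(acct, f"New passkey added: {label}. Not you? Review your passkeys.")

def revoke_passkey(acct, cred_id):
    """Remove a passkey and end every session opened with it, so an exported
    or cloned copy cannot keep an existing login alive. Returns ended sessions."""
    label = acct.passkeys.pop(cred_id)
    ended = [sid for sid, c in acct.sessions.items() if c == cred_id]
    for sid in ended:
        del acct.sessions[sid]
    msg = f"Passkey removed: {label}; {len(ended)} session(s) ended."
    if not acct.passkeys:
        # Warn explicitly: the account now has no passkey, the lockout scenario.
        msg += " No passkeys remain on this account."
    notify(acct, msg)
    return ended

def login(acct, cred_id, session_id):
    """Open a session bound to the credential that authenticated it."""
    if cred_id not in acct.passkeys:
        raise PermissionError("unknown or revoked credential")
    acct.sessions[session_id] = cred_id
    notify(acct, f"New sign-in with passkey {acct.passkeys[cred_id]}.")
```

Binding each session to the credential that opened it is what lets a revocation also terminate the sessions an attacker may already hold.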
This study underscores the need for security tools to consider social abuse dynamics, aiming to create safer digital environments for users at risk. Supported by the Baldwin Wisconsin Idea Grant, the National Science Foundation, and the Google Cyber NYC Program, this research provides a roadmap for more inclusive digital authentication.