Passkeys have become one of the hottest topics in online authentication, celebrated as a leap beyond passwords but now also scrutinized for hidden risks. A recent report from a startup marketing itself as a security services provider sparked renewed debate by claiming a major flaw that supposedly undermines widely adopted passkey promise. Critics argue that the findings misinterpret how passkeys work and overlook the scope of the threat model they address. The core takeaway for defenders is that end-user devices and their environments matter as much as the cryptographic design itself. This examination unpacks what passkeys are, what the SquareX claim actually demonstrates, where the limitations lie, and how organizations and users should think about adopting passkeys in a layered security strategy.
Understanding the core technology behind passkeys
Passkeys are founded on the principles of public-key cryptography within the FIDO specifications, under the umbrella of WebAuthn as the contemporary implementation standard. In practice, a passkey represents a cryptographic key pair—the public key is registered with a website, while the private key remains securely on the user’s authentication device, such as a smartphone, a security key, or another trusted device. The registration process creates a unique key pair bound to each website the user accesses, and the site retains the public key for future verifications. When the user attempts to log in, the site issues a challenge, a pseudo-random data string, and the authentication device uses the private key to cryptographically sign that challenge. The resulting signature is sent back to the site, which uses the stored public key to confirm the signature’s validity. If the verification succeeds, access is granted, typically faster than traditional password authentication and with far stronger resistance to common password-based attacks.
Despite their elegance in theory, passkeys face practical hurdles that slow universal adoption and can complicate real-world deployment. Interoperability between different platforms—how passkeys behave when moving from one device ecosystem to another—remains imperfect. Because passkeys are relatively new, most services still require a fallback password option to recover access if a passkey becomes unavailable. This design choice is an explicit concession to user convenience and resilience, but it also means that the security benefits are not absolute. If attackers succeed in obtaining or guessing a user’s password, they can trigger login flows that undermine the advantages that passkeys are supposed to deliver. In other words, passkeys raise the bar for credential theft, but they are not a universal shield against all attack vectors.
A further point commonly emphasized by security researchers is that passkeys are designed to resist phishing and credential stuffing because the private key is bound to a specific domain. Even a well-crafted phishing page cannot obtain the private key or make it usable on a different domain. Likewise, passkeys are not meant to be revealed through social engineering or traditional password leakage channels. They are not vulnerability-free, but their threat model is narrower and, in many respects, stronger than passwords for certain classes of attacks.
From a broad security perspective, passkeys represent a shift toward a more “cryptographic” authentication paradigm. They are not a magic solution that eliminates every risk, but they are a meaningful step forward against the most persistent and damaging forms of credential compromise—phishing, password reuse, credential breaches, and credential stuffing. The key challenge remains aligning expectations with reality: the benefits are substantial, but only when the entire ecosystem—the device, the browser, the operating system, and the service backend—operates within a supported threat model that accounts for endpoint compromise and other realistic risks.
What the SquareX claim actually describes
The core of the SquareX presentation centers on a scenario in which a malicious browser extension, installed via social engineering, interferes with the passkey registration process. In this hypothetical or demonstrative scenario, the attacker allegedly binds a keypair created during registration to a legitimate site, enabling access to cloud applications used by an organization. The implication some observers draw is that passkeys can be “stolen” or compromised in a way that eliminates their protective benefit.
A careful reading reveals crucial distinctions. The described technique does not entail theft of an existing passkey from a user’s device. Rather, it describes manipulation during the registration flow, resulting in a new keypair that is controlled by the attacker and tied to the target site. If the user registers a new passkey under the attacker’s influence, the attacker could potentially control that newly created credential. However, the attacker would not have access to passkeys already stored on the user’s device or in the user’s authenticator from prior registrations. The login attempt using an established passkey would still be protected by the legitimate key bound to that site; the attacker’s manipulation would typically block normal login flows or require the user to accept a new key that the attacker controls.
This distinction matters because it frames the risk within a broader security model. A vulnerability that arises during registration and user-learner interactions is different in scope and implication from a vulnerability that allows “stealing” a passkey from a device or a server breach that exposes private keys. In the context of FIDO/WebAuthn, the threat model explicitly excludes attacks that depend solely on a compromised endpoint or an infected browser, as those conditions fall outside the protection guarantees that the protocol is designed to provide. Consequently, the claims that passkeys can be easily stolen due to endpoint compromise require careful parsing against the documented threat model and the defined security assumptions.
From a technical standpoint, the argument put forward by SquareX interacts with several well-established points about passkeys and their limitations. First, if a user already has a passkey registered for a given site, that passkey remains on the authenticator and is not at risk of being exported or stolen by a separate process. A malware-driven hijack during registration can create a different key pair controlled by an attacker, but it does not imply the destruction or exfiltration of the user’s existing credentials. Second, the FIDO/WebAuthn model deliberately assumes that the trusted environment is the endpoint, yet it also acknowledges that the end-user device can be compromised or manipulated, and therefore some protections cannot be guaranteed in all possible conditions. The research underscores specific scenarios that lie outside the standard protection envelope and emphasizes the need to treat client-side risk as an integral element of security discussions about passkeys.
In short, SquareX’s central claim—that passkeys are fundamentally insecure due to end-user device or browser compromises—requires context. It highlights an attack surface that is real in realistic environments but also one that The FIDO/WebAuthn security framework deliberately limits in scope. The ultimate takeaway is not that passkeys are untrustworthy, but that no authentication technology is immune to all endpoint risks, and security strategies must account for the realities of user devices, extensions, and social-engineering capabilities.
The endpoint reality: why endpoint compromise matters
A recurring theme in security discourse is the vulnerability introduced by the very device and software that users rely on daily. Passkeys offer strong protections against common credential theft scenarios, but they exist within a system that includes the user’s device, the browser, and the operating system. If any of these components are compromised, the protections that passkeys provide can be undermined in ways that transcend merely “stealing a private key.”
End-to-end and transport-layer protections, such as TLS and encrypted messaging, assume secure channels, but they cannot render the client device invulnerable. If an attacker can install a malicious extension, inject code into the browser, or compromise the OS, they may influence user interactions, manipulate registration flows, or intercept certain authentication prompts. Even in a world where passkeys themselves are cryptographically robust, the unit of trust remains the user’s device. If that unit is under attacker control, the adversary can subvert the process in ways that are not addressed by the passkey’s cryptographic protections alone.
This reality is not unique to passkeys; it is a challenge for any authentication system that relies on endpoints. The ubiquity of phishing and social engineering means attackers will continually seek ways to manipulate client-side environments. The fundamental defense, then, is layered: strong cryptographic authentication (like passkeys) paired with robust device security, application integrity checks, secure boot processes, trusted execution environments, and user education about social engineering and extension-based risks. The middle ground between ideal theoretical security and practical deployment is where organizations must operate, design, and test their systems.
Another aspect of endpoint risk is the need for safe onboarding and maintenance. If a user’s device gets compromised, procedures for credential revocation, re-enrollment, and key rotation become critical. Organizations should institute monitoring and anomaly detection to identify unusual registration activity or unexpected changes to passkey bindings. They should also maintain clear user-facing remediation steps that do not rely solely on cryptographic guarantees but also on operational controls, such as device attestation, administrator-approved re-enrollment, and multi-channel verification to reestablish legitimate access after a suspected compromise.
In addition, the ecosystem’s maturity matters. As passkeys become more widely adopted, cross-platform interoperability improves, but gaps remain. Some platforms require fallback authentication methods for recovery or access continuity, which, while necessary for resilience, can reintroduce vectors for credential-related abuse if not properly secured. The industry’s collective progress hinges on refining threat models, aligning them across platforms, and delivering consistent security guarantees that translate into practical protection for end users.
Reactions from security practitioners and industry voices
A spectrum of expert perspectives has emerged in response to the SquareX findings. Some observers emphasize skepticism about marketing-driven security narratives that appear to promote a commercial product under the banner of a broad security vulnerability. They argue that if a research disclosure relies on an extreme edge case or a misinterpretation of how protection layers interact, it risks sowing confusion rather than guiding practical improvements. In these views, the value lies in clarifying the limitations of the current model, not in creating a sense of alarm that could drive demand for a specific vendor solution.
Conversely, other voices acknowledge that any credible security claim deserves careful examination and replication. They stress that while no authentication scheme is perfect, the fundamental properties of passkeys—resistance to phishing, reduced reliance on memory-based secrets, and fewer opportunities for credential leakage—remain compelling advantages. These analysts highlight that the FIDO/WebAuthn framework explicitly accommodates a range of threat scenarios, including potential endpoint compromise, and that ongoing research should aim to strengthen the model rather than undermine its core goals.
A common thread across expert commentary is cautious optimism: passkeys significantly improve the security landscape compared with passwords, but their effectiveness depends on correct implementation, sound user education, and robust defense-in-depth strategies. Some critics point out that the research aligns with a broader pattern where some security narratives emphasize vulnerabilities to attract attention or to sell a product. Others stress that legitimate concerns about client-side risks do not negate the enduring principle that the absence of passwords drastically reduces a widely exploited risk vector and improves user experience in authentication.
In practical terms, security teams should measure risk in terms of real-world attacker capabilities, threat modeling, and the likelihood of endpoint compromise within their organization. They should examine their recovery processes, enforce strong device hygiene, and implement monitoring to detect unusual authenticator activity. They should also veteranly document where passkeys provide guarantees and where additional protections are necessary. The objective is to implement passkeys as part of a larger, layered defense that accounts for endpoints, user behavior, and organizational processes.
The historical context and current state of passkeys in the security landscape
The push toward passkeys arises from a long history of password-centered vulnerability, including credential phishing, password reuse, credential stuffing, and large-scale breaches. Passkeys aim to eliminate or drastically reduce these risks by eliminating shared secret passwords and by binding credentials to a specific user device and domain. The underlying philosophy aligns with a broader shift toward “passwordless” authentication, leveraging public-key cryptography and trusted device-based authorization to minimize user-centric attack surfaces.
However, the transition is not instantaneous. Major tech ecosystems have begun implementing passkeys, but broad cross-platform uniformity remains a challenge. Some service providers still rely on fallback passwords for various recovery scenarios, which introduces a potential weak link in a system otherwise designed to be stronger than password-only approaches. The lifecycle of passkeys—enrollment, synchronization across devices, re-enrollment after device loss, and revocation after device compromise—requires careful operational processes and policy governance.
From a strategic perspective, organizations should evaluate their identity and access management (IAM) posture in light of passkeys. They should map out which applications and services support passkeys today, identify critical systems where recovery options are essential, and establish clear guidelines for incidents involving compromised devices or suspected credential misuse. Training and awareness programs for users remain essential, not only to promote secure enrollment practices but also to help users recognize social-engineering attempts that could influence registration workflows.
In addition, the security research community continues to test the boundaries of passkey security. While early demonstrations may reveal edge cases, the broader body of evidence tends to support passkeys as a robust defense in depth when properly deployed. The ongoing work emphasizes the need for standardized threat models, better guidance for practitioners, and more transparent disclosures that help organizations assess risk without conflating a specific research scenario with the overall security profile of passkeys.
Practical guidance for organizations and users
For organizations, adopting passkeys should be part of a holistic security program rather than a standalone feature patch. Practical steps include:
- Conduct comprehensive threat modeling that explicitly includes endpoint compromise, browser extensions, and social engineering as part of realistic risk scenarios.
- Ensure device hygiene and endpoint security controls are strong, including up-to-date operating systems, trusted application stores, and restricted extension policies to minimize the chance of malicious software affecting authentication flows.
- Implement a robust recovery and enrollment process that minimizes user friction while maintaining strong identity verification during passkey re-enrollment after device loss or compromise.
- Maintain clear incident response playbooks that specify how to respond when registration or authentication anomalies arise, including verification steps and revocation procedures.
- Promote user education on recognizing social engineering attempts, suspicious extensions, and the importance of protecting their authentication devices.
For users, the emphasis remains on careful device management and prudent behavior online:
- Keep devices secure, use trusted app stores, and apply security updates promptly.
- Be cautious about installing browser extensions, especially from unknown or unverified sources, and regularly audit installed extensions.
- Treat passkeys as part of a broader security strategy: even with passkeys, maintain vigilance against phishing, social engineering, and device compromise.
- Know the recovery options for services you use and ensure you have legitimate, secure pathways to regain access if a passkey becomes unavailable.
From an architectural standpoint, developers and service providers should ensure their implementations align with the current FIDO/WebAuthn specifications and reflect the latest best practices. They should be transparent about any limitations, clearly communicate when a passkey-based login is possible, and avoid implying absolute security in ways that could mislead users or administrators. The goal is to deliver reliable, user-friendly authentication with clear guidance on how to handle endpoint risk and recovery scenarios.
Looking ahead: what progress and what cautions lie ahead
The evolution of passkeys is an ongoing journey rather than a finished project. As researchers continue to explore the boundaries of the technology, new discoveries will likely surface—some refining the threat model, others highlighting design decisions that warrant updates. The most constructive path forward is to view these findings as opportunities to strengthen the ecosystem: update threat models, improve interoperability, and refine deployment practices to reduce dependence on any single component of the authentication stack.
There is broad consensus that passkeys, when deployed as part of a layered security strategy, represent a significant improvement over passwords alone. They resist many of the most damaging forms of credential theft and are inherently resistant to phishing. The remaining challenges—endpoint integrity, user education, cross-platform consistency, and recovery workflows—are not showstoppers but areas that demand continued attention and investment. The security community’s ongoing dialogue, empirical testing, and transparent reporting will help bolster confidence in passkeys and accelerate their adoption where appropriate.
Organizations should avoid sensational headlines and focus on practical risk management. They should calibrate their security controls so they are robust enough to handle realistic endpoint compromises, while also preserving the user experience and accessibility that passkeys are designed to improve. The balance between security strength and usability will define the pace and success of the passwordless movement in the years ahead.
Conclusion
Passkeys signify a meaningful shift in how we think about authenticating users, reducing dependence on shared secrets and lowering the risk of common credential-based attacks. The SquareX claim highlights a real concern: any authentication system can encounter edge cases or misapplications during deployment, especially when client-side software and endpoints are involved. However, this should not be read as a wholesale indictment of passkeys or the FIDO/WebAuthn framework. Instead, it underscores the necessity of a comprehensive, defense-in-depth approach that accounts for endpoint security, user behavior, and robust recovery mechanisms.
Organizations and users should recognize both the strengths and the limitations of passkeys. When implemented thoughtfully, passkeys can dramatically raise the bar for attackers and simplify the login experience for legitimate users. The path forward lies in reinforcing endpoint integrity, improving interoperability across platforms, and maintaining clear, transparent guidance about what passkeys can and cannot protect. By coupling cryptographic protection with strong device security, proactive risk management, and informed user practices, the broader goal of more secure, user-friendly authentication remains within reach.
