OneSpan: Pros and Cons of Passkeys: Why Stronger Authentication Starts Here

Transformational technologies are always closely examined—and rightly so. Any innovation that changes the status quo deserves thoughtful scrutiny, including a clear understanding of both benefits and potential drawbacks. The real risk, however, appears when attention becomes disproportionate: when edge cases receive more focus than the overwhelming gains.

That is exactly the situation today with passkeys.

Passkeys—also known as passwordless FIDO credentials—represent a fundamental shift in how users authenticate online. They are phishing-resistant, easy to use, and based on open, future-proof standards supported across the technology ecosystem. While still new to many users, passkeys are following a familiar adoption curve—similar to how Touch ID and Face ID quickly became the default for secure mobile access once introduced.

Why Passkeys Are More Secure Than Passwords

At their core, passkeys deliver stronger security with less friction:

• No secrets to steal - Passkeys cannot be phished because there is no shared secret like a password.
• Resistant to fake websites and MITM attacks - Adversary-in-the-middle attacks fail because attackers do not possess the private cryptographic key required to authenticate.
• Attacks do not scale - To compromise a passkey, an attacker would need physical access to the user’s device and their biometric or local verification method.
• Simpler user experience - Users authenticate with a fingerprint, face scan, or device unlock—no passwords to remember. All cryptographic complexity remains invisible. 

This combination dramatically reduces account takeover risk while improving usability—an outcome rarely achieved with traditional authentication methods.

Addressing the Perceived Security Risks

Despite these advantages, passkeys are sometimes criticized for not being “perfect.” In practice, most concerns fall into a few limited edge cases.

Edge Case #1: Protection of Synced Passkeys

Some worry about how synced passkeys—stored by platform providers such as Apple or Google, or protected by password managers—are secured. In reality, this risk is far lower than with passwords. Passwords can be easily phished, reused, or guessed. Passkeys, by contrast, are phishing-resistant by design and protected by strong cryptography. Compromising a passkey would require account takeover at the platform level or fraudulent key restoration—an attack that is orders of magnitude more complex.

Edge Case #2: Key Transport and Synchronization

While synchronization mechanisms may be proprietary, major platform providers use strong encryption for both passkeys and password synchronization today. The security posture is not weaker than existing password-based approaches—and in practice, significantly stronger.

Edge Case #3: Passkey Sharing

Yes, passkeys can be shared (for example, via AirDrop). But passwords can be shared just as easily—and unlike passkeys, passwords can also be brute-forced or guessed. Sharing does not negate the fundamental security improvements passkeys introduce.

Why Edge Cases Don’t Outweigh the Benefits

Risk awareness is important—but it must be balanced against impact.

Imagine securing a building with dozens of weak locks that can be broken with minimal effort. You’re offered a modern, high-security locking system that protects nearly every entry point—except one hard-to-reach window. Rejecting the entire upgrade because of that single edge case would leave all doors vulnerable.

That’s what happens when organizations dismiss passkeys due to rare scenarios while ignoring their massive reduction in attack surface.

Even when deployed alone, passkeys significantly improve security. In regulated or high-assurance environments, organizations can go further by combining device-bound passkeys, synced passkeys, and additional trust signals to address exceptional cases without sacrificing usability.

The Role of Passkeys Going Forward

One-time passwords (OTPs) and other MFA methods will continue to play an important role—particularly where regulatory or assurance requirements demand them. But passkeys are redefining the foundation of authentication by making strong security seamless for everyday access.

As an official distributor of OneSpan, Softprom helps organizations adopt passkey-based authentication in a way that aligns with compliance, risk management, and user experience requirements. With OneSpan’s FIDO-based solutions, businesses can move beyond passwords confidently—reducing fraud while improving digital trust.