Passkeys, the cryptographic alternative to passwords, have been rolled out across hundreds of major online services over the past few years. Backed by large technology companies, they are marketed as being safer and more convenient than traditional logins. Unlike passwords, which can be guessed, stolen, or phished, passkeys are public-key credentials: a private key is held on the device (or in its synced keychain) and a matching public key is registered with the service, so a login is a signature the service verifies rather than a secret the user types. Biometrics or a PIN unlock the key locally and are never sent to the service. This shift has been hailed as a milestone toward a password-free internet, with millions of users already relying on the system for everyday accounts.
Looking beyond technical threats
While passkeys are designed to resist phishing and large-scale account takeovers, researchers warn that the technology may overlook a different class of risk. A new study led by Cornell University, together with partners at New York University and the University of Wisconsin, looked at what happens when digital security tools are used in the context of interpersonal abuse. These are situations where an attacker may be a partner, relative, or caregiver with physical or remote access to a victim’s devices. Unlike traditional hackers, such adversaries can exploit social proximity, coercion, or trust, creating attack surfaces that conventional security models rarely address.
A framework for identifying misuse
To investigate these overlooked risks, the researchers created what they call an “abusability analysis framework.” It is a six-stage process designed to uncover how security features, intended to protect accounts, can instead be repurposed for harm. The framework moves from defining possible threat models to testing real-world services and summarising abuse scenarios in plain terms. By applying this structured method, the team examined 19 popular platforms that already support passkeys, including large technology firms, retailers, and social apps.
Abuse pathways uncovered
Testing revealed seven main ways in which passkeys could be misused in abusive contexts. Some involved straightforward actions, such as adding an attacker's fingerprint or face scan to a victim's device: because a passkey is unlocked by whatever biometric or PIN the device accepts, an extra enrolled fingerprint makes every passkey on that device usable by the attacker. Others were more technical, including exporting a passkey through AirDrop or synchronisation tools so that it could be used from another device indefinitely. Attackers could also register their own passkey on a victim's account or revoke legitimate ones remotely, leaving the account owner locked out.
The study also documented cases where passkey entries could be manipulated to display misleading information. Spoofed device names or login locations could make it harder for a victim to detect unauthorised access. Because many services do not provide detailed alerts when passkeys are added, removed, or exported, the abuse often remains invisible.
Scenarios drawn from everyday life
The researchers illustrated their findings through real-world scenarios that mirror daily digital interactions. In one case, a teenager who had learned a schoolmate's Roblox login details used the account settings to revoke all existing passkeys, cutting the victim off from their games with no recovery options. In another, a partner secretly exported a TikTok passkey from an unlocked phone using AirDrop, maintaining long-term access to private messages even after the victim reset their password. In workplace settings, colleagues were able to take advantage of unattended devices to register or exploit passkeys without the account holder's knowledge.
These examples showed how interpersonal threats differ from anonymous cyberattacks. The abuse typically arises not from technical sophistication but from ordinary moments of shared access, such as borrowing a device or knowing a login code.
Inconsistent protections across services
A striking finding was how unevenly different platforms handle passkey management. Some companies offered basic protections such as email notifications when a passkey was added or revoked, while others gave no warning at all. Certain services did not allow users to revoke passkeys once created, or failed to terminate active sessions even after revocation. In several cases, cloned or exported passkeys continued to work with no way for the victim to detect or disable them.
The study also noted that service dashboards often use vague or misleading labels, such as generic device names, that obscure what credentials are active. Spoofing techniques, like changing the browser's reported user agent or routing traffic through a VPN so a different location is logged, made it easy for attackers to disguise their activity further, since dashboards typically display only what the client chose to report. These design flaws compounded the difficulty for victims trying to understand whether their accounts had been compromised.
Recommendations for safer design
To address these gaps, the researchers outlined practical steps that service providers could adopt. Clearer user interfaces for passkey management, consistent notifications when credentials are changed, and stricter limits on exporting or sharing passkeys were among the main suggestions. The study also urged companies to adopt the abusability analysis framework as part of their product testing. By simulating real-world abuse scenarios before rolling out new features, developers could reduce the risks that vulnerable users face.
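The gaps described above (no notification when a passkey is added or revoked, sessions surviving revocation, dashboards that show only client-supplied device names, cloned passkeys that keep working) and the recommendations that follow from them can be made concrete in a small relying-party model. The example below is added here and is not code from the study or from any of the services it tested; it is a toy in-memory model where `Account`, `Passkey`, the notification list and the AAGUID strings are all constructed placeholders for a real database, mail or push channel, and attestation data. It shows three things a practitioner would want: every credential lifecycle change is recorded and notified, revocation terminates the sessions that credential created, and the dashboard pairs the untrusted user-chosen label with server-observed facts (authenticator AAGUID, creation time, creating IP) that the client cannot rewrite. It also shows why exported passkeys go undetected: the WebAuthn signature counter can flag a cloned hardware authenticator, but synced passkeys typically report a counter of zero, so that check is silent for exactly the credentials that are easiest to copy.

```python
"""Toy relying-party model of passkey lifecycle hardening.

Added example, not code from the study or any tested service. Assumptions:
in-memory dicts stand in for the database and session store, `notifications`
stands in for an email/push channel, and AAGUIDs and IPs are constructed.
Signature verification is assumed to happen before authenticate() is called.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import secrets


@dataclass
class Passkey:
    cred_id: str
    aaguid: str             # authenticator model from attestation; server-observed
    created_at: datetime    # server clock, never client-supplied
    created_ip: str
    sign_count: int = 0
    label: str = ""         # client-chosen friendly name: display only, untrusted
    revoked: bool = False


@dataclass
class Account:
    user: str
    passkeys: dict = field(default_factory=dict)   # cred_id -> Passkey
    sessions: dict = field(default_factory=dict)   # session_id -> cred_id
    notifications: list = field(default_factory=list)
    audit: list = field(default_factory=list)


def _event(acct, kind, cred_id, detail):
    """Audit every credential change and push it out of band; the study found
    that many services send no alert at all on add, remove or export."""
    acct.audit.append({"kind": kind, "cred_id": cred_id, **detail})
    acct.notifications.append(f"{kind}: passkey {cred_id} {detail}")


def register_passkey(acct, cred_id, aaguid, ip, label="", now=None):
    if cred_id in acct.passkeys:
        raise ValueError("credential already registered")
    pk = Passkey(cred_id, aaguid, now or datetime.now(timezone.utc), ip, label=label)
    acct.passkeys[cred_id] = pk
    _event(acct, "passkey_added", cred_id, {"aaguid": aaguid, "ip": ip})
    return pk


def authenticate(acct, cred_id, reported_count, ip):
    """Return (session_id or None, reason) for an already signature-verified assertion."""
    pk = acct.passkeys.get(cred_id)
    if pk is None or pk.revoked:
        return None, "unknown_or_revoked"
    if reported_count == 0 and pk.sign_count == 0:
        # Synced passkeys typically never advance the counter, so an exported
        # copy is indistinguishable here; only notifications and an honest
        # credential list give the owner a chance to notice.
        reason = "ok_counter_unsupported"
    elif reported_count <= pk.sign_count:
        # A counter that fails to advance is the spec's signal for a cloned authenticator.
        _event(acct, "possible_clone", cred_id,
               {"ip": ip, "seen": reported_count, "stored": pk.sign_count})
        return None, "possible_clone"
    else:
        reason = "ok"
    pk.sign_count = max(pk.sign_count, reported_count)
    sid = secrets.token_hex(8)
    acct.sessions[sid] = cred_id
    return sid, reason


def revoke_passkey(acct, cred_id):
    """Revoke a credential and end every session it created; returns sessions killed."""
    pk = acct.passkeys[cred_id]
    pk.revoked = True
    killed = [sid for sid, c in acct.sessions.items() if c == cred_id]
    for sid in killed:
        del acct.sessions[sid]
    _event(acct, "passkey_revoked", cred_id, {"sessions_terminated": len(killed)})
    return len(killed)


def list_passkeys(acct):
    """Dashboard rows: the untrusted label sits beside facts the client cannot override."""
    return [
        {"label": pk.label or "(unnamed)", "aaguid": pk.aaguid,
         "added": pk.created_at.isoformat(), "from_ip": pk.created_ip,
         "revoked": pk.revoked}
        for pk in acct.passkeys.values()
    ]
```

A real deployment would bind `created_ip` and `aaguid` from the registration ceremony itself (the AAGUID is only meaningful when attestation is requested and verified), and would notify on export where the platform exposes that event at all; the point of the model is that revocation, session termination and notification are one atomic step rather than three features a service may or may not have implemented.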
Balancing benefits with social realities
Passkeys remain a promising step forward in defending against phishing and other technical threats, but the study highlights that technical strength is not the whole story. When a device or account is already exposed to someone within a victim’s social circle, the strongest cryptography cannot prevent misuse. The research shows that digital security must take social realities into account, ensuring that authentication tools work not only against remote attackers but also in the complex dynamics of personal relationships.

Notes: This post was edited/created using GenAI tools. Image: DIW-Aigen.