
Passkeys and account recovery: where identity controls still fail


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: Passkeys reduce phishing and credential theft, but recovery flows remain the weak point when accounts still rely on passwords, SMS codes, or email-based fallback checks, according to 1Kosmos citing Microsoft and Google. Strong identity assurance must extend to recovery, or attackers will route around passwordless controls.

NHIMG editorial — based on content published by 1Kosmos: According to Microsoft and Google, passkeys alone aren't enough to stop hackers

Questions worth separating out

Q: How should security teams handle recovery for passkey-protected accounts?

A: They should govern recovery as a separate assurance flow, not a convenience feature.

Q: Why do passkeys still leave account takeover risk in place?

A: Passkeys remove reusable secrets from login, but they do not eliminate weaker alternate paths attached to the same account.

Q: What do teams get wrong about passwordless authentication?

A: They often treat primary authentication as the whole problem and ignore reset, support, and lost-device flows.

Practitioner guidance

What's in the full article

1Kosmos's full article covers the operational detail this post intentionally leaves for the source:

  • Government ID and biometric recovery workflow examples that show how proofing is applied in practice
  • Specific help desk reset scenarios where weak fallback methods are removed from the recovery path
  • Deployment detail on how reusable identity is applied across onboarding, authentication, and account recovery
  • Reference points for aligning recovery design with NIST 800-63 and high-assurance identity assurance

👉 Read 1Kosmos's analysis of passkey recovery risk and identity assurance →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 6407
 

Passkeys do not fail first at authentication. They fail when recovery is treated as a lower-assurance exception. The article shows the core governance problem: organisations modernise the front door while leaving the back door governed by older, weaker proofing methods. That creates a split assurance model inside the same account lifecycle. Practitioners should recognise recovery as the control that determines whether passwordless is real or cosmetic.

A few things that frame the scale:

  • Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, according to The 2024 Non-Human Identity Security Report.
  • Only 35.6% of organisations cite managing consistent access across hybrid and multi-cloud environments as their top NHI security challenge, according to Aembit's 2024 research.

A question worth separating out:

Q: How can organisations tell whether recovery controls are strong enough?

A: A practical test is whether an attacker could recover access without defeating the passkey or presenting the same level of proof required at enrollment. If recovery can be completed through easily obtained personal data, SMS, or informal support intervention, the control is not strong enough for high-assurance accounts.

👉 Read our full editorial: Passkeys alone do not close the account recovery attack path

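The "practical test" from the answer above, turned into a policy check. This is an added example written for this thread, not code from 1Kosmos or NHIMG; it assumes a constructed three-level assurance scale and two constructed account configurations, and computes an account's effective assurance as the minimum over every login and recovery path, listing the recovery paths that fall below the level required at enrollment.

```python
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    # Assumption: a three-step scale loosely inspired by NIST 800-63 AAL/IAL tiers.
    LOW = 1      # SMS code, email link, knowledge-based answers, informal support reset
    MEDIUM = 2   # TOTP or push approval bound to an already-enrolled device
    HIGH = 3     # passkey, or re-proofing equal to enrollment (e.g. ID document + biometric)


@dataclass(frozen=True)
class Path:
    name: str
    stage: str            # "login" or "recovery"
    assurance: Assurance


def effective_assurance(paths):
    # An attacker takes the cheapest route in, so the account is only as
    # strong as its weakest login OR recovery path.
    return min(p.assurance for p in paths)


def recovery_gaps(paths, enrollment_level):
    # Recovery paths that hand back access with less proof than enrollment
    # demanded: the "back door" the editorial describes.
    return [p for p in paths if p.stage == "recovery" and p.assurance < enrollment_level]


def assess(paths, enrollment_level=Assurance.HIGH):
    weakest = min(paths, key=lambda p: p.assurance)
    return {
        "effective": effective_assurance(paths),
        "weakest_path": weakest.name,
        "gaps": [p.name for p in recovery_gaps(paths, enrollment_level)],
        "passwordless_is_real": effective_assurance(paths) >= enrollment_level,
    }


# Constructed sample: passkey at the front door, legacy fallbacks at the back.
SPLIT_MODEL = [
    Path("passkey", "login", Assurance.HIGH),
    Path("sms_code_reset", "recovery", Assurance.LOW),
    Path("helpdesk_reset_by_phone", "recovery", Assurance.LOW),
]

# Constructed sample: recovery re-proofed to the same level as enrollment.
UNIFIED_MODEL = [
    Path("passkey", "login", Assurance.HIGH),
    Path("id_document_plus_biometric_reproof", "recovery", Assurance.HIGH),
]
```

Running `assess(SPLIT_MODEL)` reports the account as LOW assurance with both recovery paths flagged, while `assess(UNIFIED_MODEL)` reports HIGH with no gaps.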