Subscribe to the Non-Human & AI Identity Journal
Home FAQ Authentication, Authorisation & Trust Why do passkeys improve security but not eliminate…
Authentication, Authorisation & Trust

Why do passkeys improve security but not eliminate identity risk?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 6, 2026 Domain: Authentication, Authorisation & Trust

Passkeys remove the shared secret that attackers usually steal, guess, or phish, which is a major improvement. But identity risk shifts into device trust, account recovery, enrolment, and fallback. If those controls are weak, an attacker can still gain access without ever defeating the passkey cryptography itself.

Why This Matters for Security Teams

Passkeys significantly reduce phishing and password theft, but they do not end identity risk. The weak point moves from a reusable shared secret to the surrounding identity lifecycle: device enrolment, account recovery, synced credentials, help desk workflows, and fallback authentication. That matters because attackers rarely need to break the cryptography if they can compromise the process around it. NIST’s Cybersecurity Framework 2.0 still expects organisations to govern identity, recovery, and access continuously, not treat authentication as a one-time event.

For teams already dealing with secret sprawl and over-privileged accounts, passkeys are an improvement, not a complete control plane. NHIMG research shows the broader identity problem remains severe: in the Ultimate Guide to NHIs, 97% of NHIs carry excessive privileges, which is a reminder that stronger login factors do not automatically reduce privilege risk. In practice, many security teams encounter compromise only after recovery channels or device trust have already been abused, rather than through intentional testing of the full identity journey.

How It Works in Practice

Passkeys improve authentication by replacing passwords with cryptographic proof held on a device, often bound to biometrics or local device unlock. That removes the most commonly stolen credential class and makes classic phishing much harder. But the security outcome depends on how the passkey is enrolled, where it is stored, and what happens when the user changes devices, loses a phone, or calls the help desk.

In operational terms, teams should treat passkeys as one layer in an identity system that still needs strong governance. Current best practice is to combine passkeys with:

  • Strong device attestation and endpoint posture checks before enrolment.
  • High-assurance recovery paths with clear proofing standards.
  • Step-up verification for sensitive actions, not just initial login.
  • Monitoring for enrolment changes, fallback activation, and unusual recovery events.
  • Least-privilege access so a single identity compromise does not expose everything.

This is where the broader NHI problem remains relevant. The Ultimate Guide to NHIs — Key Challenges and Risks highlights how lifecycle gaps, rotation failures, and poor visibility often drive incidents. For human identity, the same logic applies: if recovery and fallback are weak, an attacker may enroll a new device, hijack a session, or exploit social engineering instead of defeating passkey cryptography. Guidance from the NIST Cybersecurity Framework 2.0 supports continuous verification, not trust based solely on a successful login. These controls tend to break down in large enterprises with outsourced service desks because identity proofing becomes inconsistent across regions and support tiers.

Common Variations and Edge Cases

Tighter passkey enforcement often increases recovery friction, so organisations have to balance user convenience against account takeover resistance. That tradeoff becomes most visible when users lose devices, switch platforms, or need shared access in managed environments.

There is no universal standard for this yet, but current guidance suggests a few recurring edge cases deserve special handling. Synced passkeys can improve usability, yet they shift trust to the sync provider and the surrounding account protections. Shared family devices, contractor onboarding, and BYOD scenarios also complicate attestation and recovery. In regulated environments, security teams may need to keep a password or hardware-key fallback temporarily, but that fallback should be governed as a high-risk path with logging, alerts, and expiry. NHIMG’s 52 NHI Breaches Analysis reinforces a broader lesson: attackers usually exploit the weakest operational control, not the strongest cryptographic one.

Passkeys are also not a substitute for identity governance in workloads, APIs, or machine-to-machine access, where different controls such as secrets rotation and workload identity are still required. The practical goal is to reduce phishing and password abuse while keeping recovery, enrolment, and fallback equally defensible. In mixed environments, the risk usually returns through the exception path, not the passkey itself.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Passkeys still rely on identity assurance and access decisions.
OWASP Non-Human Identity Top 10NHI-07Fallback and recovery paths mirror NHI lifecycle and access weaknesses.
NIST AI RMFThe question is about managing identity risk across the full lifecycle.

Inventory fallback identity paths and remove any recovery flow that bypasses strong verification.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org