Mr. Latte


The Hidden Danger of Passkeys: Why You Shouldn't Use Them for Encryption

TL;DR: While passkeys are excellent for authentication, using their PRF extension to encrypt user data creates a massive risk of permanent data loss. Users routinely delete passkeys without realizing they are destroying the only decryption keys for their backups or crypto wallets. Developers should stick to using passkeys for phishing-resistant logins, not data encryption.


Passkeys have rapidly become the gold standard for secure, passwordless authentication. However, a troubling trend has emerged: developers are increasingly using the WebAuthn PRF (Pseudo-Random Function) extension to derive encryption keys from passkeys for end-to-end encryption, secure backups, and crypto wallets. While this seems like a clever way to unify login and encryption, it introduces a catastrophic UX flaw. We need to talk about why overloading authentication credentials with encryption duties is a recipe for disaster.

Key Points

The fundamental issue lies in the ‘blast radius’ of credential deletion. When a user cleans up their password manager, they might delete a passkey thinking it only affects their ability to log in, completely unaware that it also holds the key to their encrypted messages, photos, or digital currency. Current credential managers like Apple Passwords or Google Password Manager do not warn users that deleting a passkey will result in permanent data loss. Credential managers that use PRF themselves do so safely because they have robust fallback mechanisms like master passwords or recovery keys; standard apps lack these safety nets. Consequently, a simple routine cleanup can permanently lock a user out of their most valuable data.

Technical Insights

From an engineering perspective, the WebAuthn PRF extension is a powerful tool that allows a relying party to derive a symmetric key directly from the authenticator. It is tempting to use this for E2EE because it abstracts away key management, seemingly solving the ‘forgotten encryption password’ problem. However, this tightly couples authentication and data encryption—two domains with fundamentally different lifecycles and recovery models. Authentication credentials are meant to be replaceable via account recovery flows, whereas encryption keys must be durable and are often irreplaceable. By conflating the two, developers trade long-term data durability for short-term UX convenience, violating the principle of separation of concerns in security architecture.
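One way to keep the two lifecycles apart, shown as an added example rather than code from the original article: data is encrypted under a random data key, and that data key is wrapped twice, once under a key derived from the passkey's PRF output and once under a separate recovery key. Here `prfOutput` stands in for the 32 bytes the browser returns in `getClientExtensionResults().prf.results.first`; the recovery key, the function names and the `vault/...` labels are assumptions made for illustration.

```javascript
// Added example: the passkey's PRF output is only ONE of two ways to unwrap the data key.
const cryptoReady = (async () => globalThis.crypto ?? (await import('node:crypto')).webcrypto)();
const enc = new TextEncoder();

// Derive an AES-GCM key-encryption key (KEK) from 32 bytes of secret material with HKDF.
async function deriveKek(secret, label) {
  const { subtle } = await cryptoReady;
  const ikm = await subtle.importKey('raw', secret, 'HKDF', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'HKDF', hash: 'SHA-256', salt: new Uint8Array(32), info: enc.encode(label) },
    ikm, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// AES-GCM encrypt with a fresh random 96-bit IV; the IV is stored next to the ciphertext.
async function seal(key, plaintext) {
  const c = await cryptoReady;
  const iv = c.getRandomValues(new Uint8Array(12));
  const ct = new Uint8Array(await c.subtle.encrypt({ name: 'AES-GCM', iv }, key, plaintext));
  return { iv, ct };
}

// AES-GCM decrypt; rejects if the key is wrong or the ciphertext was modified.
async function unseal(key, { iv, ct }) {
  const { subtle } = await cryptoReady;
  return new Uint8Array(await subtle.decrypt({ name: 'AES-GCM', iv }, key, ct));
}

// Encrypt data under a random data-encryption key (DEK) and store the DEK in two
// independent slots, so that deleting the passkey kills one slot, not the data.
async function createVault(prfOutput, recoveryKey, data) {
  const c = await cryptoReady;
  const dek = c.getRandomValues(new Uint8Array(32));
  const dekKey = await c.subtle.importKey('raw', dek, 'AES-GCM', false, ['encrypt']);
  return {
    data: await seal(dekKey, data),
    wrappedByPasskey: await seal(await deriveKek(prfOutput, 'vault/passkey'), dek),
    wrappedByRecovery: await seal(await deriveKek(recoveryKey, 'vault/recovery'), dek),
  };
}

// Open the vault through either slot: via is 'passkey' or 'recovery'.
async function openVault(vault, secret, via) {
  const { subtle } = await cryptoReady;
  const slot = via === 'passkey' ? vault.wrappedByPasskey : vault.wrappedByRecovery;
  const dek = await unseal(await deriveKek(secret, `vault/${via}`), slot);
  const dekKey = await subtle.importKey('raw', dek, 'AES-GCM', false, ['decrypt']);
  return unseal(dekKey, vault.data);
}
```

If the data were encrypted directly under the PRF-derived key, there would be no second slot, and deleting the passkey would leave nothing that can decrypt it.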

Implications

The identity industry must pivot away from promoting passkeys as a silver bullet for data encryption and let them remain focused on phishing-resistant authentication. Developers who absolutely must use PRF for encryption need to implement aggressive UX warnings, provide dedicated support pages, and utilize the Well-Known URL for Relying Party Passkey Endpoints. Furthermore, credential manager vendors should prioritize adding specific warnings when users attempt to delete passkeys that utilize the PRF extension.


As we push for a passwordless future, we must ensure that convenience doesn’t come at the cost of catastrophic data loss. How can we build seamless end-to-end encryption experiences without tying them to disposable authentication tokens? It is time to rethink our approach to key management before users lose their digital memories forever.
