March 28, 2025

Passkeys: 7 Possible Downsides for SMBs

Passkeys offer major authentication and manageability advantages over passwords, which is driving their ongoing adoption. But as an emerging technology, they still have some drawbacks.

This article discusses seven potential downsides of passkey implementation that SMBs should weigh before adopting them.

One: Account recovery is still tied to passwords and/or user IDs.

Passkeys do not require an identifier like a username or email address, which makes usernameless authentication possible. But because passkeys are device- or platform-bound, authentication can depend on specific hardware being present, such as your smartphone.

Therefore, if your device is lost or bricked, you could lose passkey access to those accounts. This creates a need for website owners and credential management vendors (e.g., Google, Apple, Microsoft, 1Password, LastPass) to reach users through another channel for account recovery, such as email or SMS.

The resulting passkey account recovery scenarios mirror today’s password recovery setups. Far from being disabled, passwords may still play a key role (or fallback role) in helping passkey users recover their credentials.

“Account recovery is definitely the weak link [compared with passkey authentication] because right now it’s just whatever already existed with passwords,” says Anna Pobletts, Head of Passwordless at 1Password. “How can passkeys somehow make that recovery process better? I don’t think there’s a great answer for that right now—but we’re working on it.”

Two: Support and compatibility across platforms, devices, apps, and services is inconsistent.

While their base of support is growing rapidly, passkeys still aren’t supported across all devices, websites, credential managers, etc. For example, to use passkeys with your smartphone it needs to have the required hardware features, such as face, fingerprint, or other biometric recognition options. This could be an issue if some users need to stick with older devices.

For SMBs building passkey authentication into their own applications, ensuring that passkeys work smoothly when users switch devices, especially across platforms (e.g., from a Windows laptop to an iPhone), has been a notable technical challenge for development teams.

Three: Vendor lock-in is difficult to avoid.

Passkey implementations can result in vendor lock-in, because it can be difficult to move passkeys between platforms, such as from Android to Apple.

For example, within the Apple ecosystem, you can store passkeys in your iCloud Keychain. This makes them accessible to your other Apple devices but not to Windows or Android devices. As a result, users may need multiple passkeys to access the same site from different devices.

Another option can be to use a cross-platform credential manager like 1Password or Bitwarden. But these can create their own form of lock-in—supporting multiple devices but not necessarily making it easy to switch to a new credential manager.

To address vendor lock-in at the standards level, the FIDO Alliance has published a working draft of the Credential Exchange Protocol (CXP) specification, which defines a standardized way for users to transfer passkeys between supported platforms quickly and securely.

Four: Some passkey implementations may require extra hardware or software.

Some passkey implementations may require users to have specific hardware-backed security components, such as:

  • Trusted Platform Modules (TPMs)
  • Trusted Execution Environments (TEEs) or Secure Enclaves
  • Physical security keys

These hardware components keep the passkey’s private key from being extracted even if the device’s software is compromised. This is what makes passkey authentication highly resistant to credential theft.

However, providing this additional hardware, and possibly software, can add to passkey transition costs.

Five: User adoption, user experience, and user education can all present challenges.

The password metaphor has been around for decades, and some users may find the transition to passkeys intimidating, inconvenient, or confusing. Users may also have privacy concerns about passkeys’ reliance on biometric data.

Whatever an SMB’s passkey adoption experience, user education will likely be important to inform users about what passkeys are, how they work, and what benefits they offer. Education and awareness support a positive user experience and help maintain strong cybersecurity controls and processes.

“There are a lot of people who still don’t know about passkeys and a lot of businesses that don’t really understand the technology,” Anna Pobletts observes. “It takes education and awareness to make sure people see that passkeys are here and ready to use and they’re exciting and worth giving it a try.”

Six: Most SMB security policies haven’t caught up with passkeys.

Most SMB security policies were not created with passkeys in mind. Many SMBs will need to update their security policies around authentication and authorization to encompass passkey usage. Some potential issues include:

  • Passkey storage is not straightforward, since passkeys may be tied to personal devices and cloud-based credential managers like iCloud Keychain or Google Password Manager. It could be difficult for employees to keep personal and corporate passkeys completely separate, especially in a BYOD environment.
  • Passkeys are a form of two-factor authentication (2FA) but feel like a single factor to the user. Most passkey setups combine something you have (your device) with something you are (your biometric data). But, unlike passwords, passkeys eliminate the “something you know” factor. Some security policies may need to be rewritten to recognize a passkey as valid 2FA.
  • Losing access to a passkey and “resetting” a passkey is different from losing a password and will require a different procedure.
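As an added example, not code from the article, the relying-party check below shows how an SMB’s own application can enforce the first two points above in code: it parses the authenticatorData header that every WebAuthn assertion carries and reports whether the authenticator actually verified the user (the UV flag that lets a passkey count as possession plus biometric/PIN) and whether the credential is a synced, backup-eligible passkey (BE/BS flags) rather than device-bound. Function and policy names are mine, and the sample data is constructed.

```python
import hashlib
import struct

# Bits of the authenticatorData flags byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present: the authenticator saw a touch/gesture
FLAG_UV = 0x04  # user verified: biometric or PIN checked by the authenticator
FLAG_BE = 0x08  # backup eligible: a synced passkey (e.g. iCloud Keychain)
FLAG_BS = 0x10  # backup state: currently backed up to the sync service


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Decode the fixed header: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def evaluate_policy(auth_data: bytes, rp_id: str,
                    require_uv: bool = True, allow_synced: bool = True) -> list:
    """Return policy violations for one assertion; an empty list means accept.

    require_uv: count the passkey as 2FA only if the authenticator verified the user.
    allow_synced: set False to accept only device-bound (non-backup-eligible) passkeys.
    """
    info = parse_authenticator_data(auth_data)
    problems = []
    if info["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match this relying party")
    if not info["user_present"]:
        problems.append("user presence not asserted")
    if require_uv and not info["user_verified"]:
        problems.append("no user verification: possession factor only")
    if not allow_synced and info["backup_eligible"]:
        problems.append("synced passkey rejected by device-bound policy")
    return problems


def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Build a constructed header for offline testing (not a real authenticator response)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))
```

This covers only the flag-inspection step; a complete WebAuthn verification also checks the challenge, origin, and signature over the authenticator data.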

Seven: Sharing passkeys is a pain.

Passkeys are device-bound, often rely on biometrics, and thus are not designed to be easily shared. But some limited passkey sharing is possible. For example:

  • Google lets you scan a single-use QR code with a phone to gain access to your account on a nearby shared or borrowed device without storing any passkeys on it. Both devices need to be within Bluetooth range to block the threat of remote attacks.
  • Apple currently allows you to AirDrop a passkey to people in close physical proximity to your device.

If you share accounts with family members or others, you might need to keep passwords active for those accounts so you can continue to share them using passwords. Obviously, this is much less secure than passkeys but can work as a fallback or for sharing less sensitive accounts.

What’s next?

For more guidance on this topic, listen to Episode 149 of The Virtual CISO Podcast with guest Anna Pobletts, Head of Passwordless at 1Password.