Please, please, please stop using passkeys for encrypting user data

· Source: Simon Willison's Weblog · Field: Technology & Digital — Cybersecurity & Data Privacy, Software Development & Engineering · Depth: Intermediate, quick

Summary

Tim Cappalli, writing on February 27, 2026, urges the identity industry to stop using passkeys to encrypt user data. Users frequently lose their passkeys, and most do not understand that data encrypted under a lost passkey is permanently unrecoverable: there is no reset flow that brings the key back. Cappalli argues that passkeys should be used only as phishing-resistant authentication credentials, the role in which they work well. The core message is a plea to avoid irreversible data-loss scenarios caused by repurposing an authentication credential as an encryption key.

Key takeaway

For CTOs and VPs of Engineering evaluating identity management strategies: limit passkey usage strictly to authentication. Do not use passkeys to encrypt user data, because doing so creates an unacceptable risk of irreversible data loss when users inevitably lose their passkeys. Use passkeys for their intended benefit, robust phishing-resistant user authentication.

Key insights

Passkeys should be used for phishing-resistant authentication, not for encrypting user data due to recovery risks.

Best for: CTO, VP of Engineering/Data, Security Engineer, Software Engineer, Product Manager

Editorial summary, takeaway, and curation by AIssential. Original article published by Simon Willison's Weblog.