Please, please, please stop using passkeys for encrypting user data
Summary
Tim Cappalli, writing on February 27, 2026, urges the identity industry to cease using passkeys for encrypting user data. He emphasizes that users frequently lose their passkeys and often do not comprehend that their data, once encrypted with a lost passkey, becomes permanently unrecoverable. Cappalli advocates for passkeys to be exclusively utilized as phishing-resistant authentication credentials, highlighting their effectiveness in that specific role. The core message is a plea to prevent irreversible data loss scenarios stemming from the misuse of passkeys for encryption rather than their intended purpose of authentication.
Key takeaway
For CTOs and VPs of Engineering evaluating identity management strategies, you should strictly limit passkey usage to authentication. Do not implement passkeys for encrypting user data, as this creates an unacceptable risk of irreversible data loss when users inevitably misplace their passkeys. Focus on leveraging passkeys for their intended benefit: robust, phishing-resistant user authentication.
Key insights
Passkeys should be used for phishing-resistant authentication, not for encrypting user data: a passkey that is lost cannot be recovered, so any data encrypted under it is lost with it.
Principles
- Passkeys are for authentication.
- Lost passkeys mean lost data when the passkey is used as an encryption key.
In practice
- Implement passkeys for authentication.
- Avoid passkeys for data encryption.
Topics
- Passkeys
- User Data Encryption
- Authentication Credentials
- Data Recovery
- Phishing Resistance
Best for: CTO, VP of Engineering/Data, Security Engineer, Software Engineer, Product Manager
Editorial summary, takeaway, and curation by AIssential. Original article published by Simon Willison's Weblog.