
Passkeys are being promoted as the future of online security.
Unlike passwords, they promise stronger protection against hacking and phishing while making logins simpler for everyday users.
But a new study warns that these tools may also create hidden risks, especially in abusive relationships.
The research, presented August 15 at the 2025 USENIX Security Symposium in Seattle, comes from a team at Cornell Tech, New York University, and the University of Wisconsin.
Led by Ph.D. candidates Alaa Daffalla and Arkaprabha Bhattacharya, along with professors Thomas Ristenpart and Nicola Dell, the study is the first to examine how passkeys might be weaponized in contexts such as intimate partner violence, elder abuse, and human trafficking.
“As new authentication mechanisms are rolled out by tech companies, it’s crucial to consider how they might be exploited to enable interpersonal abuse,” Dell said.
To uncover these risks, the team created a six-step “abusability analysis” framework—an approach that helps researchers identify how features designed for safety and convenience could still be misused.
They applied the framework to 19 popular services that already support passkeys, including Google, Amazon, PayPal, and TikTok.
The results were unsettling. The researchers identified seven distinct ways abusers could exploit passkeys.
Some were simple, like quietly adding their fingerprint to a victim’s device. Others were more advanced, such as exporting a passkey to another device using AirDrop or cloud syncing.
In one scenario, an abuser who briefly accessed an unlocked phone could steal a passkey and secretly monitor the victim’s accounts over time. In another, attackers could remotely revoke a victim’s passkeys, locking them out of their own accounts.
Across the board, many services failed to provide alerts when these changes occurred. Victims often had no way to detect suspicious activity or regain access once locked out.
The study also found inconsistencies between platforms: some lacked tools to revoke or manage passkeys, while others allowed device names or locations to be disguised, making it harder to spot abuse.
To address these risks, the researchers recommend that companies improve user interfaces for managing passkeys, send clearer notifications when credentials are changed, and impose stricter limits on exporting or sharing passkeys.
They also urged tech companies to adopt the abusability analysis framework during development to identify risks before rolling out new features.
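One way a service could act on these recommendations on the relying-party side, as an added example that is not code from the study or from any of the services named: it replays an account's passkey changes, emits a notification for every addition or removal, flags a new passkey whose label copies an existing one and a revocation that leaves the account with no passkey, and keeps revoked credentials restorable for an assumed seven-day hold.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed audit record for one account at a relying party; not data from the study.
@dataclass(frozen=True)
class PasskeyEvent:
    ts: datetime
    kind: str      # "register" or "revoke"
    cred_id: str   # credential id as stored by the service
    label: str     # user-editable device name shown in the account's passkey list
    ip: str

# Assumed retention period during which a revoked passkey can still be restored.
RECOVERY_HOLD = timedelta(days=7)

def audit_passkey_changes(events):
    """Replay passkey changes on one account and return (notifications, flags, recoverable).

    Every addition or removal yields an out-of-band notification. Flags mark two
    patterns from the study: a new passkey labelled like an existing one (disguise),
    and a revocation that leaves the account with no passkey (lockout). Recoverable
    lists revoked credentials still inside RECOVERY_HOLD, so the owner can undo it.
    """
    active, revoked = {}, {}            # cred_id -> label / (revoked_at, label)
    notifications, flags = [], []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "register":
            if ev.label in active.values():
                flags.append((ev.ts, "duplicate_label", ev.cred_id))
            active[ev.cred_id] = ev.label
            notifications.append((ev.ts, f"passkey added '{ev.label}' from {ev.ip}"))
        elif ev.kind == "revoke" and ev.cred_id in active:
            revoked[ev.cred_id] = (ev.ts, active.pop(ev.cred_id))
            notifications.append((ev.ts, f"passkey removed '{ev.label}' from {ev.ip}"))
            if not active:
                flags.append((ev.ts, "all_passkeys_revoked", ev.cred_id))
    now = max(e.ts for e in events) if events else datetime.min
    recoverable = [cid for cid, (at, _) in revoked.items() if now - at <= RECOVERY_HOLD]
    return notifications, flags, recoverable

# Constructed sample: the owner enrols, then a second passkey with the same label
# appears from elsewhere and both passkeys are revoked shortly afterwards.
T0 = datetime(2025, 8, 1, 9, 0)
SAMPLE_EVENTS = [
    PasskeyEvent(T0, "register", "cred-A", "My iPhone", "203.0.113.5"),
    PasskeyEvent(T0 + timedelta(days=3), "register", "cred-B", "My iPhone", "198.51.100.7"),
    PasskeyEvent(T0 + timedelta(days=3, minutes=2), "revoke", "cred-A", "My iPhone", "198.51.100.7"),
    PasskeyEvent(T0 + timedelta(days=3, minutes=5), "revoke", "cred-B", "My iPhone", "198.51.100.7"),
]
```

Calling `audit_passkey_changes(SAMPLE_EVENTS)` yields four notifications, a `duplicate_label` flag for `cred-B` and an `all_passkeys_revoked` flag for `cred-B`, with both revoked credentials still recoverable.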
The findings highlight an important truth: strong technology doesn’t always mean strong protection in real life.
While passkeys are powerful against phishing and hacking, they can still be turned into tools of control in abusive situations. By centering the needs of vulnerable users, the researchers say, tech companies can build digital systems that are not only secure but truly safe.