Please, please, please stop using passkeys for encrypting user data
12 hours ago
- #data security
- #encryption
- #passkeys
- Concerns about users losing important data due to passkeys and PRF extension usage.
- PRF extension is being used for encryption in various applications like message backups, end-to-end encryption, and crypto wallets.
- Overloading authentication credentials for encryption increases risks of data loss.
- Example scenario: User deletes a passkey, leading to irreversible loss of encrypted backups.
- Current UI lacks sufficient warnings about the critical role of passkeys in data encryption.
- Legitimate uses of PRF include credential manager and OS support, which have robust recovery options.
- Call to action: Stop using passkeys for encrypting user data; improve warnings and user education.