Google And Microsoft Warn Passkeys May Not Stop Hackers

InnovationCybersecurityGoogle And Microsoft Warn Passkeys May Not Stop HackersByZak Doffman,Contributor.Forbes contributors publish independent expert analyses and insights. Zak Doffman writes about cybersecurity, surveillance and privacy.Follow AuthorMay 11, 2026, 01:53am EDT--:-- / --:--This voice experience is generated by AI. Learn more.This voice experience is generated by AI. Learn more.Passkeys may not stop hackers.gettyPasskeys are supposed to replace passwords and stop phishing attacks. But Google and Microsoft warn that passkeys alone are not enough if weaker recovery methods remain attached to accounts. “Each account is only as secure as its weakest credential,” Microsoft says, warning that passwords and SMS recovery options can become a new attack surface even after passkeys are deployed.“Passkeys are an easier and safer way to access online accounts compared to passwords,” Google says, “and even traditional multi-factor methods.” But passkeys are not 100% safe on their own. In a new warning to its account holders, Google says “even when you normally use a passkey, it’s important to secure your account with two-step verification (2SV)." You need this in case “someone tries to impersonate you and claims to have lost your passkey."Forbes‘A Big Deal’—Google’s Gmail Upgrade Is Now Going LiveBy Zak DoffmanIf there is an automated recovery process that exploits weaker credentials to bypass a passkey, then that passkey is not 100% safe — it really is that simple. Attackers can target recovery flows and fallback credentials instead of passkeys.This is an interesting twist — because much of the rhetoric is that a passkey alone is enough. But Microsoft flags account recovery as a new attack surface, as the surge in passkey use shuts down traditional attack methods. MORE FOR YOU“Deploying passkeys improves sign-in," Microsoft says. "But most accounts still have a password or SMS method attached 'just in case’ — and as long as those credenti...