Please, please, please stop using passkeys for encrypting user data
Please, please, please stop using passkeys for encrypting user data (https://blog.timcappalli.me/p/passkeys-prf-warning/)
Because users lose their passkeys all the time, and may not understand that their data has been irreversibly encrypted using them and can no longer be recovered.
Tim Cappalli:
To the wider identity industry: please stop promoting and using passkeys to encrypt user data. I’m begging you. Let them be great, phishing-resistant authentication credentials.
Via lobste.rs (https://lobste.rs/s/tf8j5h/please_stop_using_passkeys_for)
Tags: security (https://simonwillison.net/tags/security), usability (https://simonwillison.net/tags/usability), passkeys (https://simonwillison.net/tags/passkeys)