Engineers Warned: Don't Use Passkeys for Encryption
A technical critique is warning developers to stop using passkeys as the primitive that protects encrypted user data. The post argues that the practice creates a real risk of permanent data loss as well as security gaps, and that an authentication credential should not be conflated with the durable, recoverable key management that long-lived user data requires.
The core issue arises from the WebAuthn PRF (pseudo-random function) extension, which lets a relying party obtain a deterministic secret from the authenticator, bound to a specific credential and a caller-supplied salt. Because the same credential and salt always yield the same output, that output can be used as, or to derive, an encryption key. This enables novel uses, but it ties the lifecycle of long-term data to an authentication credential that users perceive as ephemeral and easily replaceable.

A user might delete a passkey during routine credential cleanup, unaware that it is the sole key to their encrypted backups for a messaging app or document service. When they later get a new device and sign back in through another method, the passkey is gone, and everything encrypted under its derived key is permanently irrecoverable.

This conflates two distinct cryptographic purposes: authentication and encryption. Authentication credentials like passkeys are designed for proving identity at a moment in time and are expected to be rotated, lost, or re-enrolled without consequence. Encryption keys for user data, by contrast, must be durable and recoverable. A key derived from a passkey inherits the passkey's disposability, which is exactly the property encrypted data cannot tolerate.

There are legitimate, lower-risk uses for the PRF extension, such as unlocking a local credential manager vault. In these cases the passkey-derived key is used only to decrypt the master key of a system that has its own recovery mechanisms, such as a master password or dedicated recovery keys, so the passkey is a convenience path rather than a single point of failure.

Established practice for protecting user data involves a dedicated key management lifecycle, entirely separate from authentication. This typically means a Key Management Service (KMS) or Hardware Security Module (HSM) that generates, stores, and manages data encryption keys (DEKs). The standard, more resilient pattern is envelope encryption: a unique DEK is generated for the user's data, and that DEK is then encrypted (wrapped) with a Key Encryption Key (KEK) held in the KMS. Rotating the KEK rewraps only the small DEK, never the bulk data; access to the KEK can be controlled and audited independently of login; and, critically, recovery procedures do not depend on the user's authentication credential.