AI Agents Break Passkeys: 3 Solutions - News Directory 3

AI Agents Break Passkeys: 3 Solutions

October 1, 2025 Victoria Sterling Business
News Context
At a glance
  • This article discusses ⁤the promise ⁢and potential pitfalls of passkeys,the new authentication method designed to replace passwords.
  • * ⁤ Enhanced Security: Passkeys use public/private key cryptography, ⁣tied to a device (like a phone) or‍ cloud service (like iCloud or a password manager).
  • * meaningful Upgrade: ‍Passkeys are a significant improvement ⁣over passwords ⁣and customary authentication ⁣methods for human ‍users.
Original source: forbes.com

Summary‍ of the Article: Passkeys – A Fix for Today,a Problem for Tomorrow?

This article discusses ⁤the promise ⁢and potential pitfalls of passkeys,the new authentication method designed to replace passwords. ⁢Here’s a breakdown of the key points:

What are passkeys?

* ⁤ Enhanced Security: Passkeys use public/private key cryptography, ⁣tied to a device (like a phone) or‍ cloud service (like iCloud or a password manager). They eliminate the risk of phishing by removing shared⁤ secrets⁢ (passwords).
* Mutual Authentication: Both the website and the user prove their legitimacy.
* ⁣ Biometric Login: Typically secured with Face ID or fingerprint.

The good (for Humans):

* meaningful Upgrade: ‍Passkeys are a significant improvement ⁣over passwords ⁣and customary authentication ⁣methods for human ‍users.
* Addresses Old Problems: They solve the issues of password reuse and phishing that have plagued ⁤the internet for decades.

The Problem ⁢(for the Future with AI):

* Not ‍Designed for AI Agents: Passkeys are ‍built around authenticating ⁢ people, not software ⁤agents (AI).
* Limited Delegation Options: OAuth, a related standard, allows for delegated‍ access, but its rarely implemented (used on <1%⁢ of sites) and requires granular permissions which users are likely to circumvent.
* High-Risk ⁤Access: Giving AI agents full credentials ⁢or broad OAuth access is hazardous. AI operates at machine speed and scale, and a compromised agent coudl cause massive damage. It’s akin to reusing a password everywhere.
* Potential‍ for Replication & Impersonation: ⁤AI agents can replicate and⁤ be impersonated, expanding ‍the potential blast radius of a security breach.

A Recurring Pattern:

* Well-Intentioned ‍Backfires: The article points out a history of security measures (password rotations,MFA) that initially faced resistance but ultimately became necessary,often after unintended consequences were realized.
* Assumptions About Users: Passkeys assume the user is a person ⁤controlling a device or account. This assumption breaks down in an enterprise habitat where AI agents are acting autonomously.

How Passkeys Work (Technical Description):

* Public/Private Key Pair: Passkeys use a system where the server holds⁢ the public key and the device holds the private key.
* Signing Challenges: Login⁤ is achieved by the device signing a challenge⁤ with the private key, proving identity without revealing the key itself.

In essence, the article argues that while‍ passkeys are a great step forward for securing human accounts, they may create new vulnerabilities in a future increasingly reliant on AI‍ agents. They‍ fix the problems of the past but may break ⁣the‍ security of the next generation of the internet.

, , , , , , , ,