Passkeys Pose Hidden Risks in Abusive Relationships

A new study reveals that passkeys - widely promoted as a safer login method compared with passwords - may unintentionally expose users to serious risks in situations involving interpersonal abuse. The research introduces the first framework for analyzing how digital authentication tools can be exploited in contexts such as intimate partner violence, elder abuse and human trafficking.

The study was presented Aug. 15 at the 2025 USENIX Security Symposium in Seattle. The research was led by Ph.D. candidates Alaa Daffalla and Arkaprabha Bhattacharya; Thomas Ristenpart, professor at Cornell Tech and the Cornell Ann S. Bowers College of Computing and Information Science; Nicola Dell, associate professor at Cornell Tech; and researchers at New York University and the University of Wisconsin, Madison.

"As new authentication mechanisms are rolled out by tech companies, it's crucial to consider how they might be exploited to enable interpersonal abuse," said Dell, who is also affiliated with Cornell Bowers. "Our goal in this study is to discover how passkeys might be abused, with the hope of helping to make passkeys safer for everyone in the future."

To investigate the potential for harm, the team developed a six-stage "abusability analysis" framework. This approach helps researchers and product teams identify how features designed for convenience or security might be misused by someone with physical or remote access to a victim's device. The framework was applied to 19 widely used services that support passkeys, including platforms like Google, Amazon, PayPal, and TikTok.

The research team uncovered seven distinct ways that passkeys could be misused in abusive contexts. These "abuse vectors" ranged from relatively simple tactics - like adding an attacker's fingerprint to a shared device - to more technical maneuvers, such as cloning a passkey to another device using AirDrop or cloud synchronization. In some cases, attackers could even manipulate the appearance of account security settings to mislead or intimidate victims.

One scenario explored in the study involved an attacker who, after briefly accessing a victim's unlocked phone, exported a passkey and used it to quietly monitor the victim's account activity over time. In another, an attacker logged into a victim's account remotely and revoked their passkeys, effectively locking them out with no clear path to recovery. Across the board, the researchers found that many services failed to notify users when these changes occurred - or offered no tools to detect or undo them.

The team's findings point to widespread inconsistencies in how passkeys are implemented and managed across platforms, the researchers said. Some services lacked basic features like passkey revocation or session management. Others allowed attackers to spoof device names or login locations, making it difficult for victims to recognize when something was wrong. In many cases, users had no way to see whether their accounts had been compromised at all.

To help address these gaps, the researchers outlined a set of practical recommendations. These include improving user interfaces for managing passkeys, sending clear notifications when credentials are added or removed, and placing tighter restrictions on how passkeys can be exported or shared. They also urged companies to adopt the abusability analysis framework as part of their product development process, so they can identify and mitigate potential risks before new features go live.
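The notification, revocation and recovery recommendations above can be made concrete on the relying-party side. The following Python model is an added example written for this page; it is not code from the study or from any of the 19 services it examined. It assumes (these are assumptions, not findings reported in the article) a service that keeps a server-side audit log of passkey additions and removals, sends a notification to every verified contact channel on each change rather than only to the device that made it, records the user-chosen device label separately from a server-observed session identifier because labels can be spoofed, and keeps a removed passkey restorable for a grace period so that a lock-out has a recovery path. The account, session and credential values are constructed sample data.

```python
"""Relying-party model of auditable, notifiable, undoable passkey changes.

Added example; not the study's code nor any real service's implementation.
Assumed policy (not from the article): removals are soft-deletes that stay
restorable for GRACE_PERIOD, and every change notifies all verified channels.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

GRACE_PERIOD = timedelta(days=7)  # assumed window in which a removal can be undone


@dataclass
class Passkey:
    credential_id: str
    device_name: str                 # user-chosen label; treat as untrusted, it can be spoofed
    created_at: datetime
    revoked_at: Optional[datetime] = None


@dataclass
class Account:
    user_id: str
    contacts: List[str]              # verified notification channels (constructed sample data)
    passkeys: Dict[str, Passkey] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)
    outbox: List[Tuple[str, str]] = field(default_factory=list)  # (channel, message) queued


def _record_and_notify(acct: Account, event: str, cred_id: str,
                       actor_session: str, now: datetime) -> None:
    """Append an audit entry and queue a message to every verified channel.

    Notifying all channels, not just the session that made the change, is the
    point: a change made from someone else's hands still reaches the owner.
    """
    pk = acct.passkeys[cred_id]
    entry = {
        "event": event,
        "credential_id": cred_id,
        "device_label": pk.device_name,  # shown to the user, never relied on
        "actor_session": actor_session,  # server-observed, not user-editable
        "at": now.isoformat(),
    }
    acct.audit_log.append(entry)
    msg = (f"Passkey '{pk.device_name}' ({cred_id}) {event} at {entry['at']} "
           f"from session {actor_session}")
    for channel in acct.contacts:
        acct.outbox.append((channel, msg))


def add_passkey(acct: Account, cred_id: str, device_name: str,
                actor_session: str, now: datetime) -> Passkey:
    if cred_id in acct.passkeys:
        raise ValueError("credential already registered")
    acct.passkeys[cred_id] = Passkey(cred_id, device_name, now)
    _record_and_notify(acct, "added", cred_id, actor_session, now)
    return acct.passkeys[cred_id]


def revoke_passkey(acct: Account, cred_id: str, actor_session: str, now: datetime) -> None:
    """Soft-delete: the credential stops working at once but stays restorable."""
    pk = acct.passkeys[cred_id]
    if pk.revoked_at is not None:
        return
    pk.revoked_at = now
    _record_and_notify(acct, "removed", cred_id, actor_session, now)


def restore_passkey(acct: Account, cred_id: str, actor_session: str, now: datetime) -> bool:
    """Undo a removal inside GRACE_PERIOD; False if the window has passed."""
    pk = acct.passkeys.get(cred_id)
    if pk is None or pk.revoked_at is None or now - pk.revoked_at > GRACE_PERIOD:
        return False
    pk.revoked_at = None
    _record_and_notify(acct, "restored", cred_id, actor_session, now)
    return True


def active_passkeys(acct: Account) -> List[str]:
    return [c for c, pk in acct.passkeys.items() if pk.revoked_at is None]


def changes_not_from_session(acct: Account, session_id: str) -> List[dict]:
    """Audit entries made from other sessions: the 'was this me?' review list."""
    return [e for e in acct.audit_log if e["actor_session"] != session_id]


def demo_scenario() -> Account:
    """Constructed walk-through: an unknown session adds a passkey with the same
    label as the owner's, removes the owner's, and the owner later restores it."""
    acct = Account("user-1", ["owner@example.com", "sms:+1-555-0100"])
    t0 = datetime(2025, 8, 15, 12, 0, tzinfo=timezone.utc)
    add_passkey(acct, "cred-owner", "My phone", "sess-owner", t0)
    add_passkey(acct, "cred-unknown", "My phone", "sess-other", t0 + timedelta(hours=1))
    revoke_passkey(acct, "cred-owner", "sess-other", t0 + timedelta(hours=2))
    restore_passkey(acct, "cred-owner", "sess-owner", t0 + timedelta(days=1))
    return acct


def expired_restore_case() -> bool:
    """Constructed case where the owner notices too late for the grace window."""
    acct = Account("user-2", ["owner2@example.com"])
    t0 = datetime(2025, 8, 15, tzinfo=timezone.utc)
    add_passkey(acct, "cred-x", "Laptop", "sess-owner", t0)
    revoke_passkey(acct, "cred-x", "sess-other", t0 + timedelta(hours=1))
    return restore_passkey(acct, "cred-x", "sess-owner", t0 + timedelta(days=30))


if __name__ == "__main__":
    acct = demo_scenario()
    for e in changes_not_from_session(acct, "sess-owner"):
        print("review:", e)
    print("active:", active_passkeys(acct), "queued notifications:", len(acct.outbox))
```

The two passkeys in the demo carry the identical label "My phone", which is why the review list keys on the server-observed session rather than the label; the grace-period soft-delete is what turns the lock-out scenario described above from permanent into recoverable, provided the owner has a channel that still receives the notification.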

While passkeys offer strong protection against phishing and other technical threats, the study emphasizes that security tools must also account for the social dynamics of abuse. By centering the needs of at-risk users, the research provides a roadmap for building safer, more inclusive digital authentication systems, the researchers said.

This research is supported in part by the Baldwin Wisconsin Idea Grant, the National Science Foundation and the Google Cyber NYC Program.

Grace Stanley is a staff writer-editor for Cornell Tech.
