The 7 Gaps
Passkeys are a genuine step forward for authentication security. But there are things they were never designed to do, and as adoption accelerates those gaps are coming into sharp focus.
1. No human uniqueness verification
Each passkey registration creates a fresh key pair with no link to the person behind it, so FIDO2 has no way to detect when the same individual registers multiple accounts across any number of devices. Multi-accounting fraud and ban evasion are invisible to it.
2. Only as secure as a PIN code
FIDO2 user verification can be satisfied by a PIN or device passcode instead of a biometric, and the relying party sees only a single "user verified" flag, not which method was used. Device farms can therefore authenticate at scale with scripted PIN entry: no face scan, no fingerprint, no limit on accounts created.
3. No continuity of session
Once a user logs in, the passkey's job is done. From then on the server holds only a session token; nothing re-verifies that the same person still holds the device, or even that the device is still the one being used, unless the application asks for a fresh assertion.
4. No link back to onboarding identity
After KYC, the cryptographic trust chain runs device-to-server, not person-to-server. PSD3 and NIST 800-63 now require proof of the person; passkeys alone can't provide it.
5. No age verification
There is no age in a cryptographic key. For gambling, alcohol retail, adult content, or regulated financial products, passkeys offer no compliance mechanism whatsoever.
6. Limited account recovery
Cloud sync improves convenience but introduces risk: the security of every synced passkey is only as strong as the cloud account protecting it. Recovery proves cloud access, not identity.
7. Ecosystem and transition friction
Passkeys aren't fully portable across Apple, Google, and Microsoft. Platform migrations open a window in which weaker fallbacks (passwords, SMS codes) are temporarily reinstated, and attackers actively target that window.
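To make gaps 2 and 6 concrete, here is what a relying party actually receives with every passkey assertion: the authenticatorData blob, whose flags byte carries a single "user verified" bit and two backup bits. This is an added example written for this briefing, not Passkeys Plus code or any vendor's implementation; the byte layout follows the W3C WebAuthn specification (rpIdHash, flags, signCount), the relying-party ID example.com is hypothetical, and the two assertions are constructed for illustration, not captured from real authenticators.

```python
"""Parse WebAuthn authenticatorData and show what a relying party can and
cannot learn from it. Added example, not the page's or vendor's own code.
Layout per the W3C WebAuthn spec: rpIdHash (32 bytes) | flags (1 byte) |
signCount (4 bytes, big-endian) | optional attested data / extensions."""
import hashlib
import struct

# Bits of the flags byte (WebAuthn Level 3, section 6.1)
FLAG_UP = 0x01  # user present (tap / touch)
FLAG_UV = 0x04  # user verified: PIN, passcode OR biometric; the method is not reported
FLAG_BE = 0x08  # backup eligible: credential may be synced to a cloud account
FLAG_BS = 0x10  # backup state: credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data present (registration only)
FLAG_ED = 0x80  # extension data present


def parse_authenticator_data(auth_data: bytes, rp_id: str) -> dict:
    """Return the fields an RP can see; raise on malformed or foreign data."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte minimum")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    return {
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def assess_assertion(auth_data: bytes, rp_id: str, stored_sign_count: int) -> dict:
    """Policy signals an RP can derive from flags alone."""
    fields = parse_authenticator_data(auth_data, rp_id)
    # Gap 6: BE+BS mean the credential lives in a cloud keychain, so account
    # security rests on that cloud account, not on a device in someone's hand.
    fields["synced_credential"] = fields["backup_eligible"] and fields["backed_up"]
    # Synced passkeys commonly report signCount 0 on every assertion, which
    # removes the spec's clone-detection signal entirely.
    new = fields["sign_count"]
    fields["clone_detection_available"] = new != 0 or stored_sign_count != 0
    # Spec rule: if either counter is nonzero and the new one did not advance,
    # the authenticator (or its key) may have been cloned.
    fields["counter_regressed"] = (new != 0 or stored_sign_count != 0) and new <= stored_sign_count
    return fields


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build a constructed authenticatorData blob for the demo (no extensions)."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)


RP_ID = "example.com"  # hypothetical relying party
# Constructed samples: a hardware key unlocked with a PIN (counter advancing),
# and a synced platform passkey unlocked with a face scan (counter fixed at 0).
# Gap 2: both carry the same UV bit; the RP cannot tell PIN from biometric.
PIN_KEY_ASSERTION = make_auth_data(RP_ID, FLAG_UP | FLAG_UV, 42)
SYNCED_BIOMETRIC_ASSERTION = make_auth_data(RP_ID, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)


def verification_methods_distinguishable() -> bool:
    """True only if the flags differ in the UV bit between the two samples."""
    a = parse_authenticator_data(PIN_KEY_ASSERTION, RP_ID)
    b = parse_authenticator_data(SYNCED_BIOMETRIC_ASSERTION, RP_ID)
    return a["user_verified"] != b["user_verified"]


if __name__ == "__main__":
    print("PIN security key:", assess_assertion(PIN_KEY_ASSERTION, RP_ID, stored_sign_count=41))
    print("synced biometric passkey:", assess_assertion(SYNCED_BIOMETRIC_ASSERTION, RP_ID, stored_sign_count=0))
    print("UV bit distinguishes PIN from biometric:", verification_methods_distinguishable())
```

The point of the two samples is that a "require user verification" policy is satisfied identically by a scripted PIN and by a face scan, and that the backup flags (plus a stuck signCount of 0) are the only signals that a credential's security now depends on a cloud account. Any stronger statement about who is holding the device has to come from a layer outside the assertion.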
Each of these gaps has a solution. Passkeys Plus layers server-side facial verification onto your existing passkey implementation, closing all seven without replacing what you’ve already built.
Passkeys by Numbers
Passkeys solve the password problem. But they were never designed to verify the human holding the device.
"Passkeys confirm that an authorised device is present. They cannot confirm who is holding it."
- ATO fraud in the US in 2024: (figure not captured)
- Passkey login success rate vs 63% for traditional authentication: (figure not captured)
- Share of monitored organisations targeted for account takeover in 2024: (figure not captured)
What's in the Paper
A 16-page technical briefing written for security teams, product leaders, and architects evaluating passkey rollouts. Practical, not theoretical.
- Full threat model for each of the 7 gaps
- Privacy-preserving design: what's stored, what's deleted, and when
- The authentication vulnerability timeline: where risk opens after login
- How device-native biometrics fall short of emerging regulatory standards
- A three-way capability comparison: SMS / passkeys / passkeys + human verification
- How facial biometrics address each gap as a complementary layer
- PSD3, FFIEC, FinCEN, NIST 800-63 compliance implications