By Mark Kraynak, Contributor
Copyright Forbes
AI agents and users will collaborate to bend passkeys to their will, undermining the security gains passkeys represent.
Stop using passwords. That’s the advice from Apple, Google and Microsoft, all of which are pushing passkeys. Banking apps nudge customers to enable them. Retailers roll them out to cut fraud. After years of preaching about password hygiene, the industry has finally settled on passkeys as the way to drag authentication into the 21st century.
And in many ways, they do exactly that. Passkeys, which replace passwords with cryptography, solve two stubborn problems: authenticating users on websites and providing multi-factor authentication. The promise is better security with fewer headaches.
But there is a wrinkle. Passkeys are designed to authenticate human beings, not autonomous AI agents. And as enterprises start wiring AI into workflows, that mismatch is going to cause serious problems.
Passkeys in a Nutshell
The marketing pitch is straightforward: passwords are insecure, not to mention annoying. They are easy to phish, hard to remember and lead to endless resets. Forced rotations made things worse by encouraging users to scribble them on sticky notes or reuse them across sites, which in turn created the password manager market.
With passkeys, instead of a shared secret, the server stores a public key. The user’s device holds the private key, typically secured with a biometric login like Face ID or a fingerprint. When you log in, your device signs a challenge with the private key to prove you are who you say you are.
This eliminates phishing for shared secrets and creates mutual authentication: the site proves it is legitimate, and you prove you are the intended user. That closes a loophole that attackers have exploited for decades.
On paper, it’s a win. In practice, it simply trades one dependency for another. Instead of protecting passwords, you are now protecting the device or cloud service that stores your private key. If that is iCloud, then the security of your passkeys is only as strong as Apple’s policy requiring two-factor authentication on your account. If that is a password manager, then the passkey may ultimately be gated by, yes, a password.
Still, compared with the alternatives, passkeys are a meaningful upgrade… for human users.
Where AI Comes In
Passkeys are tied to people and devices, but they are not designed to authenticate software agents that act on a user’s behalf. If you want an AI agent to complete a workflow that requires authentication, there aren’t currently any great options. OAuth, an authentication standard associated with passkeys, does have an option for “delegated access.” It is most commonly used for social login, and while it is widely adopted on the largest internet sites, it is active on just over 1% of sites.
Further, using this would require the delegator (the human) to provide granular details on what an agent could do. Based on past mainstream user behavior, that friction is likely to cause new unintended consequences as users work around it, much like the ubiquitous Post-it notes on monitors with user passwords there for the taking. Outside of that, users have essentially two options: deny the agent access, or hand it full credentials (or full access via OAuth delegation).
But handing an agent your credentials rather than limited access for a specific task creates a new category of risk. AI agents operate at machine speed and scale. Given too much access, they can pull data from systems faster than any human could. If they replicate themselves into sub-agents, or if malicious actors create an agent to impersonate your agent, the blast radius grows dramatically. You end up with the digital equivalent of a password reused everywhere, the exact pattern the industry has been trying to end for decades.
In other words, passkeys fix the problems of the last generation of the internet, but they may break the next one.
A Familiar Pattern
This would not be the first time a well-intentioned security control backfired. Forced password rotations were once considered best practice. Once implemented, however, they spawned insecure behaviors. Users wrote them down, picked predictable sequences or stuck to a handful of minor variations.
Multi-factor authentication faced similar resistance. A decade ago, many consumer sites considered MFA a non-starter because they believed any sign-in friction would cause user abandonment. They were right, but the fraud and compromise rates eventually made MFA unavoidable.
Passkeys are the next iteration of this cycle. They are marketed as the solution to phishing and weak passwords, and to some extent, they are. But their design assumes a user is a person holding a device or in control of a cloud account like iCloud or a password manager. That assumption will not hold in an enterprise where AI agents negotiate contracts, manage supply chains or reconcile invoices.
How Passkeys Really Work
Understanding why requires digging into the mechanics.
A password is a single factor, a shared secret between the user and the server. Passkeys eliminate shared secrets by splitting the credential into a public/private key pair. The server holds the public key, which anyone can know. The device holds the private key, which is used to sign challenges during login.
That design is what enables phishing resistance. An attacker cannot simply trick you into handing over your private key because the private key never leaves the device.
But the device-centric model becomes a problem when the “user” is not a person with a smartphone but an AI agent running somewhere else. The agent cannot present a biometric factor. It cannot store a passkey on an iPhone. It cannot sync with iCloud (well, it shouldn’t be able to do this, and if it does, it would get full access). The workaround becomes predictable: humans will proxy their credentials to agents. That is to say, the desire to use AI will put us back to square one on login security.
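To make the mechanism in this section concrete, here is an added illustration in Go (not code from the article or from any passkey vendor) of the challenge signing described above: the server keeps only the public key, the device signs a fresh challenge together with the origin it was actually shown, and the server rejects an assertion whose origin or challenge does not match. The names Device, NewDevice, Sign and Verify, the relying-party ID "bank.example" and the look-alike origin are constructed for the example, and the signed message is a cut-down version of what WebAuthn actually signs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// ClientData mirrors the browser-filled fields of WebAuthn's clientDataJSON.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// Device models the authenticator: it holds the private key and never exports it.
type Device struct{ priv ed25519.PrivateKey }

// NewDevice enrolls a passkey; only the public key is sent to the server.
func NewDevice() (ed25519.PublicKey, Device) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, Device{priv: priv}
}
// signedMessage is a simplified authenticatorData || sha256(clientDataJSON) (assumption, not the full WebAuthn layout).
func signedMessage(rpID string, clientData []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientData)
	return append(rpHash[:], cdHash[:]...)
}
// Sign answers a challenge; the browser, not the user, supplies the origin it is really on.
func (d Device) Sign(rpID, origin, challenge string) (clientData, sig []byte) {
	clientData, _ = json.Marshal(ClientData{Challenge: challenge, Origin: origin})
	return clientData, ed25519.Sign(d.priv, signedMessage(rpID, clientData))
}
// Verify is the server's check: its own challenge, its expected origin, and a valid signature over both.
func Verify(pub ed25519.PublicKey, rpID, origin, challenge string, clientData, sig []byte) bool {
	var cd ClientData
	if json.Unmarshal(clientData, &cd) != nil || cd.Challenge != challenge || cd.Origin != origin {
		return false
	}
	return ed25519.Verify(pub, signedMessage(rpID, clientData), sig)
}

func main() {
	pub, dev := NewDevice()
	cd, sig := dev.Sign("bank.example", "https://bank-login.example", "c1") // assertion made on a look-alike site
	fmt.Println("accepted:", Verify(pub, "bank.example", "https://bank.example", "c1", cd, sig)) // false
}
```

The private key is never handed out, which is the phishing resistance the article describes; the flip side is that anything holding that key, a proxied agent included, can answer every challenge for the account.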
Over-permissioned by Design
Once agents have human credentials, they inherit all the privileges of the human account. That is convenient, but it is also dangerous. The history of security is filled with examples of over-permissioned accounts being abused. AI simply accelerates the timeline.
If an agent is given a passkey tied to a CFO’s device, it could potentially initiate transactions or access sensitive records well beyond the intended scope of a specific task. If that agent spawns sub-agents and hands off the same credentials, or worse, a bad actor creates an agent to impersonate the good agent (and I’m certain these kinds of attacks are on the way), the sprawl multiplies.
This is the “recipe for disaster” moment. Passkeys, meant to eliminate insecure behavior, are likely to incentivize new insecure behaviors that arguably will be worse because of the power of the AI they are meant to enable.
Implications for Enterprises
For businesses, the stakes are clear.
Operational risk: Outages caused by expired or mismanaged credentials are common enough with human users. Add AI into the mix, and the pace and scale of mistakes increase.
Compliance risk: Regulators expect audit trails showing who did what, when. If an agent is using a human’s credentials, you lose that attribution.
Security risk: Agents armed with human-level access become high-value targets for attackers. Compromise one, and you compromise the account behind it.
In other words, passkeys may solve phishing, but they create new questions about identity, accountability and privilege in an AI-driven environment.
What Needs to Change
The fundamental issue is that passkeys bind identity to a device and a person, not to an autonomous system. Solving this requires a new approach:
Agent-specific identities: Instead of proxying human credentials, agents should have their own cryptographic identities with limited, auditable permissions.
Intent-based authorization: Access decisions should account for what the agent is trying to do, not just who it represents.
Stronger governance: Organizations need policies that prevent uncontrolled credential sharing and track agent activity with the same rigor as human users.
These are not small changes. They imply new standards, new infrastructure and likely new categories of vendors. But without them, enterprises risk repeating the mistakes of the password era at machine scale.
As AI agents become a fixture in business operations, the limitations of passkeys will become more apparent. What was once a long-awaited security win will turn into a security liability if the industry does not adapt.