Part of the "passkeys are more secure than passwords" story is derived from the fact that passkeys are non-human-readable secrets -- stored somewhere on your device -- that even you have very limited access to.
OK, so what happens to those passkeys if your device is stolen?
Over on Spiceworks.com, ZDNET's sister site for IT professionals, a community member posed some insightful passkey edge case questions regarding my ZDNET story about the industry needing to get its passkey story straight if the relatively new authentication technology is to stand any chance of fulfilling its ambitions to replace passwords.
In one of those questions, Spiceworks member GMXO asked, "What if the device is stolen? How do I prevent the thief from exploiting [any passkeys that are stored on it]?" Code98765, another member, noted that "these edge cases don't get talked about enough."
In most circumstances, once you've enrolled a passkey to work with a certain website or app, your device has everything it needs to sign into that site or app. It's not much of a leap, then, to regard a passkey's relationship to your device as if it were a keyfob to your car. So, for anybody just starting out with passkeys, "what if the device is stolen?" is a pretty obvious question to ask. But unlike the keyfob to your car, which gives the thief everything needed to steal the car, there are a variety of obstacles that should prevent a thief from using your "stolen" passkeys to access your accounts.
Spiceworks member m@ttshaw, who self-identifies as a solution architect from the UK, correctly responded that it's "dependent on the security used to protect the passkeys on that device."
Another member from the UK -- itskieran -- chimed in that "if you can remotely wipe your phone and/or it's protected by a strong PIN or password and set to auto-wipe after a certain number of attempts, then you should be safe. Also, at least on Android, you have to authenticate with your biometrics a second time to allow the passkey to be used."
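The second-factor step itskieran describes (a PIN or biometric before the passkey can be used) is something the website or app can insist on from its side, too: a WebAuthn authenticator reports in the authenticatorData it signs whether the user was merely present (the UP flag) or actually verified (the UV flag), and a relying party can refuse an assertion that lacks UV. The following Python is an added example written for this article; it is not code from ZDNET, Spiceworks, or any passkey vendor. It parses the fixed 37-byte prefix of authenticatorData as laid out in the WebAuthn spec and applies the policy checks a server would run on top of (not instead of) verifying the signature; the authenticatorData blobs it feeds in are constructed locally, and `example.com` is a placeholder relying-party ID.

```python
import hashlib
import struct

# Bit positions in the WebAuthn authenticatorData "flags" byte (per the spec).
FLAG_USER_PRESENT = 0x01   # UP: someone interacted with the authenticator
FLAG_USER_VERIFIED = 0x04  # UV: the user unlocked it with a PIN, biometric, etc.


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the 37-byte fixed prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_USER_PRESENT),
        "user_verified": bool(flags & FLAG_USER_VERIFIED),
        "sign_count": sign_count,
    }


def check_assertion_policy(auth_data: bytes, expected_rp_id: str,
                           last_sign_count: int, require_uv: bool = True):
    """Relying-party policy on a passkey assertion.

    Returns (accepted, reason). Assumes the signature over
    authenticatorData || SHA-256(clientDataJSON) has already been verified
    against the public key enrolled for this credential; these checks are
    layered on top of that, they do not replace it.
    """
    parsed = parse_authenticator_data(auth_data)

    # The authenticator binds the assertion to the site it was created for.
    if parsed["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"

    if not parsed["user_present"]:
        return False, "UP flag not set"

    # This is the server-side counterpart of the PIN/biometric gate on the
    # device: if the authenticator did not verify the user, do not accept
    # the sign-in even though the signature is mathematically valid.
    if require_uv and not parsed["user_verified"]:
        return False, "UV flag not set: authenticator did not verify the user"

    # Signature counter: if either side reports a non-zero value, the new
    # value must increase. Synced passkeys commonly report 0, which the spec
    # permits, so two zeros are not treated as an error here.
    if parsed["sign_count"] != 0 or last_sign_count != 0:
        if parsed["sign_count"] <= last_sign_count:
            return False, "signature counter did not increase"

    return True, "ok"


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed authenticatorData prefix for local testing (no attested
    credential data or extensions appended)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    rp = "example.com"  # placeholder relying-party ID
    # Constructed sample: UP + UV set, counter advanced from 9 to 10.
    print(check_assertion_policy(make_auth_data(rp, 0x05, 10), rp, 9))
    # Constructed sample: UP only, as a thief holding an unlocked-but-unverified
    # authenticator might produce; rejected by policy.
    print(check_assertion_policy(make_auth_data(rp, 0x01, 11), rp, 9))
```

Whether UV is required is the relying party's choice at both registration (`userVerification: "required"` in the WebAuthn options) and assertion time; the check above is the assertion-time half, and the point of it is that a valid signature alone is not proof the legitimate user unlocked the device.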