Researchers uncover hidden risks of passkeys in abusive relationships
Source: https://techxplore.com/news/2025-08-uncover-hidden-passkeys-abusive-relationships.html
AI Analysis
Technical Summary
The reported security concern revolves around the use of passkeys (cryptographic credentials designed to replace traditional passwords) in the context of abusive relationships. Passkeys leverage public-key cryptography to provide a more secure and phishing-resistant authentication mechanism.

However, researchers have identified hidden risks when passkeys are used by individuals in abusive or coercive interpersonal situations. In such scenarios, an abuser may gain unauthorized access to a victim's devices or accounts by exploiting the persistent and device-bound nature of passkeys. Unlike passwords, which can be changed or reset, passkeys are often tied to a user's hardware and biometric or PIN authentication, potentially making it difficult for victims to revoke access or detect unauthorized use.

The threat is not a technical vulnerability in the passkey protocol itself but rather a socio-technical risk arising from the way passkeys are managed and controlled on devices. This can lead to situations where an abuser, having physical or remote access to a victim's device, can authenticate as the victim without their knowledge or consent, thereby compromising confidentiality and privacy. The issue highlights the need for awareness and additional protective measures for vulnerable users, especially in contexts where coercion or abuse is present. It is a medium-severity concern because it does not stem from a cryptographic failure but from the interaction between technology design and human factors in sensitive environments.
Potential Impact
For European organizations, the direct technical impact of this threat is limited since it primarily concerns individual users in abusive relationships rather than systemic vulnerabilities in enterprise systems. However, organizations that provide authentication services, identity management, or user support may face increased demand for features that allow victims to regain control over their accounts and devices. Privacy and data protection regulations in Europe, such as GDPR, emphasize user rights and data security, so organizations must consider these socio-technical risks when deploying passkey-based authentication. Failure to address these concerns could lead to reputational damage, legal liabilities, and erosion of user trust, especially for service providers catering to vulnerable populations. Additionally, organizations involved in employee security awareness and support should incorporate guidance on the risks of passkeys in abusive contexts to protect staff members. Overall, the impact is more social and user-centric than a direct threat to organizational IT infrastructure.
Mitigation Recommendations
Mitigation should focus on empowering users and service providers to handle passkey-related risks in abusive situations. Specific recommendations include:

1. Implementing easy-to-use account recovery and passkey revocation mechanisms that do not rely solely on the compromised device or biometric factors.
2. Providing clear user education and warnings about the risks of device-bound authentication in coercive environments.
3. Offering alternative authentication options or emergency access controls that victims can use to regain control without alerting abusers.
4. Encouraging organizations to integrate support channels for users facing abuse, including confidential help and guidance on securing accounts.
5. Designing passkey management interfaces that allow users to view and remove registered devices and credentials remotely.
6. Collaborating with advocacy groups and legal entities to raise awareness and develop best practices for protecting vulnerable users.

These measures go beyond generic advice by addressing the unique challenges posed by passkeys in abusive relationships and focusing on user empowerment and support.
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Norway, Denmark, Finland
Technical Details
- Source Type: Subreddit
- Subreddit: InfoSecNews
- Reddit Score: 1
- Discussion Level: minimal
- Content Source: reddit_link_post
- Domain: techxplore.com
- Newsworthiness Assessment: {"score":27.1,"reasons":["external_link","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":[]}
- Has External Source: true
- Trusted Domain: false
Threat ID: 68a79787ad5a09ad0018a12b
Added to database: 8/21/2025, 10:02:47 PM
Last enriched: 8/21/2025, 10:02:55 PM
Last updated: 10/7/2025, 1:49:58 PM
Views: 49