Original: Simon Willison · 27/02/2026
Summary
The article argues against using passkeys for encrypting user data, highlighting the risks of users losing their passkeys and the irreversible encryption of their data.
Key Insights
“Because users lose their passkeys all the time, and may not understand that their data has been irreversibly encrypted using them.” — Discussing the risks associated with using passkeys for data encryption.
“To the wider identity industry: please stop promoting and using passkeys to encrypt user data.” — A plea to the identity industry regarding the use of passkeys.
Full Article
27th February 2026 - Link Blog
Please, please, please stop using passkeys for encrypting user data (via)
Because users lose their passkeys all the time, and may not understand that their data has been irreversibly encrypted using them and can no longer be recovered.
Tim Cappalli:
To the wider identity industry: please stop promoting and using passkeys to encrypt user data. I’m begging you. Let them be great, phishing-resistant authentication credentials.
Posted 27th February 2026 at 10:49 pm
Originally published at https://simonwillison.net/2026/Feb/27/passkeys/#atom-everything.