Why Passkeys Aren't Ready for Encrypting Your User Data (Yet)
Passkeys are everywhere. GitHub uses them. Google pushes them. Your password manager probably nags you about them. They're the future of authentication, right? Well, yes and no. While passkeys are excellent for passwordless login, there's a critical limitation developers need to understand: don't use them to encrypt user data. Here's why: Passkeys rely on the WebAuthn API's PRF (Pseudo-Random Function) extension to derive encryption keys. Sounds solid, but there's a catch—PRF support is inconsistent across platforms. Your users might authenticate successfully with a passkey but fail to decrypt their data because their device doesn't support PRF. Imagine building an end-to-end encrypted notes app. A user creates an account on their MacBook (PRF supported), encrypts their notes, then tries to access them from their iPhone (PRF might not work). Boom. Data inaccessible. Your support inbox explodes. The safer approach: Use passkeys for authentication, but handle encryption separately with t
Continue reading on Dev.to Webdev
Opens in a new tab
