According to Microsoft and Google, Passkeys Alone Aren't Enough to Stop Hackers
A recent Forbes article highlighted a critical warning from Google and Microsoft: passkeys alone may not stop hackers. While passkeys represent a major leap forward in authentication security, both tech giants are now cautioning that the weakest link isn't the passkey itself; it's what happens when users need to recover their accounts.
As Microsoft puts it: "Each account is only as secure as its weakest credential."
The hidden vulnerability: account recovery
The problem is straightforward but serious. Even when organizations deploy FIDO2-certified passkeys to eliminate phishing and credential theft, most accounts still maintain fallback authentication methods (passwords, SMS codes, or simple email recovery flows).
These legacy methods remain attached to accounts "just in case" users lose access to their passkeys, and that's exactly where attackers are focusing their efforts.
How attackers exploit recovery flows
According to the Forbes article, cybercriminals are increasingly targeting account recovery processes rather than attacking passkeys directly. An attacker can simply claim to have "lost" a passkey and exploit weaker recovery credentials to bypass the entire passwordless system.
The two-step verification trap
Google warns that "even when you normally use a passkey, it's important to secure your account with two-step verification" to prevent someone from impersonating you during recovery. But if that 2SV relies on SMS codes or weak authentication, the vulnerability persists.
What Microsoft and NIST recommend
Microsoft's guidance is clear: eliminate phishable credentials entirely.
For high-assurance recovery, they recommend what NIST 800-63-3 specifies: government-issued ID verification combined with biometric authentication.
The best recovery method, according to Microsoft, is using a passkey on a different device (or, as a backup, requiring users to provide ID verification and a face scan to prove their identity before resetting access).
This is the only way to ensure that account recovery flows maintain the same security posture as the passkey authentication itself.
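As an added illustration of the "weakest credential" principle above, not code from the article, Microsoft, Google or 1Kosmos, this script audits constructed account configurations and reports any recovery path that undercuts the passkey. The method ranking and the sample accounts are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed ranking for this example: (assurance level, phishing resistant).
# Levels loosely follow the NIST 800-63 AAL idea: 1 = single weak factor,
# 2 = software MFA, 3 = hardware-bound or identity-proofed.
METHODS = {
    "passkey": (3, True),                # FIDO2 passkey on the primary device
    "passkey_other_device": (3, True),   # Microsoft's preferred recovery path
    "id_doc_plus_biometric": (3, True),  # document check + face match, 800-63-3 style
    "totp_app": (2, False),
    "sms_code": (1, False),
    "email_link": (1, False),
    "password": (1, False),
}

@dataclass
class Account:
    user: str
    primary: list    # methods that must all pass for normal sign-in
    recovery: list   # each entry is one recovery path (a list of methods)

def path_strength(path):
    """Assumption: a path's level is set by its strongest factor (that factor
    gates the path) and it resists phishing only if at least one factor does.
    Two phishable factors stacked together stay phishable (the 2SV trap)."""
    ranks = [METHODS[m] for m in path]
    return max(level for level, _ in ranks), any(res for _, res in ranks)

def weakest_path(account):
    """Attackers pick the easiest door: return ((level, resistant), path)
    for the weakest sign-in or recovery path on the account."""
    paths = [account.primary] + account.recovery
    return min(((path_strength(p), p) for p in paths), key=lambda t: t[0])

def audit(account):
    """Flag every recovery path weaker than the primary sign-in path."""
    p_level, p_resistant = path_strength(account.primary)
    findings = []
    for path in account.recovery:
        level, resistant = path_strength(path)
        if level < p_level or (p_resistant and not resistant):
            findings.append(f"{account.user}: recovery via {'+'.join(path)} "
                            f"(level {level}, phishing-resistant={resistant}) "
                            f"undercuts primary {'+'.join(account.primary)}")
    return findings

if __name__ == "__main__":
    weak = Account("alice", ["passkey"], [["password", "sms_code"], ["email_link"]])
    strong = Account("bob", ["passkey"], [["passkey_other_device"], ["id_doc_plus_biometric"]])
    for acct in (weak, strong):
        print(acct.user, "weakest path:", weakest_path(acct), audit(acct) or "OK")
```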
The 1Kosmos difference: passkeys + strong identity assurance
While basic passkey implementations leave the recovery door open to attack, 1Kosmos combines FIDO2-certified passwordless authentication with identity-based recovery (exactly what Microsoft and NIST recommend).
Here's how 1Kosmos solves the recovery vulnerability:
1. Identity proofing at enrollment
Before users ever authenticate with a passkey, 1Kosmos verifies their identity using government-issued documents (driver's licenses, passports, national IDs), supporting thousands of document types across 190+ countries. This creates a verified digital identity that can be reused for recovery (not a weak password or SMS code).
2. Biometric-based recovery
If a user needs to recover account access, 1Kosmos uses biometric re-verification (LiveID) matched against the original identity document. No passwords, SMS codes, or phishable credentials. Just the user's verified face and government ID.
3. No weak fallback methods
Unlike implementations that still rely on passwords or SMS for "just in case" scenarios, 1Kosmos eliminates these attack surfaces entirely. Recovery flows use the same high-assurance identity verification that NIST and Microsoft recommend (biometrics + document verification).
4. NIST 800-63-3 and FedRAMP High certified
1Kosmos is certified to NIST 800-63-3 standards for identity proofing and authentication and FedRAMP High certified, meeting the most stringent government security requirements. The platform is also authorized for DoD IL4 as of 2026.
5. Reusable identity across use cases
Once a user's identity is verified, it can be reused across multiple scenarios (account onboarding and new hire verification, authentication, password reset, help desk verification, and account recovery), all without introducing weak credentials back into the system.
Real-world results
Organizations have deployed 1Kosmos to solve exactly this problem:
A major office supply retailer uses 1Kosmos identity verification for help desk password resets, preventing social engineering attacks by requiring biometric and document verification before resetting credentials.
A leading home improvement retailer leverages 1Kosmos IDV to prevent fraud at checkout and during account recovery, achieving significant fraud reduction.
These deployments show that when passkeys are combined with strong identity assurance, organizations can eliminate the recovery flow vulnerability entirely.
The bottom line
Google and Microsoft are right to warn that passkeys alone aren't a complete solution. The recovery flow is the new attack surface (and it requires the same level of security as the passkey itself).
1Kosmos delivers that complete solution: FIDO2-certified passkeys backed by government ID verification and biometric authentication for recovery. No weak fallback credentials or phishable recovery flows. Just strong, identity-based security from enrollment through authentication and recovery.
If your organization is deploying passkeys, make sure you're not leaving the back door open. The strongest passkey in the world won't help if an attacker can bypass it through a weak recovery process.
Learn more about how 1Kosmos combines passwordless authentication with identity assurance, or get in touch to see how it works.
About the author
1Kosmos
1Kosmos enables remote identity verification and passwordless multi-factor authentication for users to securely transact with digital services.