Lost Passkey
We lose keys and we find keys and we get new keys. We just have to find the ones that unlock the right doors. – Dan Groat
How does a developer handle a lost Passkey, and what does that actually mean? The private key of a Passkey lives in the keychain of the client device, so losing a Passkey usually means losing the device. This happens more often than you might think: phones are stolen or simply misplaced. If the user has no other device on the same keychain, such as a tablet or desktop computer, losing the phone can lock them out of every account that depends on that Passkey.
So, how can this be mitigated? If an iPhone or Android phone is lost, the keychain containing the Passkeys can usually be restored to a replacement phone once the user signs in to the same Apple ID or Google account, because Passkeys held in iCloud Keychain or Google Password Manager are synced rather than bound to a single device. In this case, access is only interrupted until the new phone is set up and the keychain has synced. The caveat is that Passkeys created on a hardware security key, or on a platform configured to keep them device-bound, do not sync and are gone with the device.
Another strategy, recommended by the FIDO Alliance (the consortium behind Passkeys), is to register a second Passkey on a backup device as a safety net, even if that device belongs to a different keychain. For example, an iPhone user could register a backup on a second iPhone signed in to a different Apple ID, or on an Android device. This is unnecessary if the iPhone user already has an iPad or Mac signed in to the same iCloud account as the phone, since every device on that keychain shares the same Passkeys.
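A relying party can tell at registration time whether a new Passkey is synced or device-bound, and therefore whether the user should be nudged to add a backup as described above. The example below is added here and is not part of the original page or of AppKey's own code: it parses the fixed prefix of the WebAuthn authenticator data, reads the BE (backup eligible) and BS (backup state) flag bits, checks the RP ID hash, and applies a simple backup-prompt policy. The policy itself, the function names, and the `example.com` RP ID are assumptions made for this illustration; the sample authenticator data is constructed, not captured from a real device.

```python
import hashlib
import struct
from dataclasses import dataclass

# Bits of the WebAuthn authenticatorData flags byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced to a keychain
FLAG_BS = 0x10  # backup state: credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data follows the prefix
FLAG_ED = 0x80  # extension data follows


@dataclass(frozen=True)
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_auth_data(raw: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix of authenticatorData:
    rpIdHash[32] | flags[1] | signCount[4] (big-endian)."""
    if len(raw) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return AuthData(raw[:32], raw[32], sign_count)


def check_rp_id(ad: AuthData, rp_id: str) -> bool:
    """The credential must have been created for our RP ID, not another site's."""
    return ad.rp_id_hash == hashlib.sha256(rp_id.encode()).digest()


def is_synced(ad: AuthData) -> bool:
    """True only when the passkey is both eligible for backup and actually
    backed up. BE set with BS clear means keychain sync is off on that device,
    so the credential is effectively device-bound."""
    return bool(ad.flags & FLAG_BE) and bool(ad.flags & FLAG_BS)


def needs_backup_prompt(creds: list[AuthData]) -> bool:
    """Policy (an assumption for this example): prompt the user to add a backup
    passkey unless they already hold a synced passkey, which a replacement
    phone on the same keychain restores, or at least two credentials."""
    if len(creds) >= 2:
        return False
    return not any(is_synced(c) for c in creds)


def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Build a constructed authenticatorData prefix for offline use."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


# Constructed samples (not captured from real authenticators).
SYNCED = parse_auth_data(make_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS))
DEVICE_BOUND = parse_auth_data(make_auth_data("example.com", FLAG_UP | FLAG_UV))
ELIGIBLE_NOT_BACKED_UP = parse_auth_data(make_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE))

if __name__ == "__main__":
    for name, cred in [("synced", SYNCED), ("device-bound", DEVICE_BOUND),
                       ("eligible, sync off", ELIGIBLE_NOT_BACKED_UP)]:
        print(f"{name}: synced={is_synced(cred)} prompt={needs_backup_prompt([cred])}")
```

In a real registration handler the `raw` bytes come from the attestation object's authData field, and the RP ID check should fail the ceremony rather than just return False; the flag bits are the part a developer has to read to decide whether a user is one lost phone away from being locked out.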
Lastly, there is the scenario where a user deletes a Passkey from the keychain through the device's Settings, outside the app itself. It isn't common, but it happens; chalk it up to user error. It is important to remember that the AppKey Server only manages the public key half of a Passkey; the private key is controlled by the device's keychain. Nor can an application programmatically delete Passkeys from a device's keychain: the user must do so explicitly, as it should be. From the server's point of view a deleted Passkey looks exactly like a lost device: the account still has a registered public key, but no device can produce a signature for it. A user who deletes a Passkey by accident is therefore locked out of the app, so there needs to be a way to handle this edge case.
Restoring a Passkey should look like setting up the original one: the user goes through the same registration steps they followed at account creation. However, this must not be the default, self-service recovery path. If a user's email or phone handle is compromised, an attacker could use it to register a Passkey of their own and take over more sensitive accounts. With email/password systems, account recovery is in fact often the biggest security vulnerability. Telling a legitimate user in distress apart from an attacker trying to gain access is difficult, if not impossible, to do purely through algorithms. This is why AppKey relies on the developer to explicitly allow a user to restore a Passkey should it be lost.
For Passkey restoration, the user contacts the application provider, and once the provider has approved the request the user receives a restoration confirmation code. The code is evidence that a person at the provider approved the restoration; it is not issued automatically by the AppKey Server. The code should carry a time limit. With a valid code the user proceeds to restore the Passkey, and during that process ownership of the user handle (email or phone) is re-verified with a second confirmation code, so that neither a stolen handle alone nor a leaked restoration code alone is enough to register a new Passkey.
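The two-code restoration gate described above, as an added example that is not part of the original page and not AppKey's own server code. `RecoveryService`, the 15-minute code lifetime, the five-attempt budget, and the `alice@example.com` handle are assumptions for this illustration. The service stores only hashes of the codes, compares them in constant time, burns a pending restoration on expiry or after too many wrong guesses, refuses the handle-verification step until the provider-approved code has been accepted, and consumes the record on success so it cannot be replayed. Passing both steps is what should unlock a normal Passkey registration ceremony for the user; the ceremony itself and code delivery are outside the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed policy values for this example; tune them to the application.
CODE_TTL_SECONDS = 15 * 60  # each code is valid for 15 minutes
MAX_ATTEMPTS = 5            # wrong guesses before the pending restore is burned


def _digest(code: str) -> bytes:
    """Only a hash is stored, so a database leak does not expose live codes."""
    return hashlib.sha256(code.encode()).digest()


@dataclass
class PendingRestore:
    user_handle: str
    restore_hash: bytes                 # code issued after the provider's human approval
    expires_at: float
    attempts: int = 0
    restore_verified: bool = False
    handle_hash: Optional[bytes] = None  # second code, delivered to the email/phone handle
    handle_expires_at: float = 0.0


class RecoveryService:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.pending: dict[str, PendingRestore] = {}

    def approve_restore(self, user_handle: str) -> str:
        """Called only after a person at the application provider has vetted
        the request. Returns the code to hand to the user out of band."""
        code = f"{secrets.randbelow(10**8):08d}"
        self.pending[user_handle] = PendingRestore(
            user_handle, _digest(code), self.clock() + CODE_TTL_SECONDS)
        return code

    def _consume_attempt(self, p: PendingRestore, stored: bytes,
                         expires_at: float, code: str) -> bool:
        """One guess against a stored code. Burns the pending record on expiry
        or once the guess budget is exhausted, so short codes cannot be brute-forced."""
        p.attempts += 1
        expired = self.clock() > expires_at
        ok = (not expired) and hmac.compare_digest(stored, _digest(code))
        if expired or (not ok and p.attempts >= MAX_ATTEMPTS):
            self.pending.pop(p.user_handle, None)
        return ok

    def submit_restore_code(self, user_handle: str, code: str) -> bool:
        """Step one: the provider-issued restoration code."""
        p = self.pending.get(user_handle)
        if p is None or p.restore_verified:
            return False
        if not self._consume_attempt(p, p.restore_hash, p.expires_at, code):
            return False
        p.restore_verified = True
        p.attempts = 0  # fresh guess budget for the second code
        return True

    def send_handle_code(self, user_handle: str) -> Optional[str]:
        """Step two: re-verify ownership of the handle. Refused until step one
        has passed. Returns the code the app would deliver to the handle."""
        p = self.pending.get(user_handle)
        if p is None or not p.restore_verified:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        p.handle_hash = _digest(code)
        p.handle_expires_at = self.clock() + CODE_TTL_SECONDS
        return code

    def submit_handle_code(self, user_handle: str, code: str) -> bool:
        """On success the pending record is consumed (single use) and the
        caller may open a passkey registration ceremony for this user."""
        p = self.pending.get(user_handle)
        if p is None or not p.restore_verified or p.handle_hash is None:
            return False
        ok = self._consume_attempt(p, p.handle_hash, p.handle_expires_at, code)
        if ok:
            self.pending.pop(user_handle, None)
        return ok


def wrong_code(code: str) -> str:
    """A guaranteed-wrong code of the same length, for demonstrations."""
    return f"{(int(code) + 1) % 10 ** len(code):0{len(code)}d}"


if __name__ == "__main__":
    svc = RecoveryService()
    first = svc.approve_restore("alice@example.com")   # provider approved
    print("restore code accepted:", svc.submit_restore_code("alice@example.com", first))
    second = svc.send_handle_code("alice@example.com")  # delivered to the handle
    print("handle code accepted:", svc.submit_handle_code("alice@example.com", second))
```

The clock is injectable so the expiry path can be exercised without waiting; in production the pending records belong in a store shared by all server instances, and the approval call should be reachable only from the provider's support tooling, never from the public API.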
In conclusion, the best strategy for Passkey recovery is to encourage users to register backup Passkeys before their primary device (typically a mobile phone) is lost or stolen, whether on a tablet or desktop computer on the same keychain or on a device with a different one. As a rule, fully automated Passkey recovery should not be a feature. Where recovery is offered, the software restoration flow should be gated by a strong form of human validation.