SINGAPORE (Mar 2026) — For years, the tech world has hailed “passwordless” authentication as the silver bullet that would finally end account takeovers. By replacing clunky passwords with cryptographic keys tied to your physical devices, the promise was simple: if a hacker doesn’t have your phone, they can’t have your data. However, new research into how Google has built its passkey ecosystem suggests that this “clean” security image is actually a bit messy.
While FIDO-based passkeys are incredibly tough against traditional phishing, the way they are being implemented might be opening new doors for attackers. Shane Barney, Chief Information Security Officer at Keeper Security, warns that passwordless authentication is only as strong as the recovery systems holding it up.
The cloud-sync dilemma
The main issue lies in how Google manages your credentials. To make things easy for users, Google uses a cloud-based system to sync passkeys across different devices through the Google Password Manager. This is what allows you to sign in on a new tablet or recover your account if you lose your phone.
However, this convenience creates a “single point of failure.” If a hacker manages to compromise a user’s primary Google account or the underlying cloud infrastructure, a passkey that was supposed to be “device-bound” is suddenly exposed, because a copy of it lives in the cloud as well. In short, the “surrounding ecosystem”—the cloud services and recovery workflows—is becoming the new target for cybercriminals.
Living in a hybrid world
Despite the push for a passwordless future, most Filipinos aren’t there yet. Research from Keeper Security shows that about 40% of organizations still operate in a “hybrid” environment where passwords and passkeys live side-by-side. Because of this, phishing remains a massive threat, cited by 67% of businesses as a persistent headache.
“Authentication is not a single control, but part of a layered security model,” Barney explains. He notes that while passkeys are a huge step forward, they aren’t a standalone solution.
How to stay protected
For Pinoy users and businesses, the shift to passkeys should be handled with caution. Experts recommend a “Zero-Knowledge” framework, where sensitive data is encrypted on the user’s own device before it even hits the cloud, so the provider never holds the keys needed to read it.
For larger organizations, using Privileged Access Management (PAM) is becoming essential. This adds an extra layer of oversight, ensuring that even if one set of credentials is leaked, the most sensitive parts of the system remain locked down. Passkeys are definitely the future, but for now, you shouldn’t throw away your security best practices just yet.
