Passkeys are supposed to replace passwords and stop phishing attacks. But Google and Microsoft warn that passkeys alone are not enough if weaker recovery methods remain attached to accounts. “Each account is only as secure as its weakest credential,” Microsoft says, warning that passwords and SMS recovery options can become a new attack surface even after passkeys are deployed.

“Passkeys are an easier and safer way to access online accounts compared to passwords,” Google says, “and even traditional multi-factor methods.” But passkeys are not 100% safe on their own. In a new warning to its account holders, Google says “even when you normally use a passkey, it’s important to secure your account with two-step verification (2SV)." You need this in case “someone tries to impersonate you and claims to have lost your passkey."

If there is an automated recovery process that exploits weaker credentials to bypass a passkey, then that passkey is not 100% safe — it really is that simple. Attackers can target recovery flows and fallback credentials instead of passkeys.

This is an interesting twist — because much of the rhetoric is that a passkey alone is enough. But Microsoft flags account recovery as a new attack surface, as the surge in passkey use shuts down traditional attack methods.

“Deploying passkeys improves sign-in," Microsoft says. "But most accounts still have a password or SMS method attached 'just in case’ — and as long as those credentials exist, they’re an attack surface.”

The best recovery method is to use your account passkey on a different device to complete a recovery step. As a back-up, Microsoft says a process that pushes users to provide ID and a face scan is best. “As NIST recommends, high-assurance recovery requires government-issued ID and biometric verification.”

Microsoft’s advice is aimed at enterprise users — Google’s primarily at home users. That’s a major difference, but it doesn’t remove the threat. Gmail and other Google accounts are high-value to cyber attackers, and remain under attack.

Google tells users to add 2SV to “prevent hackers from accessing your account with an additional layer of security." But given an attacker can use Google’s account recovery process, pretending to be you and claiming a passkey has been lost, the form of 2SV becomes more critical than ever. There are two types you should use. Google Prompts and an Authenticator (which can be an app on your phone).

You should stop using SMS one-time codes . These are the weaker, traditional forms of MFA that Google and Microsoft dismiss in their passkey promotions. Authenticator apps are now easy to set up and use, and should replace SMS codes on all your key accounts. You then need to disable SMS codes completely.

Passkey adoption is surging. But as Microsoft warns, these protections are only effective if users “eliminate phishable credentials entirely.” Google’s warning that passkeys alone are not a 100% solution is timely — especially as attackers shift toward recovery flows and fallback authentication methods.