What If There’s a Passkey on My Lost Phone?

No problem.

Losing a device with a passkey isn't a disaster at all. I'll describe why that is.
Setting up or using a passkey.
(Image: DALL-E 3)
Question: Regarding passkeys, I have two concerns:

1. Suppose I lose my device with the only private key I have. How will I be able to restore my account on a new device?
2. When creating a passkey for an existing account, the old password could still be stolen from the server.

These are common questions as we all get our heads around what passkeys are and how they work.

Fortunately, both of your questions have fairly simple answers. More importantly, they’re secure answers.

TL;DR:

Losing your passkey?

Losing a device with a passkey isn’t a disaster. Each device has its own passkey. If you lose your phone, set up a new passkey on its replacement and disable the old one remotely. Two-factor authentication helps secure your account if you’re still using a password, but transitioning to passwordless is safer because there’s nothing to steal.

Passkeys

Passkeys use cryptography instead of passwords to authenticate your identity and allow you access to an account. Passkeys are more convenient and secure than traditional passwords. There’s nothing for you to remember and no password or other credentials for a hacker to steal.

I dive into passkeys in a little more detail in What Is a Passkey? If you’re not familiar with the concept, that might be a good place to start.

Initial setup

Before we talk about your lost phone, let’s talk about how you set up the passkey in the first place.

The first time you sign in to an account that supports a passkey, you have to use some other form of authentication. That form is usually less convenient: typically a code or link sent to you by email or text. Yes, it can even be your existing password, but I’ll talk about that more in a moment.

Once you’ve signed in successfully, you are asked if you want to set up a passkey for that device. Say yes, and you’ll never have to do anything more than unlock your phone or repeat the unlock sequence the next time you want to sign in. Your phone and your passkey are protected by your PIN, your fingerprint, or your face, depending on how you set up that device.

Important: Every device gets its own passkey. This means that by default, the passkey you set up for your phone won’t work on any other device¹. It’s only for that phone. If you want to sign in to a new device — say your desktop machine — you need to repeat the sequence above once, after which you can set up a passkey for that device.

“You” don’t have “a” single passkey. Every account you sign into has its own passkey, and every device has its own passkey for each account after you’ve set it up.

Losing your phone

Losing your phone has no effect on other devices. If you get a new phone, you repeat the initial setup sequence as above. If you set up passkeys on other devices, they continue to work on those other devices.

Remember that your phone is protected by your PIN, fingerprint, or face. To use any passkeys stored on the device, a thief would have to be able to provide or bypass those. Most hackers can’t or won’t be bothered.

However, there is a nifty feature of passkeys that I think is commonly overlooked.

Remember, each device has its own passkey for each account. If you lose the device, you can sign in to the account on another device and then disable the passkey for the device you lost. It’s the equivalent of saying, “You know that passkey I set up on my old phone? Disable it.”

That way, even if the thief somehow got past your phone unlock sequence (PIN, fingerprint, or face), the passkey(s) you’ve disabled remotely no longer work. (Your device doesn’t have to be stolen, by the way. You can disable a passkey on any specific device for any reason at any time.)

Speaking of disabling remotely, if you’ve truly lost your device, disabling the passkeys is good, but I’d consider a remote reset, wipe, or brick² option.

Passkey creation

When you set up a passkey the first time, you sign in some other way. As I described above, that way is usually less convenient and time-consuming, but you only have to do it once.

And, yes, if your account has a password, then it might be a traditional password-based login. Of course, if you’re also protected by two-factor authentication, just knowing the password won’t be enough, but the questioner’s point is well taken. Simply adding passkeys to your account makes it more convenient for you but doesn’t address all concerns. Like that password.

So get rid of the passwords.

Now there’s nothing for hackers to steal.

My Microsoft account, for example, has no password. The first time I sign in on a new device, I’m prompted to confirm on the already-authorized Microsoft Authenticator app on my phone. After that, the passkey is set up, and signing in is, once again, just a matter of my fingerprint or PIN on that device.

These days, most accounts still have passwords. I expect we’ll slowly see passwordless offered as an option more and more, and new services may well enroll users without ever using a password at all.

Do this

There’s no rush. It’ll take some time before passkeys reach critical mass. But now is a great time to learn what they are and how they keep you safer.

I’m sure I’ll be talking about them more in the future.


Footnotes & References

1: Password vaults that save passkeys are an exception to this. If you save a passkey to your vault, it can be used anywhere. It is, of course, protected by your vault’s authentication.

2: Reset: restore to factory settings. Wipe: erase everything on the device. Brick: disable the device so it can never be used again.

9 comments on “What If There’s a Passkey on My Lost Phone?”

  1. It’s cool that you can disable the passkey for a specific device, but how do you know what passkeys are on the device? Do you need to access accounts one by one to see if there is a passcode that should be disabled?

    Reply
  2. All good and well, but let’s say you are going passwordless, and then lose the ONLY device (phone as an example) that has your passkey? You no longer have a password – possibly not even in combo with 2FA – to get into said account.

    Understand this is likely different from service to service, but something that at least needs to be addressed/explained [better].

    That said, Happy Fourth!

    Reply
    • You normally set up recovery information such as alternate email addresses and/or phone numbers when you set up an account.
      Go to the account recovery page for that account and follow the instructions.

      Reply
  3. Hi. So, if you upgrade your phone to a newer one, you’d then have to create all new passkeys on all the websites/apps again. Then you’d have to go into each account and remove the previous device from their list? That’s a lotta work. I think I’ll stay with a password manager until things are more ironed out.

    Reply
    • Incorrect. Passkeys are unique for each device. (Each device/account pair, for that matter.) So if you get a new device, then yes, you’ll set up passkeys again on that new device.

      EXCEPT: if your password manager supports passkeys. Then it’ll be as if nothing happened. The passkeys in the vault are device independent. 1Password does this and I love it.

      Reply
  4. Currently using Roboform to manage and create my passwords. One of the motivators, for me, to use a password manager is that I can give my wife the credentials to get into Roboform, and that will allow her access to all of my on-line accounts in the event of my death.
    How will this work in a passwordless environment?

    Reply
  5. Make sure your wife knows how to log in on all of your devices (with your PIN and/or her fingerprint/face). Also, you can set up passkey login to your cloud backup account, email account and any other important accounts on all of her devices.

    Reply
