Recent research suggests passwordless authentication linked to cloud synchronization and hybrid identity environments could expand attack surfaces across devices.
Recent research by a global cybersecurity firm has surfaced concerns that Google’s passkey system — intended to replace traditional passwords with cryptographic credentials — may introduce new vulnerabilities tied to its cloud-based synchronization model.
Passkeys, built on the FIDO2/WebAuthn standards, are designed to protect users from phishing: each credential is a public-key pair bound to the site it was registered for, and the authenticator signs a fresh server challenge instead of sending a reusable secret, so a look-alike site cannot capture anything that works on the real one. However, researchers say Google’s implementation adds complexity by including a cloud component that manages synchronized passkeys across multiple devices via the Google Password Manager.
This architecture enables conveniences such as cross-device login, account recovery, and device onboarding, but researchers are cautioning that these same features expand the potential attack surface:
- If an attacker compromises the underlying cloud infrastructure or gains access to a user’s synced account, they could exploit recovery or enrollment workflows to gain unauthorized access.
- While FIDO-based passkeys remain substantially more resistant to phishing and replay attacks than legacy passwords, no passwordless system is immune to exploitation. The security of such
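The phishing and replay resistance referred to above comes from checks the relying party performs on every assertion. The following Go program is an added example written for this article, not code from Google or the researchers: it simulates an authenticator answering a login challenge and a relying party verifying the result. The `sign` function stands in for the browser-plus-authenticator side (the browser, not the page, fills in the origin), and the rpID, origins and challenge values are constructed for the demonstration. It shows a legitimate assertion verifying, the same credential's assertion from a look-alike origin being rejected, and a captured assertion failing when replayed against a new challenge.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the CollectedClientData structure the browser produces and the authenticator signs over.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url without padding
	Origin    string `json:"origin"`
}

// assertion is what the relying party receives back from navigator.credentials.get().
type assertion struct {
	AuthenticatorData []byte
	ClientDataJSON    []byte
	Signature         []byte
}

// makeAuthData builds minimal authenticator data: sha256(rpID) (32 bytes) || flags (1) || signCount (4).
func makeAuthData(rpID string, flags byte, count uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	out := append([]byte{}, h[:]...)
	out = append(out, flags)
	return append(out, byte(count>>24), byte(count>>16), byte(count>>8), byte(count))
}

// sign simulates the browser and authenticator (constructed for this example) answering a get()
// from a page at origin. The origin comes from the browser, so a phishing page cannot forge it.
func sign(priv *ecdsa.PrivateKey, rpID, origin string, challenge []byte) (assertion, error) {
	cd, err := json.Marshal(clientData{
		Type:      "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge),
		Origin:    origin,
	})
	if err != nil {
		return assertion{}, err
	}
	authData := makeAuthData(rpID, 0x01, 1) // 0x01 = user presence (UP) flag
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, msg[:])
	return assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}, err
}

// verify is the relying-party side: every check here is what makes the credential origin-bound
// and single-use, independent of whether the private key lives on one device or in a synced vault.
func verify(pub *ecdsa.PublicKey, rpID, expectedOrigin string, challenge []byte, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not the expected origin", cd.Origin)
	}
	if len(a.AuthenticatorData) < 37 {
		return errors.New("authenticator data too short")
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(a.AuthenticatorData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if a.AuthenticatorData[32]&0x01 == 0 {
		return errors.New("user presence flag not set")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, msg[:], a.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Demo returns whether the legitimate login verified, the look-alike-origin login was rejected,
// and the replayed login was rejected.
func Demo() (legitOK, phishRejected, replayRejected bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const rpID, origin = "example.com", "https://example.com" // hypothetical relying party
	challenge := make([]byte, 32)
	rand.Read(challenge)
	good, _ := sign(priv, rpID, origin, challenge)
	phish, _ := sign(priv, rpID, "https://examp1e.com", challenge) // look-alike domain
	legitOK = verify(&priv.PublicKey, rpID, origin, challenge, good) == nil
	phishRejected = verify(&priv.PublicKey, rpID, origin, challenge, phish) != nil
	fresh := make([]byte, 32)
	rand.Read(fresh)
	replayRejected = verify(&priv.PublicKey, rpID, origin, fresh, good) != nil
	return
}

func main() {
	fmt.Println(Demo()) // true true true
}
```

Note what this does and does not cover: the origin and challenge checks are why a stolen login response is useless elsewhere, but none of them say anything about where the private key is stored. A synced passkey that an attacker extracts from a compromised vault or enrolls onto their own device through a recovery flow produces assertions that pass every check above, which is exactly the gap the researchers point at.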
In many corporate environments, passwordless authentication still coexists with conventional credentials, creating what researchers describe as “hybrid identity ecosystems.”
According to research by Keeper Security, roughly four in 10 organizations in its user base operate in such environments, and two-thirds of respondents continue to name phishing as a primary security concern despite increased adoption of passwordless tools.
The firm’s researchers argue that this reality underscores the need for a layered defense model. Security teams are advised to enforce least-privilege access, ensure rigorous device verification, and harden recovery mechanisms. According to its Chief Information Security Officer, Shane Barney: “Passwordless authentication represents a meaningful step forward, but the surrounding ecosystem, with its cloud services, device trust models and recovery mechanisms, is where attackers will continue to focus,” and passkeys should be treated as just one component of a broader identity security strategy, rather than a standalone solution.