February 27, 2026
Passkey Panic: Please Remember Forever?
Please, please, please stop using passkeys for encrypting user data
Internet freaks out: one tap could erase your photos, docs, even crypto
TLDR: A security expert warns that tying encryption to passkeys means deleting one could lock you out of backups forever. Commenters clash: some say this risk exists with any encryption, others find passkeys confusing, and many demand clearer warnings and solid recovery plans to protect memories and money.
A security pro posted a plea: stop using passkeys to lock up your most precious stuff. Passkeys are those password replacements that let you sign in with your device. The drama? Some apps are using a PRF (a “pseudo-random function,” basically a secret key generator) from passkeys to encrypt backups, files, and even crypto wallets. If you delete that passkey later, you could lose access to everything. Cue the community meltdown. One camp fired back with “passwords can do this too!”—halapro argues the warning screens look the same and asks if we’re banning generated passwords now. Another camp is spooked: “this is why I haven’t started using passkeys,” said SoftTalker, who found the whole setup confusing, plus threw in a spicy pronoun nitpick for extra Reddit energy. Then the cynics arrived: dchest shrugged, saying this reads like “don’t encrypt,” because people will always lose keys and email support asking to reset the unresettable. Meanwhile, a builder vibe popped up as dansjots shared a minimalist tool that lets you encrypt individual files with passkeys on purpose, with a link. The practical take: wmf says you need a recovery plan that plays nice with encryption. The meme of the day? PRF = Please Remember Forever, or goodbye, memories.
Key Points
- The article warns against using passkeys with the WebAuthn PRF extension to encrypt user data due to high risk of irreversible data loss if the passkey is deleted.
- Common promoted uses include encrypted backups, end-to-end encryption, file encryption, crypto wallets, credential manager unlocking, and local account sign-in.
- A user scenario illustrates how deleting a passkey later prevents restoring encrypted backups, because the encryption key derived via PRF is lost.
- PRF has legitimate, safer uses for unlocking credential managers, which typically provide robust recovery mechanisms.
- Calls to action: stop promoting passkeys for encrypting user data; add deletion warnings in credential managers; and provide clear documentation and upfront warnings if PRF is used beyond authentication.