Skip to content
Tech

Why does losing my phone mean choosing between lockout and SMS fallback?

81

Opportunity

Passkeys eliminate passwords but introduce a fragility the FIDO2 spec does not solve: account recovery. If you lose your only enrolled device and have not pre-configured vendor-specific sync, you are locked out or forced back to SMS OTP, which re-opens the SIM-swap attacks passkeys were supposed to close. Apple, Google, and Microsoft each built incompatible sync silos, so moving from iOS to Android means re-enrolling at every service by hand. The WebAuthn spec defines how to create and use credentials but explicitly defers recovery to each platform. No vendor-neutral, cryptographically sound recovery primitive exists that preserves the original threat model.

Why it matters

Recovery is the weakest link in the passwordless stack, and solving it is the last mile that makes passkeys a viable replacement for passwords at scale.

How I score the opportunity

The Opportunity Score is my own read, not a measurement: how much it hurts, how often it bites, and how little exists to solve it today. Higher means I think it is more worth building.

Severity8/10

How much pain it causes when it shows up.

Frequency7/10

How often people actually run into it.

Whitespace8/10

How little good tooling exists for it today.

More problems worth solving