Why does losing my phone mean choosing between lockout and SMS fallback?
κΈ°ν
Passkeys eliminate passwords but introduce a fragility the FIDO2 spec does not solve: account recovery. If you lose your only enrolled device and have not pre-configured vendor-specific sync, you are locked out or forced back to SMS OTP, which re-opens the SIM-swap attacks passkeys were supposed to close. Apple, Google, and Microsoft each built incompatible sync silos, so moving from iOS to Android means re-enrolling at every service by hand. The WebAuthn spec defines how to create and use credentials but explicitly defers recovery to each platform. No vendor-neutral, cryptographically sound recovery primitive exists that preserves the original threat model.
μ μ€μνκ°
Recovery is the weakest link in the passwordless stack, and solving it is the last mile that makes passkeys a viable replacement for passwords at scale.
κΈ°ν νκ° λ°©μ
κΈ°ν μ μλ μΈ‘μ κ°μ΄ μλ μ μ£Όκ΄μ νκ°μ λλ€. μΌλ§λ λΆνΈνμ§, μΌλ§λ μμ£Ό λ°μνλμ§, νμ¬ ν΄κ²°μ± μ΄ μΌλ§λ λΆμ‘±νμ§λ₯Ό λ°μν©λλ€. μ μκ° λμμλ‘ λ§λ€ κ°μΉκ° λ λλ€κ³ μκ°ν©λλ€.
λ°μνμ λ μΌλ§λ ν° λΆνΈμ μ΄λνλμ§.
μ€μ λ‘ μΌλ§λ μμ£Ό μ νκ² λλμ§.
νμ¬ μ΄λ₯Ό ν΄κ²°ν λ§ν λκ΅¬κ° μΌλ§λ λΆμ‘±νμ§.
ν΄κ²°ν κ°μΉ μλ λ λ§μ λ¬Έμ λ€
μ°λ¦¬κ° κ°μ₯ λ§μ΄ μμ‘΄νλ μννΈμ¨μ΄κ° μ κ°μ₯ μ¬μ©νκΈ° λΆνΈν κΉ?
Techλ΄κ° μμ±ν λ°μ΄ν°λ₯Ό μ λλ μ ν μμ νμ§ λͺ»ν κΉμ?
Techλ΄ λ°μ΄ν°κ° μ€μ λ‘ μμ λμμμ μ¦λͺ νλ μμμ¦μ μ λ°μ μ μλκ°?
Techμ€ν μ€μΈ κ²μ΄ SBOMμ μ μΈλ λ΄μ©κ³Ό μΌμΉνλμ§ μ μ μλ μ΄μ λ 무μμΈκ°?
TechC2PA μΆμ² 체μΈμ μ μ½ν μΈ κ° μμ λ―Έλμ΄μ μ¬λΌκ°λ μκ° λμ΄μ§λκ°?
TechWhy can a regulator only catch a deceptive consent screen by reading it manually?