Blog Post
I’ve started using passkeys and, to be honest, the current experience is pretty disappointing.
The passkey login itself works well, but I’m still being asked to enter a 6-digit email verification code at least once every 24 hours, and often multiple times per day. What makes this particularly frustrating is that this is happening on the exact same device, on the same PC, using the same browser, on the same network with a static IP. Nothing is changing, yet I’m being repeatedly challenged as if I’m logging in from a new or unknown environment every time.
I understand that MFA is mandatory due to ATO requirements, and that there are limits around how long a device can be trusted (for example the 24-hour restriction). That makes sense from a security perspective. However, what I’m experiencing seems to go beyond that.
Being prompted multiple times per day on the same device doesn’t feel like a compliance requirement, it feels like overly aggressive session handling or a lack of proper device trust. At the moment, there’s no observable benefit to using passkeys, as they haven’t reduced any of the friction in the login process.
The whole point of passkeys is that they provide a strong, phishing-resistant, multi-factor authentication method on their own. If they’re going to sit alongside existing 2FA requirements, then I would expect them to at least reduce how often additional verification is required, particularly on recognised devices.
Right now, it feels like I’ve adopted a newer, more secure authentication method, but I’m still being treated as an untrusted user every time I log in, even from a completely unchanged environment. That’s where the frustration comes from.
It would be really helpful to understand what specifically is triggering these repeated verification prompts, why the same device and environment isn’t being trusted within the expected window, and whether there are plans to improve this so passkeys actually reduce friction rather than just adding another layer on top.
At the moment, passkeys feel like an additional step rather than an improvement.
Hey Lavinia9
Thanks for taking the time to share your feedback. It doesn't sound like its an issue with passkeys itself but definitely something we will need to troubleshoot further for a fix. I've reached out to you in a private message here, when you get the chance can you please confirm your file details and I'll organise for someone in the customer team to reach out!