In our increasingly digital world, safeguarding your personal information is paramount. One of the newest ways to protect online accounts is through using passkeys.
Passkeys are like digital fingerprints or credentials presented to websites that support them, effectively replacing old traditional passwords and login methods.
Let’s explore the importance of passkeys, what they can do to protect your accounts and how they may just be the future of authentication.
Passkeys are like a digital lock that requires a digital key (sounds like a password, right?), but the catch is that this digital key lives on your device. This means there is no password to remember, thus there is no opportunity for a password to become compromised and used by an attacker.
Along with passwords, since the device holds the key, the need for multi-factor authentication (MFA) could also go away.
Let’s say you set up a passkey on your Google account, and you accidentally clicked on a phishing link. It takes you to a fake Google login page asking for your password. Since you can’t provide a password, as the key is stored on your phone, there is nothing for you to enter—shutting down the attempted attack.
But what if your mobile device is lost or stolen? Currently, when passkeys are presented, it means the authentication method is “something you have” (a device). But for an extra layer of security, you can add a fingerprint or facial recognition option to validate the “something you are” method. This would prevent an attacker from picking up your device and having access to everything in your digital world.
I should note, passwords aren’t going away for now, but in the future, passwords could effectively go the way of the dodo.
Who Supports Them?
At the writing of this blog post, passkeys are a very recent technology and I’m sure they will evolve to become more secure in time. Presently, the use of passkeys is limited; Google, Apple and Microsoft currently have and support passkeys, but going forward, we expect to see wide adoption to include banks, shopping sites, major email providers and more.
With Google and Apple supporting passkeys, you can save your passkey in your iCloud Keychain or Google Authentication applications. Currently, the only third-party authentication providers that offer support for securely storing your passkey are Dashlane, Duo and 1Password.
Because Google, Apple and Microsoft have their own respective browsers (Safari, Edge, and Chrome), if you did lose your mobile device, those passwords are synchronized across those platforms, so you still have them. Since this technology is still in its infancy, only newer Android and IOS devices can support passkeys. It’s been reported that Facebook, Dropbox, Best Buy and Kayak will have support for passkeys in the near future, and other sites are sure to follow.
A Brief History Lesson on Passwords
According to Fast Identity Online (FIDO), 80% of compromises came from leaked or stolen passwords. 51% of individuals share passwords with colleagues to access business accounts and services. On average, the typical person reuses the same password 15 times, and 23.2 million user accounts were hacked because they used the password “123456”.
59% of organizations do not require a password manager to keep and store passwords. 37% of Americans have enabled multi-factor as of 2020.
Because passkeys are on a device synchronized to the provider’s cloud and encrypted, there is not a whole lot to see or share. But in the case where you need to share logins, some companies, like Apple, are developing support to add a second passkey for another user to access your delegated account.
Website and Server Breaches
You may be thinking, what if a site where I use a passkey is breached? Because these keys are generated using asymmetric key cryptography, a breach would not expose any personal information that someone could use to impersonate you. Even if the key was extracted from the breached cloud device, it would still need the device itself and, if configured, your biometrics.
How Easy Is Setup?
Each company is going to be a little different, but I’ll tell you how my personal experience with Google went (since I use an Android device).
On my phone, which was signed in with my personal Gmail account, I went to my profile, hit security, tapped on “Passkey” and it asked me for my biometric confirmation. Then, it was on. That’s it!
Anytime I need to access something via my Google account, it will now use my passkey. Now that a linked device is set up, adding new sites and services to my Google passkey will be as easy as a tap.
Passkeys are the new digital “keys” to our personal information and online identities. By understanding the importance of passkeys, adopting their creation and employing effective management strategies, we all can significantly enhance our online security. Stay secure, stay vigilant and keep those passkeys rolling!
Our Technology Solutions Group includes a team of cyber security experts. We’re happy to meet with you for a cyber security risk assessment of your organization’s IT infrastructure. Or, you can contact us online or call 410.685.5512 with any questions.