I’m sick of passwords. They’re somehow both easily guessable and hard to remember, and keeping them out of criminals' hands is tough. In recent years, the Fast Identity Online (FIDO) Alliance developed passwordless authentication technology standards. Last year, Apple announced the availability of a new security feature called a passkey for iOS 16 users. Meanwhile, Google is developing a passwordless authentication solution for Android.
It's time for more apps and websites to protect customers by adopting passwordless technology such as passkeys. Passkeys cannot be guessed or shared between users. They are resistant to phishing attempts because they're all unique to the sites they're created for, so they won't work on fraudulent lookalike sites. Most importantly, in the age of near-constant data breaches, your private keys cannot be stolen by hacking into a company's server or database.
We all want to be safer online. Read on to learn why you should try passwordless authentication as soon as possible.
Why Do You Need Passwordless Authentication?
The widespread adoption of passwordless authentication couldn't come at a more critical time. Researchers at Digital Shadows recently reported that, as of 2022, more than 24 billion login credentials had been exposed by data breaches. That number is up 65% since 2020, and researchers believe malware attacks, social engineering scams, and password sharing are to blame for the increase.
The report concludes that widespread passwordless authentication adoption is necessary to keep criminals from taking over accounts using stolen username and password combinations. Until passwordless authentication is accepted everywhere online, account takeovers and identity theft incidents resulting from data breaches can be mitigated with multi-factor authentication and using a password manager to create and store new credentials for every login.
What Is a Passkey?
A passkey is a passwordless way to log in to apps and websites. A passkey is another name for a pair of cryptographic keys generated by your authenticated device: a public key and a private key that together make up the passkey.
Your target app or website stores only your public key. The private key is stored only on your device; after your device authenticates your identity, it uses the private key to prove to the site that it matches the stored public key, and that proof grants you access to your account. PCMag’s Lance Whitney wrote a guide for setting up and using passkeys.
The device or software generating the passkeys usually uses a biometric authentication tool, such as Face ID or Touch ID, to authenticate your identity. If a password manager is the passkey source, you can log in to the app using a strong master password instead of biometric authentication. Passkeys are unique to each app or website and are stored in a password manager's vault or your device's keychain. Passkeys can sync across devices, making them a convenient choice.
Where Can You Use Passwordless Authentication?
Using passkeys, you can log into a few sites, including Best Buy, eBay, Google, Kayak, and PayPal. Several password managers, including Editors' Choice winners Bitwarden and Dashlane, offer their customers passwordless access to web vaults via biometric authentication. Other password management companies, such as NordPass, announced recently that they are developing ways to store passkeys in customer vaults.
Swift passkey adoption by major apps and websites is encouraging, but it may take time for widespread passwordless adoption. Many smaller sites don't even offer support for multi-factor authentication yet, so we may have to wait a while for the newest FIDO security standards to kill the password effectively.
In the meantime, use passkeys where you can, and ensure you have multi-factor authentication enabled on any accounts supporting it. You should also keep using a password manager to create and store your credentials until you don't need them anymore.
What Else Is Happening in the Security World This Week?
Almost All Coinbase Users Rely on SMS-Based 2FA, Account Takeover Stats Reveal. Coinbase requires all accounts to be secured via two-factor authentication; by default, those codes come in via SMS. That method, however, is vulnerable to SIM-swapping attacks.
PayPal: 35,000 Users Had Social Security, Tax Info Exposed to Hackers. The hackers accessed the information by successfully guessing the passwords of the affected users through a "credential stuffing" attack.
Hacker Found FBI No Fly List on Unsecured Server. The hacker found the data, which allegedly contained hundreds of thousands of names and birth dates, after regional airline CommuteAir left it on an open server.
Good News, Bad News for Security Researchers: Feds Are Less Likely to Charge You, States Are Another Thing. At the ShmooCon hacker conference, infosec attorney Harley Geiger warns that some state laws continue to threaten legitimate research—as does a recent Chinese regulation.
In the 'Permacrisis' Era, People Are Getting Lazy With Workplace Security. Forty-five percent of those who claim they’re experiencing "permacrisis" distraction say they don’t bother with all of their workplace security rules, a survey from 1Password finds.