Death of the password?
3rd September 2024
In my last article, I discussed the importance of using strong passphrases and securing your accounts with Multi-Factor Authentication (MFA). These measures are vital today because passwords, an outdated concept, have major weaknesses.
Passwords have been in use for thousands of years, with the first computer password introduced in 1961. Many attempts have been made to replace passwords, but they’ve never caught on.
Enter the Passkey. The technology behind passkeys began with the FIDO standard in 2014. FIDO keys are USB devices used for MFA, requiring something you know (a password) and something you have (the FIDO key). These were great for MFA but didn't replace passwords and weren’t as popular as smartphone apps. FIDO2, released in 2018, expanded FIDO's capabilities.
FIDO2 can now be used on a PC or smartphone without specific hardware like a USB key and can authenticate logins on other devices. In 2021, the term Passkey was introduced to encompass FIDO2 and related technologies, making it easier to understand.
How does it work?
Many online services now support passkeys, which can be created in the account settings. Passkeys are supported on both Android and iOS, and third-party providers allow access across devices. If your device supports passkeys, you can save the passkey and move on; in some cases, you will instead be asked to scan a QR code with your phone.
Next time you log in, select the passkey option. Your phone will ask for a fingerprint, facial scan, or PIN. Once verified, you’re in. No password to remember, no codes to type in – it’s easier and more secure. Passkeys are multi-factor by default: the device is something you have, your fingerprint or facial scan is something you are, and your PIN is something you know. Unlike traditional MFA, passkeys are phishing-resistant.
Phishing is when a hacker tries to trick you into giving away sensitive information. Many people believe MFA is phishing-resistant, and while it makes the hacker's job harder, it is still possible. For instance, a hacker might call pretending to be ‘support’ from a website you use and ask you to press ‘accept’ on a security message on your phone. This isn’t possible with passkeys because they require proximity to the device you are logging into. A remote hacker cannot authenticate without being near the device with the passkey.
Another advantage of passkeys is that nothing is stored on a website for a hacker to steal. We regularly hear about data breaches and passwords being sold on the dark web. With a passkey, each account has a unique key. The sensitive “private key” is stored on your device, while the website holds the “public key” that matches it but is useless on its own.
There are downsides to passkeys, mainly due to their newness. Google, Apple, and Microsoft all support passkeys, but they don’t yet work seamlessly together. Many third-party identity providers don’t fully support them or are still in beta testing. Not all websites support passkeys yet, and those that do often require a password to create an account first.
It’s early days, but passkeys are likely to become the norm soon. Until then, Connexis can help protect your accounts with strong passwords and MFA. Call 01952 528000 or email Sales@Connexis.co.uk