Should You Switch from Passwords to Passkeys?

Woman's hand holding smartphone creating passkey

It seems like every time I go to enter my password these days, I get a prompt asking me if I want to switch to a Passkey. It’s simple, they say. So much better, they say. Being the suspicious sort, my gut reaction is always, “nice try big brother, but nope.” But am I just being a Dodo, sticking my head in the sand? Are passkeys really so much better, stronger, safer?

As PCMag reports, the answer is a resounding YES. Apparently, in the not-so-distant future, passkeys have a real chance to replace passwords entirely with something more secure that is tied to your specific devices. With time, this may make the traditional email-address-and-password combination obsolete.

What Is a Passkey?

A passkey is a pair of keys, a public key and a private key, that together unlock your account. Here’s how it works: the app or website stores your unique public key. Your private key is stored on your device, in your password manager, or, if you’re an Apple user, in your iCloud keychain. After your device (or iCloud) authenticates your identity, your device uses the private key to prove to the site that it holds the match to the stored public key, and the site grants you access to your account.

The Fast Identity Online (FIDO) Alliance developed passkeys several years ago, and many companies are already implementing them. For example, Microsoft removed password support from its authenticator app in August but left passkey support in place, and Amazon regularly prompts users to create a passkey if they haven’t already.

The Numerous Benefits of Passkeys

Passkeys offer numerous benefits. For example, they cannot be guessed or shared. Also, passkeys resist some phishing attempts because they’re unique to the sites they’re created for, so they won’t work on fraudulent lookalikes. Most importantly, in the age of near-constant data breaches, your passkeys cannot be stolen by hacking into a company’s server or database, making the stolen data far less valuable to criminals.

Are Passkeys Really More Secure Than Passwords?

Allowing users to log in using a passkey isn’t the only update website owners need to make to secure their sites. Trevor Hilligoss, security researcher and vice president of SpyCloud Labs at SpyCloud, tells PCMag that widespread passkey adoption is “fantastic,” but website owners must also fix other security holes, because criminals can easily get around a passkey by stealing users’ validated browser cookies using malware.

“You can use a passkey, you can use a password manager, you can use ‘yourdog’sname2023,’ whatever. It doesn’t really matter because authentication has already happened by using that cookie,” Hilligoss says. “Criminals are emulating an already authenticated session. So from the perspective of the website, it just sees that it’s a valid cookie.”

Beware of Cookie Hijacking

Hilligoss says that once a website, like your email service, validates the cookie, the criminal doesn’t need to log in using your credentials or otherwise prove their identity. The validated cookie, which persists in a person’s browser until it expires (anywhere from seconds to years later), allows criminals to enter your accounts undetected and steal your data or money.

The onus is on website owners to find a solution for cookie hijacking. Hilligoss tells me that the rest of us can protect ourselves from the cookie hijacking threat by using passkeys or strong and unique passwords wherever we can. He adds that some websites allow users to choose when their session tokens expire.

You know the data privacy pop-up screens? Don’t immediately tap “Accept.” Instead, navigate to the “Cookies” or “User Data” sections and choose the shortest available session duration. That way, your cookies will expire automatically or whenever you close your browser window.


Photo Credit: Linaimages / Shutterstock.com