Busting the Passkey Myths

Passkeys are replacing mere passwords at a rapid pace, and that may be scary for some people. Passkeys are inherently more secure than passwords. For the most part, they are extremely difficult (we won’t say impossible) to crack, and that’s why you should get more comfortable with using them.

Tech leaders such as Microsoft, Google, and Apple are among those leading the passkey charge because there are nearly 7 million combinations of usernames and passwords on the dark web. When your passwords end up on the dark web, cybercriminals can use them to get into your accounts and steal your private data. That’s why passkey-based authentication is becoming a fast-growing trend. The main benefits of passkeys are that they can’t be stolen the way passwords can, and there’s nothing for you to remember.

Still, myths persist, and Dashlane, the password manager app that we prefer, has its own magnificent seven myths it wants to bust.

  1. If you lose your phone, you can’t access your passkeys. If you have a password manager, your passkeys should sync across all devices – unless you “cheaped out” on a freebie. If you only use a mobile device for your passkeys, make sure you store them in your phone’s password app. That will enable you to move them to your new device.
  2. Only Google and Apple currently sync passkeys. Third-party passkey providers like Dashlane use their own cloud infrastructure for syncing, similar to Google and Apple. Microsoft has announced that synced passkeys will be coming to Windows 11 and associated with Microsoft accounts. Google recently indicated that synced passkeys in Google Password Manager will soon be available on both macOS and Windows.
  3. Passkeys send your biometric information over the internet. All verification methods operate solely on your device. No biometric information is sent to the website, only confirmation that verification was successful.
  4. You can change your password but not a passkey. Passkeys can be changed simply by deleting them from the website they’re set up with and re-enrolling a new one. This is because every new passkey is unique, even when multiple passkeys are set up for the same website.
  5. PIN codes are not as secure as passwords. Once a device PIN code is set up, it can only be used on a particular device. That’s a security feature not available with a password.
  6. Using a password manager for your passwords is better than using passkeys. While password managers help, they can’t completely prevent phishing. Passkeys, by contrast, are phishing-resistant by design. Additionally, almost all leading password managers now store passkeys alongside passwords, so you get secure password storage and the added protection of passkeys.
  7. Passkeys are a way for vendors to lock users into their platforms. The FIDO Alliance has published new standards that will allow password managers to safely and easily export passwords and passkeys.
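To make myths 3, 4 and 6 concrete, here is an added example (not code from the article or from Dashlane) of the passkey idea in miniature: the device keeps a private key and does the biometric or PIN check locally, the website keeps only a public key and a fresh random challenge, and the only thing that crosses the network is a signature. It is a simplified model, not the real WebAuthn message format; the site name, the userVerified flag and the function names are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Passkey is the device-side half: a private key bound to one site that never leaves the device.
type Passkey struct {
	Site string
	priv ed25519.PrivateKey
}

// NewPasskey makes a fresh key pair; re-enrolling for the same site yields a different key (myth 4).
func NewPasskey(site string) (*Passkey, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Passkey{Site: site, priv: priv}, pub
}

// Sign is the device's reply. userVerified stands in for the local biometric or PIN check; the site
// receives only the signed challenge, never the biometric (myth 3). A look-alike site gets nothing (myth 6).
func (p *Passkey) Sign(site string, challenge []byte, userVerified bool) ([]byte, error) {
	if !userVerified || site != p.Site {
		return nil, errors.New("local verification failed or passkey is bound to another site")
	}
	return ed25519.Sign(p.priv, challenge), nil
}

// Challenge returns fresh random bytes for one login so a captured signature cannot be replayed.
func Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify is the website's side: only public keys are stored, and the login passes if any enrolled key signed this exact challenge.
func Verify(enrolled []ed25519.PublicKey, challenge, sig []byte) bool {
	for _, pub := range enrolled {
		if ed25519.Verify(pub, challenge, sig) {
			return true
		}
	}
	return false
}
```

Nothing in the exchange contains a fingerprint, a face scan or a PIN; a copy of the website's public keys lets an attacker log in to nothing.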

The myths point to a certain intimidation factor about using passkeys. Our advice is don’t be intimidated. We can help you set up an authentication app, such as Microsoft Authenticator, and other methods, such as biometrics and PIN codes. Call us – 973-433-6676 – or email us to talk about what’s best for you and your organization.

Two-Factor Authentication

Two-factor authentication is another security layer for remote access to websites and networks. With more and more web-based applications requiring more complex passwords, needing to enter some other information may seem like a royal pain. But it provides the protection you need to enhance your data safety.

Two-factor authentication is just what it says. It’s a second password, a reference to a graphic symbol or an answer to a question. While nothing is 100% foolproof, it’s a step to help the system you’re using verify you are you. And for now, it offers protection against hackers when you bank or purchase goods online or use a VPN (virtual private network) to access your work computer or corporate systems and data files over the Internet.

Getting up and running with two-factor authentication for business and personal applications is quick and easy.

Many businesses are using mobile phones as the second part of two-factor authentication. To use a VPN login as one example: from your laptop or tablet, you enter the normal username and password. Once the network identifies you, it sends a numeric code to a designated telephone number, which for most of us is a mobile phone. You then have 60 seconds to enter the numeric code on the computer or tablet you are using.
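The server side of that 60-second code, as an added example that is not part of the newsletter: the code is random rather than derived from anything the user knows, it expires after the 60-second window described above, it works once, wrong guesses are capped so a 6-digit code cannot simply be brute-forced, and the comparison is constant-time. The struct and function names are assumptions of this example; delivery to the phone is left to whatever SMS gateway the business uses.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SecondFactor is one pending code, issued after the password step and delivered out of band.
type SecondFactor struct {
	User     string
	Code     string // what the server hands to the SMS gateway; exported only so a demo can "receive" it
	expires  time.Time
	attempts int
	used     bool
}

const codeLifetime = 60 * time.Second // the 60-second entry window from the text
const maxAttempts = 3                 // a 6-digit code resists guessing only if tries are capped

// Issue creates a random 6-digit code whose 60-second window starts now.
func Issue(user string, now time.Time) (*SecondFactor, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1_000_000))
	if err != nil {
		return nil, err
	}
	return &SecondFactor{User: user, Code: fmt.Sprintf("%06d", n.Int64()), expires: now.Add(codeLifetime)}, nil
}

// Check validates a submitted code: single use, within the window, capped attempts, and a
// constant-time comparison so response timing does not reveal how many digits matched.
func (f *SecondFactor) Check(submitted string, now time.Time) error {
	switch {
	case f.used:
		return errors.New("code already used")
	case now.After(f.expires):
		return errors.New("code expired")
	case f.attempts >= maxAttempts:
		return errors.New("too many attempts; request a new code")
	}
	f.attempts++
	if subtle.ConstantTimeCompare([]byte(submitted), []byte(f.Code)) != 1 {
		return errors.New("wrong code")
	}
	f.used = true
	return nil
}
```

Passing the clock in as a parameter is what makes the expiry testable without waiting a minute.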

For personal Internet applications, such as Facebook, LinkedIn and Twitter, you can go to “settings” to strengthen your security.

In Facebook, for example, you can go to settings and click the Security folder on the top left of your screen. You’ll have nine settings you can adjust. Some of them are two-factor authentication steps. You can also deactivate your account. Going down the left side of the screen, you can edit your privacy preferences and even block or restrict email addresses and invitations for apps.

In LinkedIn, you can access your settings from your picture in the upper right corner and use the drop-down menu to change your privacy and other settings. Twitter’s settings allow you to require that a verification code be sent to a telephone number when you sign in.

We can answer your questions about setting up security programs for your business or for you and your family. Leave a comment or send us an email with your questions and concerns – or give us a call at 973-433-6676.

This article was published in Technology Update, the monthly newsletter from Sterling Rose LLC.