Bring on the Passkeys

Passwords are porous, and so are some forms of two-factor authentication (2FA), such as those numeric codes sent to your phone or email to verify your identity. Known as one-time passwords (OTPs), they’re relatively safe, but hackers are getting better at breaching that defense. Passkeys are coming into their own as a stronger cybersecurity tool.

OTPs are typically provided in a text message, which is vulnerable to attacks in several ways. A hacker who intercepts the text to your phone might not get the password directly, but they could launch a smishing attack (it’s like an email phishing attack) and wait for you to make a mistake (responding to the text) to get into your account. More sophisticated hackers engage in SIM swapping or a more effective means of message interception to take over your phone and account. With those latter two forms of intrusion, it may take a while for you to discover the hack. Even if it’s less than an hour, it could be too late.

Risky as they are, OTPs by text are likely to remain in use for a while. Some companies are reluctant to change because they fear it will cost them customers who are not tech-savvy enough to adapt to more sophisticated verification tools. Most of you can reduce the risk somewhat by using a password manager. Reputable providers keep your master password secure – sometimes allowing you to bypass using it (as you’ll read shortly) – and add a strong layer of protection by generating long, complex passwords that are hard to crack.

As a smartphone and password manager user, you’re likely to be using a passkey already. For iPhone users, it’s facial recognition. For Android users, it’s a fingerprint. These and other passkeys work in the background to assemble a mathematical puzzle. The numbers are always changing, and they are not tied to anything that’s unique to you as a person. It doesn’t care about your mother’s maiden name or your first-grade teacher.

Most password managers use biometrics to authenticate you and your device, and you don’t need to be a tech wizard to set up and use it. For facial recognition, you just need to let the authentication app see several views of your face. For fingerprints, you just need to roll a finger over a sensor. In most cases, when using your smartphone, tapping on the app for a website automatically starts the authentication sequence.

Authenticator apps such as Microsoft Authenticator and Google Authenticator can work with website visits from a computer or mobile device. We like to set up our Microsoft OneDrive clients using Microsoft Authenticator to access files securely from any device from any internet connection.

For mobile devices, you can use a mobile app push for even more security. It works with mobile apps on your phone. When you log in to a website, you get a notification in the corresponding app on your phone that prompts you to verify your identity through that notification. This verification method is independent of the device you are logging in on and better than SMS or authenticator OTPs. However, you still need to pay attention. A hacker could repeatedly try to log in to your account using a stolen password, and you would get multiple messages on your phone to verify. If you click to verify, you could give the hacker account access.

We can help you move to a stronger authentication process. Call us – 973-433-6676 – or email us to see what authentication could work best for you. We can help you install and configure the necessary software and get you started on using it.

Passkeys Not There…Yet

Passkeys hold a lot of promise in eliminating passwords. They rely on an electronic handshake to allow your device to access a secure website, and many password managers claim to link to passkeys. They’re getting there, but they’re not there yet.

A major hurdle right now is that not all websites recognize the passkeys from password managers. Sometimes, recognition depends on the device. Since most of us have fairly new cell phones, our phones usually have the ability to work with facial recognition, which is a form of a passkey. Older devices may not have the ability to work with this type of technology.

We suspect the move to newer computers – especially as Microsoft ends support for Windows 11 – and the need for better security will speed the drive to make more devices capable of using passkeys.

Why are passkeys secure? They eliminate the need to enter usernames and passwords, both of which are stored on the website you’re trying to access. We know the problems with usernames and passwords: they can be stolen by hackers from the website or your device, they can be forgotten, and we can make them less effective by using simple passwords multiple times so we don’t forget them.

Passkey information is stored on the website and in your device. They are not the same info; they rely on the handshake – sort of like two spies who each know what they need to hear in a phrase. On your device, the most common passkey information is a biometric (facial recognition or fingerprint) or a PIN (personal identification number). Because they are device specific, the system relies on you having your device when you log into the website.

When you combine a passkey with some form of 2FA (two factor authentication), you’re using an access method that has proven reliably secure up to now. Many of the leading password manager programs, such as Dashlane, 1 Password and Bitwarden, can create and store passkeys for you, and both Apple and Android can store their passkeys locally and access them using the keychain app on mobile devices.

Even if you can’t use the passkey with your password manager, you’re still ahead. Remember, with a password manager, you only need to remember a single master password. You can let the password manager generate a long, complex password for each website. That password should be immune from guesses based on any of your personal information.

More websites, too, are using passkeys instead of the username/password duo. As the websites use them more, you will have easier access to more websites, but that comes with a caution. The websites will need to tighten their security, too, to prevent more sophisticated hijackers from getting info from their sites. One of their hacks is to hijack cookies. You can help prevent that by not clicking on “Accept” when the cookie dialog box pops up. Instead, navigate to the “Cookies” or “User Data” sections and choose the shortest available session duration. That way your cookies will expire automatically or whenever you close your browser window.

To expand the conversation about the internet and security, you can apply the same security measures to any device in your office or home that uses the internet or a Wi-Fi network. Printer manufacturers such as HP have created anti-hacking steps, such as entering a PIN, to gain access to the information stored in a printer.

We can help you install and configure password managers and set up effective passkeys and other security measures. Call us – 973-433-6676 – or email us to talk about it.