Passwords = bad
Passwords, while a familiar concept deeply ingrained in our daily online interactions such as banking, social networking, and shopping, are fundamentally flawed. We've gotten used to always filling in our email and password when signing up for a new service or app, but rarely do we choose a 35-character random string of letters, numbers, and symbols. Users' tendency to reuse passwords for convenience compromises the security of the systems we depend on. Relying on reused passwords as our primary security measure increases the risk to both our digital and "real-world" lives.
I don't care!
But Samuel, I don't care. Well, you should. I won't go into the details of my views and preachings about passwords and online hygiene, but I always come back to a conversation I had with a family member.
- Ok, so you don't care about passwords and their reuse?
- No, I don't.
- So you don't care that people can view, and openly enter, your systems and apps?
- No, I don't care, I have nothing to hide.
- Ok, if you don't care and have nothing to hide, why don't you just publish everything publicly? We can begin to open up your accounts, and I'll begin to post them online. Let's also unlock your front door and let people come in and go through your photo albums, sensitive documents, the stuff you have in the freezer, and also let them stand and watch over you whilst you work and eat at home.
They said that they didn't want to do this…
We often think of our "real world" and online lives as separate things. But as technology and the internet grow into more parts of our lives, we also invite in more and more eyes, ears, and control. Having bad passwords, and reusing them, just makes this entry into our lives easier. Having your iCloud password set to ilovesamuel will indeed let almost anyone who really wants to access your photos. If your home surveillance system uses the same password as your compromised iCloud account, it would be a good idea to change it to something better, unless you want someone watching you move around your own house. These are of course scary scenarios that don't happen to everyone: people with bad passwords aren't always attacked and exploited, and people with 35-character passwords are sometimes attacked and exploited too. But the chances are greater, and the risks bigger, with bad and reused passwords.
Passkeys
Passkeys could be the salvation from passwords: a newer technology that allows the transition from reused passwords to better security and privacy. Passkeys are one of the ways we are moving towards passwordless authentication.
Passkeys let users sign in and authenticate themselves on services and apps with something other than a password, i.e. a credential that can't be reused and doesn't need to be remembered. Passkeys allow the use of biometrics and other technologies to authenticate yourself. In the same way you unlock your phone, you could use that same fingerprint or facial recognition to sign up for or log in to Google Drive or a Facebook account. It's easier, more convenient, and far more secure.
Passkeys have been supported and developed by industry leaders and foundations such as Google, Apple, Microsoft, the World Wide Web Consortium (W3C), and the FIDO Alliance (Fast Identity Online), among others, as a FIDO and Web Authentication (WebAuthn) standard. These systems and standards are being implemented, and in many cases have already been implemented, in various apps, websites, and services. Some of the services where you can use passkeys are Microsoft, Google, Adobe, PayPal, WhatsApp, etc. Here is an up-to-date list of all services that allow passkeys.
Passkeys work with public-key cryptographic key pairs. This means that each website we use passkeys with gets its own key pair, so there is nothing to reuse! The online service you sign in to with a passkey holds your public key, and you hold the private key. The private key can be stored on any device that supports this key pair technology, for example your smartphone, iPad, or PC. This is "key" because if, for example, Facebook's authentication database gets compromised and all of its data (public keys) is stolen, that data is useless. Thanks to the key pair design, the attacker doesn't have your private key, so the stolen public keys can't be used to log in to other services, while you can still authenticate yourself with your devices, which hold your passkey (private key).
Related blog posts:
- Read more about digital encryption in my other blog post
- Here you can also read more about FIDO and MFA
Why?
Passkeys are more resilient towards phishing attempts (though they don't stop them altogether), and against brute-force as well as credential-stuffing attacks. That is because your biometric data can't (not now, at least) be brute-forced or guessed. There is, however, an ever-growing fear about the storage and use of the biometric data that we provide to services and businesses, but that's another story. Also, no biometric data gets transferred to the service you are signing in to when you sign in with a passkey; biometrics are only used on your device to authenticate yourself.
Phishing involves the use of social-engineering attacks to trick a user into revealing their user data, such as passwords. These come in all types of forms and sizes, but most commonly you find them in your email inbox, as emails from your "bank" wanting you to log in and verify some "unauthorized" transactions, just click here! But when we use passkeys, the bad actor can't steal anything useful, because we use public-key cryptography to authenticate ourselves. There is no password to steal, and we have nothing we could share with the fake bank's email link even if we wanted to.
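As an added example that is not part of the original post, the following Go sketch models the two points above: the device keeps one private key per site and the site stores only public keys, so a leaked database and a look-alike phishing origin both come up empty. It assumes Ed25519 signatures (real authenticators more commonly use ECDSA P-256), reduces WebAuthn's signed data to SHA-256(relying party ID) || challenge, and the site names and challenge bytes used by callers are constructed; it also shows that a captured signature cannot be replayed against a fresh challenge.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models the user's device: one key pair per relying party ID; private keys never leave it.
type Authenticator map[string]ed25519.PrivateKey

// RelyingParty models the website, which stores only public keys, one per user. The browser
// derives ID from the page's real origin, so a look-alike phishing site gets a different ID.
type RelyingParty struct {
	ID    string
	Users map[string]ed25519.PublicKey
}

// Register creates a fresh key pair scoped to rp.ID; the server receives only the public key.
func (a Authenticator) Register(rp *RelyingParty, user string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err == nil {
		a[rp.ID], rp.Users[user] = priv, pub
	}
	return err
}

// signedMessage binds SHA-256(rpID) to the challenge; it stands in for WebAuthn's
// authenticatorData || SHA-256(clientDataJSON), reduced to the two fields that matter here.
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Sign answers a challenge for the rpID the browser reports; a look-alike phishing origin has no credential.
func (a Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, errors.New("no passkey registered for " + rpID)
	}
	return ed25519.Sign(priv, signedMessage(rpID, challenge)), nil
}

// Verify checks the signature against the stored public key and this site's own ID. The
// challenge must be fresh random bytes for every login, so a captured signature cannot be replayed.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.Users[user]
	return ok && ed25519.Verify(pub, signedMessage(rp.ID, challenge), sig)
}
```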
But.
There are some downsides to using passkeys instead of good ol' passwords. If you, for example, lose your phone, which has been registered as the main passkey for your online services and apps, then you need to reset your accounts through whatever options are provided, such as recovery codes, emails, phone numbers, contacting customer support, and/or using another device on which you are still logged in to your account. Account recovery is easier to deal with for regular password accounts, since you can just log in with your good ol' fashioned password123. As stated, you are quite dependent on your devices when using passkeys; they are needed for all your authentications.
Passkeys are not that new, but during the 2020s the technology and the push towards passwordless authentication have gained momentum, although overall implementation has been quite slow. It requires that more services, apps, and businesses begin to implement and allow the use of passkeys. We also need additional and stronger standards that pin down the development, implementation, and other aspects of using passkeys in all types of services and businesses. The general public also needs to be educated and made aware of the positive aspects of passkeys, and why passwords aren't that good in the long run.
Passkey Pros & Cons
Pros:
- Easing the use of digital services
- Enhanced online security
- No need to remember and/or store passwords
- Looking cool
Cons:
- Device dependency
- Recovery issues
- Not all services have passkeys implemented
- Looking too cool sometimes
Conclusion
So hey, let's start using passkeys! I'd still recommend that you have unique and varied passwords for all those sites that don't support passkeys. I mean, I don't think that your local bowling alley will support passkeys for their lane booking site any time soon, but who knows? Having a password manager lets you organize your accounts and passwords without needing to remember all of them all the time. Managers such as 1Password let you organize and view which of your sites you use a passkey for. Using MFA and other security tools, such as a YubiKey, is also "key" to securing your online (and real-world) life.