An article from my colleague, Joey Pepka, of Peptronics
Passwords are the standard way we log on to pretty much everything, everywhere.
The catch? Passwords are inherently insecure. They can be stolen, guessed, or brute forced. But mostly, people just use bad ones. (And, worse, reuse them.)
Password managers can track all those various alphanumerics for you and even replace the weak ones. But password management is a half measure when it comes to security. The real action is in eliminating passwords altogether.
The Passwordless Plan
Microsoft, Apple and Google plan to roll out no-password logins across all of their platforms, using a standard set by the FIDO (Fast IDentity Online) Alliance, the body that sets the worldwide standards for passwordless authentication.
That’s a bit of a mouthful… so some people call this a passkey. A lot easier to remember.
A passkey works in a similar way to multi-factor authentication (where you use a separate device to prove it’s really you), but with less effort required.
It’s very simple. To log in to something, you’ll use your phone to prove it’s really you. Your computer will use Bluetooth to verify you’re sitting nearby. Because Bluetooth only works over a short distance, this should stop many phishing scams. Then it’ll send a verification message to your phone. You’ll unlock your phone in the usual way, with your face, fingerprint or PIN.
You’ve probably experienced this for yourself. You go to log in to a site or fire up an app, and instead of being asked to enter a password you get a prompt to enter a six-digit code from your authenticator app, tap a notification on your phone, or click a link sent to your email. Or maybe you just need to raise your phone to your face. Easy peasy.
And that’s it. You’re logged in.
Passkeys rely on something called public key cryptography. When you register with an application or website, a key pair is made between the website and your phone. These are really long numbers that are mathematically linked. But you’ll never see them, and you certainly don’t have to remember them. Your phone uses its half of the pair to prove who you are when you unlock it in the normal way.
Your passkeys will be backed up in the cloud, so if you get a new device, you can simply transfer your information over, in the same way it’s now easy to set up a new phone to be just like your old one.
These passkeys are not only simpler for you but should keep your data safer.
There is no password for cyber criminals to steal. And your phone needs to be close to your computer to log in. It’s not foolproof, but it’s a lot better than the current situation with passwords and multi-factor authentication.
About the Author: I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com