Microsoft joins Apple and Google in rolling out passkey support to consumer accounts for passwordless login


Microsoft has rolled out passkey support for consumer accounts. Passkeys are a passwordless login method designed to prevent account takeover by reducing or eliminating the use of passwords. Instead of passwords, facial recognition, fingerprint scanning or PIN numbers are used to log into accounts.

Current methods to protect online accounts

Passwords for online accounts often require an obnoxious combination of lowercase and uppercase letters, numbers and symbols that is easily forgotten and tedious to type, yet they can still be stolen by hackers through phishing, malware and other methods.

One way to increase account security is to require text-message PIN codes along with passwords. Although this is more secure than a password alone, hackers can still intercept the code through illegal SIM cloning (https://theintercept.com/2020/09/25/surveillance-sim-cloning-protests-protect-phone/), SIM swaps, mobile phone hacking, and cellular network sniffing when targeting high-profile individuals like the President. However, most PIN-protected accounts are still better protected.

Another way to increase account security is to use two-factor (2FA) devices and software (like this one from Amazon) that generate a unique code that must be entered along with a password. While 2FA software is vulnerable to malware and cloning, 2FA hardware is difficult to copy, making it popular for securing accounts. Still, hackers have also found ways to bypass 2FA security.

Passkeys

The problem of forgotten passwords exists in previous methods, which is why passkeys are being promoted by large companies such as Apple, Google and Microsoft as an alternative to 2FA hardware. For most users, passkey logins are typically authenticated by facial recognition, fingerprint scanning, or entering the PIN on the person’s smartphone. Microsoft claims that all biometric data remains on the user’s device and is never sent to them.

One of the advantages of the passkey system is that a unique pair of cryptographic keys is created for each online account. A login for one account will not work for another. Readers who want to try out the new world of passwordless logins can read about setting up passkeys for consumer accounts at Microsoft, Apple, and Google.
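The per-account key pair described above, as an added example (not code from Microsoft, Apple, Google or the original article). It is a simplified model of a passkey login in Node.js: the signed data is just SHA-256(site ID) plus the server's challenge, and the `Authenticator` class, `signedData` helper and `*.example` site names are hypothetical.

```javascript
const crypto = require("node:crypto");

// Bytes covered by the signature: hash of the site ID, then the server's challenge.
// (Simplified; real WebAuthn signs authenticator data plus a client-data hash.)
function signedData(rpId, challenge) {
  const rpIdHash = crypto.createHash("sha256").update(rpId).digest();
  return Buffer.concat([rpIdHash, challenge]);
}

// Stand-in for the phone or security key: one private key per site.
class Authenticator {
  constructor() { this.keys = new Map(); }

  // Registration: make a fresh P-256 key pair; only the public key leaves the device.
  register(rpId) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(rpId, privateKey);
    return publicKey;
  }

  // Login: sign the challenge with the key that belongs to this site only.
  sign(rpId, challenge) {
    const key = this.keys.get(rpId);
    if (!key) throw new Error("no passkey registered for " + rpId);
    return crypto.sign("sha256", signedData(rpId, challenge), key);
  }
}

// Server side: check the signature against the public key stored at registration.
function verifyLogin(rpId, publicKey, challenge, signature) {
  return crypto.verify("sha256", signedData(rpId, challenge), publicKey, signature);
}

function demo() {
  const device = new Authenticator();
  const bankPub = device.register("bank.example"); // constructed site names
  const mailPub = device.register("mail.example");
  const challenge = crypto.randomBytes(32);        // fresh per login attempt
  const sig = device.sign("bank.example", challenge);
  return {
    ownSite: verifyLogin("bank.example", bankPub, challenge, sig),
    otherSite: verifyLogin("mail.example", mailPub, challenge, sig),
    wrongKey: verifyLogin("bank.example", mailPub, challenge, sig),
    replayed: verifyLogin("bank.example", bankPub, crypto.randomBytes(32), sig),
  };
}

console.log(demo());
```

Only `ownSite` verifies: the same signature is rejected by the other site, by the other account's public key, and against a new challenge, which is why a captured login cannot be reused elsewhere or later.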

Readers who don’t want to use passkeys can still use PIN codes or hardware 2FA devices like this one from Amazon (remember to purchase an extra backup).

Potential passkey issues

Passkeys introduce potential problems and vulnerabilities. The first is the lack of two separate login factors: only the phone or 2FA device is required, so a stolen device can be used to log in to all accounts. Kids know how to peek over your shoulder to steal a PIN code, and hackers have breached Microsoft’s facial recognition (https://www.cyberark.com/resources/threat-research-blog/bypassing-windows-hello-without-masks-or-plastic-surgery) and fingerprint verification before. Additionally, many passkey-protected accounts remain vulnerable because passwords are used as a recovery method. More importantly, if your biometric data, such as your fingerprint, is cloned, you won’t be able to change it unless you undergo surgery, so hackers will be able to impersonate you as long as you’re still using the same fingerprint to authenticate.

Loss of passkey databases is also a major problem. If passwords are completely removed, losing the passkey database without a secure method for account recovery can instantly lock users out of their accounts forever, as many bitcoin holders have experienced after losing their smartphones. The problem remains so big that even the author of webauthn-rs remains unconvinced, as do many users who reported that their passkeys had been mistakenly destroyed by Apple and other companies. Additionally, the NSA knows that current non-quantum cryptography is in danger, so smart users should be wary of cloud backups of passkeys.

Secure password and account strategies

Password managers like 1Password and LastPass have been hacked repeatedly, so even allowing web browsers to remember your secrets may be a bad idea, as a successful hack can compromise all accounts. Instead, use a password creation strategy that you can easily remember. For example: favorite long phrase + “site name initial” + number + “symbol”.

Another good strategy is to isolate and divide. For example, use one email account just for finances and another for regular correspondence, with different passwords. Laptops are cheap enough (like this one on Amazon) that you can buy one just for finances.

Because SIM swaps are a threat to all users who secure accounts using their phones, read how to secure your SIM card for T-Mobile, Verizon, or AT&T users.

 