
Google Implementing Support For Passkeys To Eliminate Passwords

Google has been implementing support for passkeys so that users can log in to their accounts without remembering a password or using a third-party password manager. Apple also implemented passkeys in iOS 16.

The passkeys concept has been touted by advocates as a way to eliminate the problem of people generating and using unsafe passwords because they’re worried they might forget the complex passwords required to secure their accounts properly.

Passkeys, a FIDO-developed technology, enable users to log in to their online accounts using their phone or computer’s built-in biometric authentication, such as Face ID, or PIN unlock prompts. The system generates and manages keys instead of asking you to create a password for your account.

While this has the potential to bolster security in cases where people use incredibly weak passwords and prevent phishing by checking the authenticity of the web address you’re at, there are still some disadvantages associated with it:

  • Your Apple or Android device already provides access to many online services. This means that simply losing your phone or having it stolen could be downright catastrophic, as the thief who obtained it could effectively take over all your online accounts. This was a problem before passkeys; now it will be an even bigger problem.
  • Your phone’s weak 4- or 6-digit PIN would effectively replace your online passwords. The phone unlock methods people choose are almost always insecure because they are usually a short PIN or biometrics. Facial recognition and fingerprint sensors have been bypassed too easily, and too many times, for this to hold up if a tech-savvy thief gains physical access to your phone. If you want to use passkeys, at least switch to the ‘password’ option when unlocking your phone and then create a strong, unique password and keep a backup copy of it somewhere safe.

If you don’t like the sound of passkeys, but want to move beyond the insecure, ‘easy to remember’ passwords that have been causing people to get hacked, then use a strong password generator and store the password in a secure password manager with zero knowledge and end-to-end encryption such as Bitwarden. It offers both password generation and storage. You can also use physical security keys such as SoloKeys or YubiKeys.

Password managers also provide phishing protection by checking that you’re at the correct domain before they auto-fill your password (Bitwarden does this). A combination of a strong, unique password that you don’t have to remember and two-factor authentication (not SMS 2FA, but an authenticator app such as FreeOTP, Raivo, or Google Authenticator) is both convenient and relatively secure. Using unique email addresses for each service will boost your security as well, because your email address is half of your login credentials on most websites.

When choosing a password manager, research it carefully to ensure that it stores your passwords using zero knowledge and end-to-end encryption. Anything less than that is unacceptable for a password manager. These two features protect your passwords in the event that the password manager’s server is hacked. If your device is hacked, that’s another issue — so always exercise caution and avoid unsafe websites.

Further Reading

Compromised Emails Are One Of Your Greatest Security Threats

Set Up Secure, Synced 2FA, Password And Email Generation On All Platforms
