London (AP) – Tired of managing passwords? Consider using PassKeys.
Many online platforms are now integrating PassKeys, a digital authentication method touted as a more convenient and secure way to log in. Google started accepting it about 18 months ago.
PassKeys are viewed as the final step in password exchange. If you’re still unfamiliar with them, read on.
What are PassKeys and how do they function?
Forget about memorizing a complex 14-character password filled with letters, numbers, and symbols. PassKeys eliminate the need for that by allowing you to log in using biometric methods like facial recognition and fingerprints, or a digital pattern or PIN.
Comprising two code parts, PassKeys function like digital keys and locks. One half remains encrypted and typically resides in a compatible cloud password manager or a physical security dongle, while the other half is stored within the applications, services, or accounts you use.
For instance, when you sign into your Gmail account, both code halves communicate directly, providing access.
Is the security better?
PassKeys only work on approved websites, mitigating the security risks associated with traditional passwords.
This means that phishing attempts are less likely to succeed since attackers cannot trick you into entering information on counterfeit login pages. Furthermore, PassKeys utilize encrypted security, making it impossible for attackers to access your account by guessing passwords that were part of earlier data breaches.
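The two halves and the approved-website check described above can be sketched in a few lines of Node.js. This is an added illustration, not code from the article or from the FIDO Alliance. It is a simplified model of a passkey sign-in, and the site name, origins and function names are assumptions made for the example.

```javascript
const crypto = require("crypto");
// Assumed site identifiers for this illustration (not from the article).
const RP_ID = "accounts.example";
const RP_ORIGIN = "https://accounts.example";
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Setup: the private half stays with the user's password manager or
// security key; the website stores only the public half.
function registerPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { authenticator: { rpId: RP_ID, privateKey }, serverRecord: { publicKey } };
}

// Browser and authenticator: sign the site's one-time challenge together
// with the origin the browser actually loaded.
function signIn(authenticator, challenge, pageOrigin) {
  const host = new URL(pageOrigin).hostname, rp = authenticator.rpId;
  // A passkey is only offered to pages on the site it was created for.
  if (host !== rp && !host.endsWith("." + rp)) return null;
  const clientData = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin: pageOrigin,
  }));
  // Real authenticator data also carries flags and a signature counter.
  const authData = sha256(rp);
  const signed = Buffer.concat([authData, sha256(clientData)]);
  return { clientData, authData, signature: crypto.sign("sha256", signed, authenticator.privateKey) };
}

// Website: check origin, challenge and site hash, then the signature.
function verifySignIn(serverRecord, challenge, assertion) {
  if (!assertion) return false;
  const cd = JSON.parse(assertion.clientData.toString("utf8"));
  if (cd.type !== "webauthn.get" || cd.origin !== RP_ORIGIN) return false;
  if (cd.challenge !== challenge.toString("base64url")) return false;
  if (!assertion.authData.equals(sha256(RP_ID))) return false;
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientData)]);
  return crypto.verify("sha256", signed, serverRecord.publicKey, assertion.signature);
}

// Constructed walk-through: genuine page, lookalike page, replayed response.
function demo() {
  const { authenticator, serverRecord } = registerPasskey();
  const c1 = crypto.randomBytes(32), c2 = crypto.randomBytes(32);
  const genuine = signIn(authenticator, c1, RP_ORIGIN);
  const lookalike = signIn(authenticator, c1, "https://accounts.example.login.test");
  return { genuine: verifySignIn(serverRecord, c1, genuine),
           lookalike: verifySignIn(serverRecord, c1, lookalike),
           replayed: verifySignIn(serverRecord, c2, genuine) };
}
```

Only the genuine sign-in verifies. The lookalike page never receives a response, and a captured response fails against the next challenge, so there is no reusable secret for a breach or a fake login page to collect.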
Where can I utilize PassKeys?
According to Andrew Shikiar, CEO of the FIDO Alliance, which developed the core technology for PassKeys, around 20% of the world’s top 100 websites currently accept them.
PassKeys gained traction when Apple integrated the technology into iOS in 2022, and Google started using them in 2023. Other major companies, including PayPal, Amazon, Microsoft, and eBay, are also adopting PassKeys. You can find a directory on the FIDO Alliance website.
However, popular platforms like Facebook and Netflix have yet to implement this technology.
While PassKey technology is still in the “early adoption” stage, Shikiar asserts it’s only a matter of time before more sites start to offer it.
Setting up PassKey
I attempted to set up PassKeys for various online services, finding it straightforward for some but confusing for others. Shikiar noted that efforts are ongoing to improve user experience.
Google users can visit myaccount.google.com, click on “How to Sign in to Google,” and navigate to PassKeys and Security Keys. On the setup screen, I received a prompt to create a PassKey, and the password manager browser plugin automatically saved it. I confirmed my setup, and the process went smoothly.
So far, it’s been quite easy.
Using a Windows-based work laptop and a Yubico security key, I encountered a request for confirmation via my existing PassKey. Unfortunately, I couldn’t authenticate through the password manager thereafter.
I tried other verification methods, like the Google Authenticator app on my iPhone, and it eventually worked.
I added multiple PassKeys for my Microsoft Account—one through a password manager and another via the Yubico key.
Setting up PassKeys on LinkedIn and Amazon was much simpler. When attempting to add a PassKey to my WhatsApp account, I discovered that activating the app lock feature requiring a fingerprint scan had already created one a month prior.
Logging in
Once set up, signing into some accounts was a breeze. However, I faced challenges with PayPal, as the PassKey doesn’t work on certain browsers like Firefox.
When I tried to log in to Amazon using the PassKey, I was prompted for a one-time verification code from the Authenticator app, which puzzled me since I thought PassKeys were supposed to eliminate the need for multifactor authentication.
Shikiar explained that it varies by site, but theoretically, PassKey offers significant protection on its own.
“If the primary factor isn’t available, no other factors are required,” he clarified.
What if I lose my PassKey?
Losing a device with your PassKey doesn’t necessarily mean you’ve lost access. PassKeys are typically stored in a cloud-based password manager from Apple, Google, or a third party, allowing you to log in from another device.
However, passkeys stored on a security dongle are not cloud-synced, so if they’re lost, recovery is impossible. It’s advisable to have a second hardware key as a backup.
Additionally, you’re free to use both cloud and hardware methods together for extra redundancy.
Do I need PassKeys for all accounts?
From my experience, setting up PassKeys can either be straightforward or tedious, depending on the service and additional security technologies in use.
Therefore, I don’t recommend trying to set them up for all accounts at once.
Focus initially on your most important and frequently used accounts to ensure they are set up correctly.
What about my passwords?
Theoretically, you can delete your old passwords. Some services, like Microsoft, already provide this option. Shikiar mentions it’s a “personal preference,” as “some individuals may feel uneasy about being entirely passwordless.”
Keeping your old password is fine, but ensure you have multifactor authentication enabled as well, he added.
Source: apnews.com