They're kind of a pain, honestly.
You have to remember too many, use a password manager and a really long password, and keep separate passwords for sensitive websites like email and banking. The list of best practices goes on.
They're easily guessable (we've guessed many) since they fall into simple patterns: Company Year, Sports Team, Family and Pets.
And they get shared: your-news-site dot com has a data breach, your password there gets leaked on the internet, and a hacker tries that password or a variation everywhere else you use your email.
For years people have talked about getting rid of passwords.
The future is passwordless, they say.
And slowly but surely that's becoming a reality.
Apple and Android are building in support to move away from passwords by effectively using your phone as a password to log in to your email and other sites, if those sites support it.
They're calling them "passkeys".
Using security features of the phone, you’ll be able to create accounts and sign in to websites with Face ID or your fingerprint - no passwords required. And best of all - it can't be phished.
If you get tricked into browsing to a fake email login page, your phone will know something is off and the hacker won't have anything to steal.
As hackers we can set up realistic-looking login pages and even steal two-factor authentication codes. But in every case, the domain or website name we use won't be authentic. Because a passkey is tied only to the authentic website, your phone won't present it to the malicious site, and the hacker gets nothing at all.
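How the genuine site can confirm this binding on its side, shown as an added example that is not from the original post: in WebAuthn, the standard behind passkeys, the browser writes the origin it actually loaded into the signed client data, and the authenticator hashes the relying-party ID into its own data. The domain names, challenge and sample messages below are constructed, and signature verification is a separate step that is not shown.

```python
import base64
import hashlib
import json

# Constructed values for the genuine site (assumptions for this example).
RP_ID = "mail.example.com"
EXPECTED_ORIGIN = "https://mail.example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_origin_binding(client_data_json, auth_data, expected_challenge):
    """Return the names of failed checks; an empty list means the binding holds."""
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("type")
    if client.get("challenge") != b64url(expected_challenge):
        failures.append("challenge")
    # The browser, not the page, fills in the origin it actually loaded.
    if client.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")
    # Authenticator data starts with SHA-256(RP ID), then one flags byte.
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failures.append("rpIdHash")
    elif not auth_data[32] & 0x01:  # bit 0 = user present
        failures.append("userPresent")
    return failures


def make_sample(origin, rp_id, challenge):
    # Constructed (clientDataJSON, authenticatorData) pair, not captured traffic.
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    flags_and_counter = bytes([0x05]) + (7).to_bytes(4, "big")
    return client, hashlib.sha256(rp_id.encode()).digest() + flags_and_counter


CHALLENGE = b"constructed-challenge-0001"
GENUINE = make_sample("https://mail.example.com", "mail.example.com", CHALLENGE)
LOOKALIKE = make_sample("https://mail-example.login.test", "mail-example.login.test", CHALLENGE)

if __name__ == "__main__":
    print("genuine:", check_origin_binding(*GENUINE, CHALLENGE))
    print("lookalike:", check_origin_binding(*LOOKALIKE, CHALLENGE))
```

A response produced on the lookalike domain fails both the origin and the RP ID hash checks, so it is useless against the genuine site even if it is relayed there.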
Keep in mind, though, that you'll still want to be cautious not to type in a password on a site you're using passkeys with, since being asked for one is probably a good indicator of something nefarious going on.
If you lose your phone, no worries since passkeys are synced to your iCloud Keychain, and soon, to your Google account.
We're looking forward to this user-friendly and phishing-resistant method becoming mainstream as sites add support for passkeys. We’ll keep you posted with our experience and what pitfalls, if any, to watch for.
More information for Apple devices can be found here. Apple Passkey support debuts in iOS 16 (trust us, you should be keeping your devices up to date). More info for Android devices can be found here.
Until next time!