
Microsoft joins Apple and Google rolling out passkeys support to consumer accounts for passwordless logins

Microsoft rolls out passkey authentication for consumer accounts to replace passwords. (Source: AI generated by Dall-E 3)
Microsoft has rolled out passkey support to consumer accounts, joining an effort by major companies including Apple and Google to eliminate password use. The login method uses face, fingerprint, or PIN verification, typically on a smartphone, to approve logins. It also introduces potential problems and annoyances.

Microsoft has rolled out passkey support for consumer accounts. Passkeys are a passwordless login method designed to prevent account takeovers by reducing or eliminating password use. Instead of passwords, facial recognition, fingerprint scans, or PINs are used to log into accounts.

Current methods of securing online accounts

Online account passwords often require a hated combination of lower-case and upper-case letters, numbers, and symbols that is easily forgotten and tedious to type but can be stolen by hackers using phishing, malware, and other methods.

One way to increase account security is to require a PIN code sent by text message along with the password. Although this is more secure than a password alone, hackers can still intercept the code through illegal SIM cloning, SIM swaps, and cellphone hacks, and through cellular network sniffing when targeting VIPs such as the President. Most PIN-protected accounts nonetheless remain better secured than password-only accounts.

Another way to increase account security is to use two-factor (2FA) devices or software (such as this one on Amazon) that generate a unique code to be entered along with the password. While 2FA software is vulnerable to malware and cloning, 2FA hardware is hard to copy, which makes it popular for securing accounts. Still, hackers have also found ways to bypass 2FA security.

Passkeys

The problem of forgotten passwords exists in all of the above methods, so passkeys are being promoted by major companies such as Apple, Google, and Microsoft as an alternative to 2FA hardware. For most users, passkey logins are authenticated by facial recognition, fingerprint scans, or PIN entry on their smartphone. Microsoft states that all biometric data remains on the user's device and is never sent to Microsoft.

One advantage of the passkey system is that a pair of cryptographic keys is created for, and is unique to, each online account. A login for one account will not work for another account. Readers who want to try out the new world of passwordless logins can read about passkey setup for consumer accounts at Microsoft, Apple, and Google.

Readers who don’t want to use passkeys can continue using PIN codes or 2FA hardware devices like this one at Amazon (remember to buy an extra backup).

Potential passkey issues

Passkeys do introduce potential issues and vulnerabilities. The first is the lack of two different pieces of information for a login: only the phone or 2FA device is required, so a stolen device carries the full ability to log into all accounts. Kids know how to peek over a shoulder to steal a PIN code, and hackers have broken Microsoft facial recognition and fingerprint verification before. Also, many passkey-protected accounts remain vulnerable because passwords are still used as a recovery method. Critically, if your biometric data such as a fingerprint is cloned, you cannot change it without surgery, so hackers can pretend to be you for as long as you continue to use the same fingerprint for authentication.

Passkey database loss is also a significant issue. If passwords are fully eliminated, loss of the passkey database without a sure method for account recovery can instantly lock users out of their accounts forever, as many bitcoin holders have experienced after losing their smartphones. The problem is large enough that even the author of webauthn-rs remains unconvinced, as do many users who reported their passkeys mistakenly destroyed by Apple and other companies. Also, the NSA knows that current, non-quantum cryptography is at risk, so smart users should be wary of passkey cloud backups.

Secure password and account strategies

Password managers such as 1Password and LastPass have been hacked repeatedly, so even allowing web browsers to remember your secrets can be a bad idea, because one successful hack can compromise all accounts. Instead, use a password creation strategy that you can easily remember. For example: favorite long phrase + "site name initial" + number + "symbol".

Another good strategy is to isolate and divide. For example, use one email account only for financials and another for regular correspondence, each with a different password. Notebooks are cheap enough (like this one on Amazon) that you can buy one just for financials.

Because SIM swaps are a threat to all users who secure accounts with their phones, read how to secure your SIM card for T-Mobile, Verizon, or AT&T.

David Chien, 2024-05-06 (Update: 2024-05-06)