Hard-to-remember passwords are one of the frustrating daily struggles of using computers. Worse, repeated passwords result in single account compromise spiralling out of control. Tim Clark explores the issue.
The jaded user cries, ‘Was it an S, or a $?’, trying desperately to remember. Worse, they used an old email and can’t reset their infernal password. Maybe they’ll just create a new account, and start over. Maybe just throw this computer out the window?
Disadvantages of multi-factor authentication and SSO
Multi-factor authentication attempts to mitigate this, but there are a few ways attackers can bypass it. Session hijacking is often cited, since an attacker holding a stolen session does not need your password or an MFA code. Sending MFA codes via text or email leaves the user vulnerable to phishing. Text-based MFA is also vulnerable to SIM swapping, where attackers (often through social engineering) move your phone number over to a SIM card that they control. Most simply, MFA fatigue can set in: if you are spammed with MFA notifications, you are more likely to approve a suspicious request.
There are other login methods that attempt to improve convenience or security. ‘Magic links’ allow you to enter your email address and be sent a link that lets you log in. However, this can involve an app switch and waiting for said email. ‘It’s not there yet, did you try spam?’ Links can also be triggered by email screening systems, expiring before they reach you.
Single Sign On (SSO) can be used with major accounts such as Apple, Google or Facebook. However, this leads to a single point of failure where a single account compromise could be catastrophic. A similar claim could be made about cloud-based password managers, which allow you to store all credentials behind a single, strong password.
So, don’t use them. Passkeys are the solution.
What are passkeys?
Created by the FIDO Alliance, a group of organisations worldwide including Apple, Microsoft and Google, passkeys are a major step towards a passwordless future.
Conventional security methods generally introduce more friction for users, but passkeys are actually simpler. They are ‘discoverable’, which means they store user information, so an email/username and password are not required. The WebAuthn browser API integrates with your computer, allowing you to approve its use with a fingerprint, your face or a backup PIN. An encrypted private key stored on your computer is combined with a public key provided by the website to create a unique credential, bound to a single website and user/device.
According to Google, users successfully sign in twice as fast with a passkey. This makes for a better user experience, reducing friction for customer-focused businesses, and it does not come at the cost of security. Passkeys implicitly provide MFA, using a ‘possession factor’ (you have the device with the key) and either knowledge of the PIN or an ‘inherence factor’ like a fingerprint. No MFA codes or magic links need to be sent via text or email. Because the credential is valid only for that specific website/user combination, a hijacked session token is useless on another device, where reauthentication would be required.
The positives of passkeys
Your private key is never shared, nor is your biometric information (only confirmation that verification succeeded), keeping things private to your device. When signing in on another device, like a shared computer, you can securely and quickly log in by scanning a QR code with a trusted device.
The best thing about passkeys is simply that no password is required. Nothing for you to remember, but also, nothing for you to come up with! No need to type a password twice nor worry about typos on registration. A secure key is generated without you needing to think of character substitutions or long random words. Unlike password managers, authentication apps and even magic links, passkeys are approachable for those unfamiliar with tech. Anyone can set one up easily without having to think much about it. Avoiding remembering, typing or copying passwords makes login much more accessible to a variety of users.
Why not set one up today? Once logged in, many sites prompt you to do so, and you can do it with just a few clicks. Apple, Google, Amazon, Microsoft and many others already offer passkey login. Take a step into a passwordless future.