Digital safety

Passkey, the reason you might not need passwords anymore

Strong passwords are already less vulnerable to brute-force attacks and other hacking methods than simple ones, and ensure a minimum level of safety for your data. But a newer passwordless login technology can give your security an even greater boost. In this article, Reporters Without Borders (RSF) presents the mechanism and potential applications of passkeys.

Passwords have long been the most widely used method to protect digital data, but they have several significant vulnerabilities:

  • Passwords can be easily leaked, especially when a password is shared with multiple people, such as a team of journalists, colleagues and interns who all access the same social media news account.
  • Passwords stored on a device can be stolen. Managing many complex passwords might lead a journalist to keep them in a document or a password manager and copy and paste them as needed, but malware on the device can read or hijack the clipboard and intercept them.
  • Passwords are highly vulnerable to phishing attacks. Hackers can create convincing fake login pages to trick people into entering their password information, only to steal it and hijack their accounts.
  • Passwords can be easily forgotten. A journalist may decide, for safety reasons, not to write a password down anywhere, and then forget it when it is not typed regularly.

What are passkeys?

Passkeys can drastically strengthen your defence against such attacks. Instead of relying on a password, a passkey is a pair of cryptographic keys generated on your device, such as your phone, computer, password manager, or a physical security key. When you set up a passkey with an online account, the two halves are kept apart: the private key stays on your device and never leaves it, while the public key is sent to the website, which stores it alongside your account.

When you log in, the website sends your device a random challenge. Your device asks you to unlock the passkey (fingerprint, face scan, device PIN, etc.), then signs the challenge with the private key and returns the signature. The website checks the signature against the public key it holds; if it matches, you are logged in, without any password being typed or sent.

Aside from mobile devices, passkeys can be stored in various places:

Safer and more convenient

With passkeys, there is no password to leak or steal: the website only ever holds the public key, which is useless to an attacker on its own. Multiple passkeys can even be created for the same online account, which makes it easy and secure for teams to share access, since each colleague creates their own passkey on their own device and nothing has to be passed around.

Passkeys are safer than a password, even one combined with two-factor authentication (2FA). If you visit a phishing site that asks for a one-time code sent via SMS, email or an authenticator app, there is still a risk of being tricked into handing over both the password and the 2FA code, which the attacker can relay to the real site while the code is still valid. With passkeys, the “password” and the “second factor” are combined into one step: the private key proves possession of the device and the fingerprint, face scan or PIN proves it is you, offering stronger security with a faster login experience.

Furthermore, each passkey is bound at creation to the domain of the website it was made for, and your browser or device will only offer it to that domain. Even if a hacker sets up a convincing phishing site and tricks you into visiting it, the passkey simply will not be used for the fake domain, and there is no secret you could type in by mistake.

Streamline passkeys with a password manager

A password manager is a software tool that stores passwords (and, increasingly, passkeys) for you. Its contents are encrypted and stored on your device. The encryption key is derived from a single master password that you have to remember, so even if someone takes your device, they cannot read your passwords without the master password.

The encryption itself is strong, but an attacker who obtains a copy of the encrypted data can still try to guess the master password offline, so it is essential that the master password be long and strong. RSF recommends a master password longer than 16 characters.

Device security is critical

Passkeys live on your devices (and, with many password managers and phone accounts, are synced between them), so it is essential to safeguard those devices: set a strong device password, enable biometric authentication, and use secure storage practices to prevent unauthorised access. If a malicious actor gained control of an unlocked device storing passkeys, they could use them to log in to your accounts.