Passkeys
The big tech companies are getting together to do something about the insecurity of passwords. The FIDO Alliance (Apple, Microsoft, Amazon, Google, and others) and the W3C are pushing passkeys as a replacement for passwords for logging in to your web accounts.
Passkeys use public-key cryptography: every passkey has a public part and a private part. Your device works with the website or app to create the passkey. The public part, analogous to a lock, is registered with the site; the private part, analogous to a key, stays in your possession and never leaves your device.
The credential manager (a.k.a. password manager) on your device manages passkeys once they are set up. You only have to remember how to unlock your device. Since this may be a biometric such as facial recognition or your fingerprint, you may not have to remember anything most of the time. If you use a password or a PIN to unlock your device, you will have to remember it (or write it down someplace secure, away from your device).
Passkeys are much more secure than passwords. Passwords reside on both your device and the website. You hope the website's copy is encrypted and secure, but you never know. With passkeys, even if a hacker breaches the website and steals the account data, he would get only the public key, which is useless without the private key that is safely stored only in the credential/password manager of your local device.
These "keys" are long, random numbers with a mathematical relationship to each other. They are used to encrypt information sent and decrypt information received.
Public key-private key technology is not new. It's been around for 50 years. Its application to signing in to apps and websites, i.e., passkeys, is new.
You may have already encountered a website asking if you wanted to set up a passkey. Members of the FIDO (Fast Identity Online) Alliance are already implementing passkeys on their websites. Since the Alliance includes some of the biggest tech companies and consumer companies that depend on security for their customers (Bank of America, Intuit, PayPal, Vanguard, and others), use of passkeys will likely spread quickly.
Once you create a passkey, future logins will be more direct, faster, and more secure. The passkey is directly and uniquely tied to your account. Your account is identified by three things: the website domain (e.g., walmart.com), your account user identity, and the public key part of your passkey. All three must be present to successfully access your account.
Use of passkeys will significantly reduce successful phishing by hackers. For example, if you were to fall for a phishing email with a well-designed webpage pretending to be your bank, but with a fake domain, your credential manager, where your private key is stored, would not allow you to send your credentials to the fake webpage, because one of the three requirements, the correct domain, is not present. In other words, you cannot inadvertently reveal your private key to the hacker.
You have options for which credential manager you use. The choices include those built into your operating system or browser and those provided by third parties such as 1Password, Bitwarden, and others. You may use more than one, but it could get confusing. Your credential manager literally holds the keys to the kingdom (of your accounts), so protect it with a strong password, a biometric, or a passkey.
It will be a few years before all websites and apps have implemented passkeys. For now, plan to continue using strong passwords, a different one for each account, and multi- or two-factor authentication to access your accounts. Meanwhile, begin to use passkeys for every account you can. You will soon be on your way to a more secure and easier-to-use future.