Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Passkeys. Show all posts
Technology
Advanced security Advanced Tech Passkeys Technology

Passkeys Gaining Traction as More Secure Alternative to Passwords, Experts Say

 

Security experts are increasingly urging users to move away from traditional passwords and adopt passkeys, a newer method of logging into accounts that aims to reduce risks such as hacking and phishing. 

Passwords remain widely used, but they are often reused, simplified or poorly managed. Even with password managers, which help generate and store complex credentials, risks remain. These systems typically rely on a single master password, creating a potential point of failure if compromised. Passkeys take a different approach. 

Instead of requiring users to remember or enter passwords, they rely on device-based authentication, such as a phone’s screen lock or biometric verification like fingerprint or facial recognition. 

The system works using a pair of cryptographic keys. One key is stored on the service being accessed, while the other remains securely on the user’s device. When logging in, the service sends a request that the device verifies locally. 

If the authentication is successful, access is granted without transmitting a password. Because no password is shared or stored centrally, passkeys are considered more resistant to phishing attacks, which the FBI has previously identified as one of the most common forms of cybercrime. 

The method is supported by the FIDO Alliance and adopted by major technology companies including Google, Apple and Microsoft. Passkeys are designed to work automatically once set up, requiring minimal user input. 

However, they are tied to specific devices, meaning losing access to a device could complicate account recovery unless backup options are enabled. Experts say the shift reflects broader concerns about password security. 

Once an email address or login credential is exposed through data breaches or online use, it can be reused by attackers across multiple platforms. Passkeys also generate unique credentials for each service, limiting the impact of a breach on any single platform. 

While adoption is still growing, the approach is increasingly seen as part of a move toward passwordless authentication, as companies look to reduce reliance on systems that have long been vulnerable to misuse.
Read more »
phishing
Biometrics Cyber Security Cybersecurity Online Security Passkeys Password password protection Passwords phishing

Passkeys vs Passwords: Why Passkeys Are the Future of Secure Logins

 

Passwords have long served as the keys to our digital world—granting access to everything from social media to banking apps. Yet, like physical keys, they can easily be lost, copied, or stolen. As cyber threats evolve, new alternatives such as passkeys are stepping in to offer stronger, simpler, and safer ways to log in.

Why passwords remain risky

A password is essentially a secret code you use to prove your identity online. But weak password habits are widespread. A CyberNews report revealed that 94% of 19 billion leaked passwords were reused, and many followed predictable patterns—think “123456,” names, cities, or popular brands.

When breaches occur, these passwords spread rapidly, leading to account takeovers, phishing scams, and identity theft. In fact, hackers often attempt to exploit leaked credentials within an hour of a breach.

Phishing attacks—where users are tricked into entering their passwords on fake websites—continue to rise, with more than 3 billion phishing emails sent daily worldwide.

Experts recommend creating unique, complex passwords or even memorable passphrases like “CrocApplePurseBike.” Associating it with a story can help you recall it easily.

Enter passkeys: a new way to log in

Emerging around four years ago, passkeys use public-key cryptography, a process that creates two linked keys—one public and one private.

  • The public key is shared with the website.

  • The private key stays safely stored on your device.

When you log in, your device signs a unique challenge using the private key, confirming your identity without sending any password. To authorize this action, you’ll usually verify with your fingerprint or face ID, ensuring that only you can access your accounts.

Even if the public key is stolen, it’s useless without the private one—making passkeys inherently phishing-proof and more secure. Each passkey is also unique to the website, so it can’t be reused elsewhere.

Why passkeys are better

Passkeys eliminate the need to remember passwords or type them manually. Since they’re tied to your device and require biometric approval, they’re both more convenient and more secure.

However, the technology isn’t yet universal. Compatibility issues between platforms like Apple and Microsoft have slowed adoption, though these gaps are closing as newer devices and systems improve integration.

The road ahead

From a cybersecurity perspective, passkeys are clearly the superior option—they’re stronger, resistant to phishing, and easy to use. But widespread adoption will take time. Many websites still rely on traditional passwords, and transitioning millions of users will be a long process.

Until then, maintaining good password hygiene remains essential: use unique passwords for every account, enable multi-factor authentication, and change any reused credentials immediately.

Read more »
Password Manager
Browser Clickjacking Attacks Credential Cyber Security Passkeys Password Manager

Passkeys under threat: How a clever clickjack attack can bypass your secure login

 


At DEF CON 33, independent security researcher Marek Tóth revealed a new class of attack called DOM-based extension clickjacking that can manipulate browser-based password managers and, in limited scenarios, hijack passkey authentication flows. This is not a failure of cryptography itself, but a breakdown in the layers surrounding it.


What is being attacked, and how?

Clickjacking is not new. In its classic form, an attacker overlays a transparent frame or control on a visible page so that a user thinks they are clicking one thing but actually triggers another. 

What Tóth’s technique adds is the targeting of browser extensions’ UI elements specifically, the autofill prompts that password managers inject into web pages. The attacker’s script controls the page’s Document Object Model (DOM) and applies CSS tricks (such as setting opacity to zero or overlaying fake elements) so that a user’s genuine click (for example, “Accept cookies”) also activates that hidden autofill element. The result: the extension may populate fields transparently, then the attacker reads the filled data. 

In many of Tóth’s tests, a single click was sufficient to trigger data leakage credentials, TOTP codes (2FA), credit card information, or personal data. In some setups, passkey workflows could also be subverted using “signed assertion hijacking,” if the server did not enforce session-bound challenges. 


How serious is the exposure?

Tóth examined 11 popular password-manager extensions (such as Bitwarden, 1Password, LastPass, iCloud Passwords). All were vulnerable under default settings to at least one variant of the attack. 

Among the risks:

Credential theft: Usernames, passwords and even stored TOTP codes could be auto-populated and exfiltrated. 

Credit card data: Autofill of payment fields (card number, expiration, CVV) was exposed in several tests. 

Passkey hijack: If the relying server does not bind the challenge to a session, an attacker controlling a page could co-opt a passkey login request. 

Some vendors have already released patches. For example, Enpass addressed clickjacking in browser extensions in version 6.11.6. Other tools remain at risk under certain configurations. 


Why this doesn’t mean cryptographic failure

It is critical to clarify: the underlying passkey standards (WebAuthn / FIDO protocols) were not broken. Instead, the attack targets the implementation and environment around them namely, the browser’s extension UI interaction. The exploit is possible only when the extension injects visible elements into the page DOM, and when an attacker can manipulate those elements. 

In other words, passkeys are strong in theory. But every layer above — browser, extension, site must preserve integrity or risk defeat.


What must users and organizations do

Users should:

1. Update your browser and your password-manager extensions immediately; enable auto-update.

2. Disable inline autofill where possible; prefer manual copy-paste or invoke filling only through the extension’s menu.

3. On Chromium-based browsers, set extension site access to “on click,” not “all sites.”

4. Remove or disable unused extensions.

5. For high-value accounts, prefer platform-native passkey or hardware-backed authenticators rather than extension-based credentials.


Organizations should:

• Audit extension policies and restrict or whitelist extensions.

• Enforce secure best practices on web apps (e.g., session­-bound challenges with passkeys).

• Encourage or mandate the use of vetted and updated password-management tools.


This disclosure emphasizes that security is a chain, and your cryptographic strength is only as strong as its weakest link. Passkeys are an important evolution beyond passwords, but until all layers: browser, extensions, applications are hardened, risk remains. Act now before attackers exploit complacency.


Read more »
Passkeys
browser extensions Browser Security Cyber Security data security Data Theft Malicious Browser Extension Passkey Security Passkeys

SquareX Warns Browser Extensions Can Steal Passkeys Despite Phishing-Resistant Security

 

The technology industry has long promoted passkeys as a safer, phishing-resistant alternative to passwords. Major firms such as Microsoft, Google, Amazon, and Meta are encouraging users to abandon traditional login methods in favor of this approach, which ties account security directly to a device. In theory, passkeys make it almost impossible for attackers to gain access without physically having an unlocked device. However, new research suggests that this system may not be as unbreakable as promised. 

Cybersecurity firm SquareX has demonstrated that browser-based attacks can undermine the integrity of passkeys. According to the research team, malicious extensions or injected scripts are capable of manipulating the passkey setup and login process. By hijacking this step, attackers can trick users into registering credentials controlled by the attacker, undermining the entire security model. SquareX argues that this development challenges the belief that passkeys cannot be stolen, calling the finding an important “wake-up call” for the security community. 

The proof-of-concept exploit works by taking advantage of the fact that browsers act as the intermediary during passkey creation and authentication. Both the user’s device and the online service must rely on the browser to transmit authentication requests accurately. If the browser environment is compromised, attackers can intercept WebAuthn calls and replace them with their own code. SquareX researchers demonstrated how a seemingly harmless extension could activate during a passkey registration process, generate a new attacker-controlled key pair, and secretly send a copy of the private key to an external server. Although the private key remains on the victim’s device, the duplicate allows the attacker to authenticate into the victim’s accounts elsewhere. 

This type of attack could also be refined to sabotage existing passkeys and force users into creating new ones, which are then stolen during setup. SquareX co-founder Vivek Ramachandran explained that although enterprises are adopting passkeys at scale, many organizations lack a full understanding of how the underlying mechanisms work. He emphasized that even the FIDO Alliance, which develops authentication standards, acknowledges that passkeys require a trusted environment to remain secure. Without ensuring that browsers are part of that trusted environment, enterprise users may remain vulnerable to identity-based attacks. 

The finding highlights a larger issue with browser extensions, which remain one of the least regulated parts of the internet ecosystem. Security professionals have long warned that extensions can be malicious from the outset or hijacked after installation, providing attackers with direct access to sensitive browser activity. Because an overwhelming majority of users rely on add-ons in Chrome, Edge, and other browsers, the potential for exploitation is significant. 

SquareX’s warning comes at a time when passkey adoption is accelerating rapidly, with estimates suggesting more than 15 billion passkeys are already in use worldwide. The company stresses that despite their benefits, passkeys are not immune to the same types of threats that have plagued passwords and authentication codes for decades. As the technology matures, both enterprises and individual users are urged to remain cautious, limit browser extensions to trusted sources, and review installed add-ons regularly to minimize exposure.
Read more »
Windows
Apple Google Internet Microsoft Passkeys Passwords Technology Windows

Ditch Passwords, Use Passkeys to Secure Your Account

Ditch Passwords, Use Passkeys to Secure Your Account

Ditch passwords, use passkeys

Microsoft and Google users, in particular, have been warned about ditching passwords for passkeys. Passwords are easy to steal and can unlock your digital life. Microsoft has been at the forefront, confirming it will delete passwords for more than a billion users. Google, too, has warned that most of its users will have to add passkeys to their accounts. 

What are passkeys?

Instead of a username and password, passkeys use our device security to log into our account. This means that there is no password to hack and no two-factor authentication codes to bypass, making it phishing-resistant.

At the same time, the Okta team warned that it found threat actors exploiting v0, an advanced GenAI tool made by Vercelopens, to create phishing websites that mimic real sign-in webpages

Okta warns users to not use passwords

A video shows how this works, raising concerns about users still using passwords to sign into their accounts, even when backed by multi-factor authentication, and “especially if that 2FA is nothing better than SMS, which is now little better than nothing at all,” according to Forbes. 

According to Okta, “This signals a new evolution in the weaponization of GenAI by threat actors who have demonstrated an ability to generate a functional phishing site from simple text prompts. The technology is being used to build replicas of the legitimate sign-in pages of multiple brands, including an Okta customer.”

Why are passwords not safe?

It is shocking how easy a login webpage can be mimicked. Users should not be surprised that today’s cyber criminals are exploiting and weaponizing GenAI features to advance and streamline their phishing attacks. AI in the wrong hands can have massive repercussions for the cybersecurity industry.

According to Forbes, “Gone are the days of clumsy imagery and texts and fake sign-in pages that can be detected in an instant. These latest attacks need a technical solution.”

Users are advised to add passkeys to their accounts if available and stop using passwords when signing in to their accounts. Users should also ensure that if they use passwords, they should be long and unique, and not backed up by SMS 2-factor authentication. 

Read more »
two-factor authentication
FIDO Alliance Microsoft Authenticator app online security updates Passkeys password autofill ending Technology two-factor authentication

Microsoft Phases Out Password Autofill in Authenticator App, Urges Move to Passkeys for Stronger Security

 

Microsoft is ushering in major changes to how users secure their accounts, declaring that “the password era is ending” and warning that “bad actors know it” and are “desperately accelerating password-related attacks while they still can.”

These updates, rolling out immediately, impact the Microsoft Authenticator app. Previously, the app let users securely store and autofill passwords on apps and websites you visit on your phone. However, starting this month, “you will not be able to use autofill with Authenticator.”

A more significant shift is just weeks away. “From August,” Microsoft cautions, “your saved passwords will no longer be accessible in Authenticator.” Users have until August 2025 to transfer their stored passwords elsewhere, or risk losing access altogether. As the company emphasized, “any generated passwords not saved will be deleted.”

These moves are part of Microsoft’s broader initiative to phase out traditional passwords in favor of passkeys. The tech giant, alongside Google and other industry leaders, points out that passwords represent a major security vulnerability. Despite common safeguards like two-factor authentication (2FA), account credentials can still be intercepted or compromised.

Passkeys, by contrast, bind account access to device-level security, requiring biometrics or a PIN to log in. This means there’s no password to steal, phish, or share. The FIDO Alliance explains: “passkeys are phishing resistant and secure by design. They inherently help reduce attacks from cybercriminals such as phishing, credential stuffing, and other remote attacks. With passkeys there are no passwords to steal and there is no sign-in data that can be used to perpetuate attacks.”

For users currently relying on Authenticator’s password storage, Microsoft advises moving credentials to the Edge browser or exporting them to another password manager. But more importantly, this is a chance to upgrade your key accounts to passkeys.

Authenticator will continue to support passkeys going forward. Microsoft advises: “If you have set up Passkeys for your Microsoft Account, ensure that Authenticator remains enabled as your Passkey Provider. Disabling Authenticator will disable your passkeys.”
Read more »
Website
MFA Passkeys Privacy Security Codes Website

Think Twice Before Using Text Messages for Security Codes — Here’s a Safer Way

 



In today’s digital world, many of us protect our online accounts using two-step verification. This process, known as multi-factor authentication (MFA), usually requires a password and an extra code, often sent via SMS, to log in. It adds an extra layer of protection, but there’s a growing concern: receiving these codes through text messages might not be as secure as we think.


Why Text Messages Aren’t the Safest Option

When you get a code on your phone, you might assume it’s sent directly by the company you’re logging into—whether it’s your bank, email, or social media. In reality, these codes are often delivered by external service providers hired by big tech firms. Some of these third-party firms have been connected to surveillance operations and data breaches, raising serious concerns about privacy and security.

Worse, these companies operate with little public transparency. Several investigative reports have highlighted how this lack of oversight puts user information at risk. Additionally, government agencies such as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have warned people not to rely on SMS for authentication. Text messages are not encrypted, which means hackers who gain access to a telecom network can intercept them easily.


What Should You Do Instead?

Don’t ditch multi-factor authentication altogether. It’s still a critical defense against account hijacking. But you should consider switching to a more secure method—such as using an authenticator app.


How Authenticator Apps Work

Authenticator apps are programs installed on your smartphone or computer. They generate temporary codes for your accounts that refresh every 30 seconds. Because these codes live inside your device and aren’t sent over the internet or phone networks, they’re far more difficult for criminals to intercept.

Apps like Google Authenticator, Microsoft Authenticator, LastPass, and even Apple’s built-in password tools provide this functionality. Most major platforms now allow you to connect an authenticator app instead of relying on SMS.


Want Even Better Protection? Try Passkeys

If you want the most secure login method available today, look into passkeys. These are a newer, password-free login option developed by a group of leading tech companies. Instead of typing in a password or code, you unlock your account using your face, fingerprint, or device PIN.

Here’s how it works: your device stores a private key, while the website keeps the matching public key. Only when these two keys match—and you prove your identity through a biometric scan — are you allowed to log in. Because there are no codes or passwords involved, there’s nothing for hackers to steal or intercept.

Passkeys are also backed up to your cloud account, so if you lose your device, you can still regain access securely.


Multi-factor authentication is essential—but how you receive your codes matters. Avoid text messages when possible. Opt for an authenticator app, or better yet, move to passkeys where available. Taking this step could be the difference between keeping your data safe or leaving it vulnerable.

Read more »
VPN for public Wi-Fi
AI Privacy cybersecurity tips Incogni data removal Passkeys Password Manager Protect Personal Data Technology two-factor authentication VPN for public Wi-Fi

Digital Safety 101: Essential Cybersecurity Tips for Everyday Internet Users

 9to5Mac is brought to you by Incogni: a service that helps you wipe your personal data—including your phone number, address, and email—from data brokers and people-search websites. With a 30-day money-back guarantee, Incogni offers peace of mind for anyone looking to guard their privacy.


1. Use a Password Manager

The old advice to create strong, unique passwords for each website still holds true—but is only realistic if you use a password manager. Fortunately, Apple’s built-in Passwords app makes this easy, and there are many third-party options too. Use these tools to generate and save complex passwords every time you sign up for a new service.

2. Update Old Passwords

Accounts created years ago may still have weak or repeated passwords. This makes you vulnerable to credential stuffing attacks—where hackers use stolen logins from one site to access others. Prioritize updating your passwords for financial services, Apple, Google, Amazon, and any accounts that have already been compromised. To check this, enter your email on Have I Been Pwned.

3. Enable Passkeys Where Available

Passkeys are becoming the modern alternative to passwords. Instead of storing a traditional password, your device uses Face ID or Touch ID to verify your identity, and only sends confirmation of that identity to the site—never the actual password. This reduces the risk of your credentials being hacked or stolen.

4. Use Two-Factor Authentication (2FA)

2FA provides an added layer of security by requiring a rolling code each time you log in. Avoid SMS-based 2FA—it's prone to SIM-swap attacks. Instead, opt for an authenticator app like Google Authenticator or use the built-in support in Apple’s Passwords app. Set this up using the QR code provided by the service.

5. Monitor Last Login Activity

Some platforms, especially banking apps, show the date and time of your last login. Get into the habit of checking this regularly. Unexpected logins are an immediate red flag and could signal that your account has been compromised.

6. Use a VPN on Public Wi-Fi

Public Wi-Fi networks can be unsafe and vulnerable to “Man-in-the-Middle” (MitM) attacks. These involve a rogue device impersonating a Wi-Fi hotspot to intercept your internet traffic. While HTTPS reduces the risk, using a VPN is still the best protection. Choose a trusted provider that maintains a no-logs policy and undergoes third-party audits. “I use NordVPN for this reason.”

7. Don’t Share Personal Info With AI Chatbots

Conversations with AI chatbots may be stored or used as training data. Avoid typing anything sensitive, such as passwords, addresses, or identification numbers—just as you wouldn’t post them publicly online.

8. Consider Data Removal Services

Your personal information may already be listed with data brokers, exposing you to spam and scams. Manually removing this data can be tedious, but services like Incogni can automate the process and reduce your digital footprint efficiently.

9. Verify Any Request for Money

If someone asks for money—even if it looks like a friend, family member, or colleague—double-check their identity using a separate communication method.

“If they emailed you, phone them. If they phoned you, email or message them.”

Also, if you're asked to send gift cards or wire money, it's almost always a scam. Be especially cautious if you're told a bank account has changed—confirm directly before transferring funds.
Read more »
Technology
Authentication Cybersecurity Digital Identity Encryption Passkeys Passwordless Technology

Hawcx Aims to Solve Passkey Challenges with Passwordless Authentication

 


Passwords remain a staple of online security, despite their vulnerabilities. According to Verizon, nearly one-third of all reported data breaches in the past decade resulted from stolen credentials, including some of the largest cyberattacks in history.  

In response, the tech industry has championed passkeys as a superior alternative to passwords. Over 15 billion accounts now support passkey technology, with major companies such as Amazon, Apple, Google, and Microsoft driving adoption.

However, widespread adoption remains sluggish due to concerns about portability and usability. Many users find passkeys cumbersome, particularly when managing access across multiple devices.

Cybersecurity startup Hawcx is addressing these passkey limitations with its innovative authentication technology. By eliminating key storage and transmission issues, Hawcx enhances security while improving usability.

Users often struggle with passkey setup and access across devices, leading to account lockouts and costly recovery—a significant challenge for businesses. As Dan Goodin of Ars Technica highlights, while passkeys offer enhanced security, their complexity can introduce operational inefficiencies at scale.

Hawcx, founded in 2023 by Riya Shanmugam (formerly of Adobe, Google, and New Relic), along with Selva Kumaraswamy and Ravi Ramaraju, offers a platform-agnostic solution. Developers can integrate its passwordless authentication by adding just five lines of code.

Unlike traditional passkeys, Hawcx does not store or transmit private keys. Instead, it cryptographically generates private keys each time a user logs in. This method ensures compatibility with older devices that lack modern hardware for passkey support.

“We are not reinventing the wheel fundamentally in most of the processes we have built,” Shanmugam told TechCrunch.

If a user switches devices, Hawcx’s system verifies authenticity before granting access, without storing additional private keys on the new device or in the cloud. This approach differs from standard passkeys, which require syncing private keys across devices or through cloud services.

“No one is challenging beyond the foundation,” Shanmugam said. “What we are challenging is the foundation itself. We are not building on top of what passkeys as a protocol provides. We are saying this protocol comes with an insane amount of limitations for users, enterprises, and developers, and we can make it better.”

Although Hawcx has filed patents, its technology has yet to be widely deployed or independently validated—factors that could influence industry trust. However, the company recently secured $3 million in pre-seed funding from Engineering Capital and Boldcap to accelerate development and market entry.

Shanmugam revealed that Hawcx is in talks with major banks and gaming companies for pilot programs set to launch in the coming weeks. These trials, expected to run for three to six months, will help refine the technology before broader implementation. Additionally, the startup is working with cryptography experts from Stanford University to validate its approach.

“As we are rolling out passkeys, the adoption is low. It’s clear to me that as good as passkeys are and they have solved the security problem, the usability problem still remains,” Tushar Phondge, director of consumer identity at ADP, told TechCrunch.

ADP plans to pilot Hawcx’s solution to assess its effectiveness in addressing passkey-related challenges, such as device dependency and system lockups.

Looking ahead, Hawcx aims to expand its authentication platform by integrating additional security services, including document verification, live video authentication, and background checks.

Read more »
Password Hacking
Authentication Cyber Security Google security hardware vulnerabilities Passkey Security Passkeys Password Hacking

Why Passkeys Are the Future of Digital Authentication

 

Passwords have been a fundamental aspect of digital security for years, but they come with significant drawbacks. They are not only a hassle to remember but also vulnerable to various hacking techniques. Passkeys have emerged as a robust alternative, offering a more secure and user-friendly approach to account authentication. This new method utilizes your device, such as a smartphone or laptop, as an authenticator, employing either a PIN or biometric verification like fingerprint or facial recognition. 

The primary advantage of passkeys is that they eliminate the need for passwords entirely. This reduces the risk of phishing attacks, as there is no password for hackers to steal or guess. Additionally, passkeys are tied to the user’s device, making unauthorized access much more difficult. Without passwords to remember, users can enjoy a more streamlined and secure login experience. Major tech companies are already supporting the adoption of passkeys. For instance, setting up passkeys on a Google account involves visiting the Google Passkeys page and configuring the passkey with your device. Microsoft accounts can similarly be secured with Windows Hello or a PIN. Apple integrates passkeys with iCloud Keychain, making it easy for users to transition. These companies are not alone. Other platforms like Amazon, Adobe, Discord, eBay, GitHub, LinkedIn, Shopify, and WhatsApp have also embraced passkeys. 

This widespread support highlights the growing recognition of passkeys as the future of digital security. One concern with passkeys is the potential for losing access if the device is lost. Fortunately, most major tech companies allow passkeys to be synced across devices or securely stored in the cloud with end-to-end encryption. This means that users can restore their passkeys on a new device if their original one is lost. 

However, if a hardware security key is lost and not backed up, access to accounts could be permanently lost. Despite these concerns, device-based authentication is inherently secure. Modern devices are equipped with advanced security measures that make unauthorized access extremely difficult. Even if a device is stolen, the thief would need to bypass biometric or PIN verification to access sensitive information. Passkeys are stored in a Trusted Platform Module (TPM), ensuring that they are securely protected. In summary, passkeys represent a significant advancement in digital security. 

They offer a more secure, user-friendly alternative to traditional passwords, addressing many of the vulnerabilities associated with password-based authentication. As more services and devices adopt this technology, passkeys are poised to become the standard for secure online access. This shift not only enhances security but also simplifies the user experience, making it easier for individuals to protect their digital identities.
Read more »
User Privacy
Cyber Security Data Safety Passkeys Passkeys authentication User Privacy

Here's Why Passkeys is a Reliable Option to Safeguard Your Data

 

We all use way too many passwords, and they are probably not very secure. Passkeys are the next step in password technology, aiming to replace passwords with a more secure alternative.

Trouble with passwords 

For a long time, we used usernames and passwords to access websites, apps, and gadgets. A fundamental issue with passwords is that their creators are largely to blame. You have to remember the password, thus it's easy to fall into the trap of using real words or phrases. It's also fairly typical to use the same password across several websites and apps in favour of having unique passwords for each one. 

Although it is obviously not very safe, many individuals continue to use passwords like their birthday or the name of their pet. If they are successful, they can attempt it in every other place you use the same password. Using two-factor authentication and special passwords is essential as a result of this. Password managers, which produce random character strings for you and remember them for you, have been developed to solve this issue. 

Passkey vs. password: What distinguishes them 

Over time, not much has changed with regard to the login and password system. Think of passkeys as a full-fledged alternative for the outdated password system. Basically, the process you use to unlock your phone is the same one you use to sign into apps and websites. 

It is among the fundamental distinctions between passkeys and conventional passwords. All locations where Facebook is accessible accept your Facebook password. On the other hand, a passkey is bound to the machine where it was made. The passkey is far more secure than a password because you're not generating a universal password. 

The same security process can be employed to verify a QR code you scanned with your phone to log in on another device. There are no passwords used, thus nothing can be stolen or leaked. Because you must sign in with your phone in hand, you don't need to be afraid about a stranger across the nation using your password.

Device compatibility

Passkeys are still very new, but they already work with all the best phones and a majority of the best laptops. This is because the tech behemoths Microsoft, Google, Apple, and others collaborated to create them using the FIDO Alliance and W3C standards. 

Apple launched passkeys to the iPhone with the release of iOS 16 in the previous fall. Passkeys eliminates the need for a master password on its devices by using TouchID and FaceID for authentication. Here's how to set up passkeys on an iPhone, iPad, or Mac if you want to try them out for yourself. 

Your passkeys are stored and synchronised using the Google Password Manager if you have one of the top Android phones or an Android tablet. If you want to use passkeys with it, you must first enable screen lock on your Android device, as this stops people with access to your smartphone from utilising your passkeys.

In both Windows 10 and Windows 11, you can use Microsoft's Windows Hello to sign into your accounts using passkeys. Because your passkeys are linked to your Microsoft account, you may use them on any device as long as you're signed in.

Regarding your web browser, passkeys are currently supported by Chrome, Edge, Safari, and Firefox. For Chrome/Edge, you must be using version 79 or above, for Safari, version 13 or higher, and for Firefox, version 60 or higher.
Read more »
secure login
Biometric Authentication Cyber Security Digital Security encryption technology FIDO Alliance innovative authentication Passkeys password alternatives password-free future secure login

Passkeys & Passwords: Here's Everything You Need to Know

In a world tired of grappling with the complexities and vulnerabilities of traditional passwords, a transformative solution is emerging. Despite the advancements offered by the latest password managers, passwords remain a persistent pain and a significant security risk if compromised. However, a paradigm shift is underway, with innovative alternatives like passkeys gradually replacing the age-old password dilemma.

The passkeys, a cutting-edge form of encryption technology designed to streamline the login experience for devices, apps, and services. Developed by the collaborative efforts of major tech, finance, and security giants such as Apple, Google, Microsoft, and others, the FIDO Alliance aims to usher in a future where passwords become obsolete.

Diverging from conventional passwords, passkeys consist of private and public keys, intricate codes that enhance security. The private key, residing securely on the user's device, provides a foolproof means of access. On the other hand, the public key, stored on company servers, reveals minimal information, rendering it useless if stolen. The FIDO Alliance's ultimate goal is to alleviate the challenges associated with password protection and drive towards a more secure future.

Is a passkey more secure than a traditional password? 

In essence, yes. Passkeys eliminate the need for users to memorize passwords and mitigate the risk of weak passkeys being compromised. In the event of a data breach, the public keys alone are insufficient for unauthorized access. Moreover, passkeys often incorporate biometrics, such as facial recognition or fingerprints, to verify the user's identity, adding an extra layer of security.

The benefits of passkeys extend beyond security. Quick to set up and use, passkeys minimize the need for physical inputs, enabling convenient features like swipe-to-pay and secure digital wallets. Users are freed from the burden of remembering complex passwords or master passwords for password managers.

To obtain a passkey, users are prompted to set up a Personal Identification Number (PIN) or utilize biometric information, such as fingerprints or facial recognition. While passkeys offer significant benefits, they are not yet universal. Companies within the FIDO Alliance, such as PayPal, Google, and Microsoft, are more likely to adopt passkey technology, but widespread acceptance is still in its nascent stages.

Despite the advantages of passkeys, traditional passwords endure due to their simplicity, universality, and cost-effectiveness. Passwords do not require the intricate tech infrastructure needed by passkeys, making them a more affordable option for businesses. Moreover, passwords are universally understood and can be used across different devices and browsers.

While passkeys are revolutionizing cybersecurity, they are not replacing password managers. Notable password managers like LastPass and Dashlane, also part of the FIDO Alliance, leverage WebAuthn technology to secure passwords and other essential security information.

Overall, passkeys represent a promising future for enhanced cybersecurity, addressing the shortcomings of traditional passwords. As this groundbreaking technology gains wider acceptance, users are encouraged to embrace passkeys for heightened security and convenience in their digital interactions. The era of password-free security is on the horizon, and passkeys are leading the way.
Read more »
WebAuthn standard
authentication methods Biometric data Cyber Security Identity verification login success rate Online Authentication Online Security Passkeys password strength Passwords user-friendly WebAuthn standard

Passkeys vs Passwords: The Future of Online Authentication

 

In the realm of online security, a shift is underway as passkeys gain traction among tech giants like Apple, Google, Microsoft, and Amazon. 

These innovative authentication methods offer a more seamless login experience and bolster cybersecurity against threats like malware and phishing. However, traditional passwords still hold their ground, allowing users to retain control over their security preferences.

A password is a unique combination of characters, including upper and lower case letters, numbers, and symbols, used to verify a user's identity. While originally designed to be memorized or manually recorded, they can now be securely stored online with tools like NordPass.

Passkeys, the technologically advanced successors to passwords, rely on PINs, swipe patterns, or biometric data (such as fingerprints or facial scans) for identity verification. They leverage the WebAuthn standard for public-key cryptography, generating a unique key pair on user devices, making them impervious to theft or forgetfulness.

Passkey vs Password: Security Comparison

Passkeys and passwords vary fundamentally in design, approach, and effectiveness in securing accounts. Here are some key distinctions:

Cybersecurity:

Passwords are susceptible to hacking, especially those with fewer than 10 characters. Passkeys, on the other hand, utilize biometric data and cryptographic methods, drastically reducing vulnerability. Only with access to the user's authenticator device and biometric information can a passkey be breached.

Convenience:

Creating, recalling, and managing complex passwords can be arduous and time-consuming, leading to 'password fatigue.' Passkeys, once set up, facilitate quick and seamless authentication, eliminating the need to remember multiple passwords.

Login Success Rate:

Passkeys have a significantly higher success rate compared to passwords. Recent data from Google revealed that while passwords succeed only 13.8% of the time, passkeys boasted a success rate of 63.8%.

Popularity:

Although passkeys are gaining traction, they are not yet universally supported. Familiarity with passwords and concerns over passkey error handling and biometric privacy contribute to their slower adoption.

The Evolution of Authentication

While passkeys represent a significant leap forward in security and user-friendliness, the demise of passwords is a gradual process. The established dominance of passwords, spanning over half a century, requires a patient transition. Behavioral habits and the need for technological refinement play pivotal roles in this shift.

Presently, passkey usage is seldom mandatory, allowing users to choose their preferred verification method. For sites exclusively supporting passwords, outsourcing password management is advisable, with various free tools available to assess password strength.

In conclusion, the future of online authentication is evolving towards passkeys, offering a more secure and user-friendly experience. However, the transition from passwords will be a gradual one, shaped by technological advancements and user behavior.
Read more »
User Security
Cyber Security Data Safety Passkeys Password Management User Security

Here's Why Passkeys is a Good Option to Safeguard Your Data

 

The future belongs to passkeys. Even though you may not be using them yet, the time is quickly approaching when we won't need to create or remember passwords and will only need to use our username and biometrics to log in. 

However, it's evident from recent discussions with people outside of the tech sector that most customers don't even comprehend passkeys, much less trust them to safeguard their sensitive information and identities.

A passkey, in its simplest form, is an encrypted identity system that is localised and frequently employs biometrics for authentication. When you log in again, the system that you created the passkey for will read your shared user ID and request authentication (the passkey). The biometric security system you now have on your computer or phone can then be used for authentication. This might be an iris scan, facial recognition, or fingerprint. 

The system you are login into or yours does not ask for a password at any point during this process. To put it more tactically, let's say you go to Gmail and type in your user ID. After the mail platform accepts the ID, it issues a challenge that your passkey must locally answer in order to return a signature. The system can now request the biometric authentication that you previously configured on your laptop or phone. This page explains how passkey registrations and logins work. 

All I've explained takes place in a matter of seconds and doesn't require you to remember your login information or even have access to a password manager. 

Passkeys are powered by cryptographic wizardry that is concealed and never forces you to think about it, even if the backend system that manages all of this is quite complex and much beyond the comprehension of most users.

It's interesting to note that some customers still don't trust this level of protection since they think their phones could be stolen and used to access their accounts. This is untrue since the perpetrator would still want your fingers, face, or eyes. Yes, there is always the awful chance that someone will steal those pieces, but it is a very slim one. 

In the IT sector, there is a general consensus that passwords constitute a weak security system. One strong master password may not be the only password manager that puts you at risk. It's possible that those passwords are no longer secure after some of them have been hacked. Additionally, you are once again at risk if the password that secures the system is compromised.

Clearly, it's not just customers. Industries, institutions, and industries are suffering as a result of frequent ransomware attacks. Many of them begin with social engineering emails and then move on to other things like installing keystroke sniffing software, which allows them to track users as they input their passwords and IDs. But what if you never input a password? The ransomware attack could be thwarted before it starts. There is no other logical solution except a passwordless system.
Read more »
WhatsApp security features
Biometric Authentication cryptographic keys Cyber Security Passkey Security Passkeys Passkeys authentication WhasApp WhatsApp security features

WhatsApp Announces Passkey Support for its Users


The modern digital landscape is witnessing an upsurge in cybercrime activities, and users can no longer rely on strong passwords to protect themselves. 

Thankfully, even on the best low-cost Android phones, biometric authentication is becoming mainstream and easily accessible. This has led to the adoption of passkeys for user authentication by a number of well-known social networking platforms and password manager apps. WhatsApp is the newest application to offer passkey support for all of its users after a month of beta testing. 

Passkeys replace conventional passwords with a unique cryptographic key pair, such that only the users can log in. Only after a successful biometric authentication, the key is made accessible to the respective users, negating the requirement for two-factor authentication techniques like OTP distribution through SMS and email. Passkeys shield users from the risks associated with password reuse and phishing attacks. Google disclosed the new technology supports more rapid user authentication after revealing support for passkey storage in its password manager.  

WhatsApp’s effort in adopting passkey technology came to light in early August. Also, beta testing on the same commenced in late September. 

Now, around a month later, WhatsApp announced support for passkeys was coming in the stable channel on X (formerly Twitter). The feature makes the login process significantly more secure by taking the place of the one-time password (OTP) sent via SMS. The app enables users to authenticate themselves using screen lock options, including their on-device fingerprint, face unlock, PIN, or swipe pattern. In the meantime, Google Password Manager automatically stores the cryptographic key. 

The login system, with no password requirement, turns out to be quite time-efficient for users when they are setting up WhatsApp on a new phone. Commendable enough, WhatsApp is also explaining to online users how passkeys work, in order to secure their accounts.  

Moreover, it is important for users to see the difference between passkeys for logging into WhatsApp and in-app features like WhatsApp chat lock, which still requires biometric authentication. Importantly, passkeys and passwords for traditional user authentication will both be available on WhatsApp.

However, WhatsApp has not yet clarified whether the feature will be made immediately accessible everywhere. Nonetheless, Passkey support, like every other major WhatsApp feature, is anticipated to be implemented gradually in the stable channel. But it is still great to see WhatsApp reiterate its dedication to user security and privacy with features like this.  

Read more »
Password Security
Cyber Security data security FIDO Passkeys Password Security

Passkeys: Your Safe Vault for Data Security


Passwords need to be fixed. They're difficult to remember and simple to guess, and protecting them from threat actors is a hassle. To take care of this issue, the Fast Identity Online Alliance (FIDO) created passkeys, a type of passwordless authentication tech. Passkeys take out the need to enter your email address or secret key into login handles around the web, making it harder for threat actors to take your credentials and get into your data.

What is a Passkey?

A passkey is a way of signing in to applications and sites without using a username and secret word mix. It's a couple of cryptography keys created by your gadget. Public and confidential keys squeeze to make a passkey that opens your record. Applications or sites store your unique public key. Your confidential key is just put away on your device, and after your device authenticates your identity, the two keys join to allow you to log in to your record.

Advantages of Passkeys

Passkeys have a lot of advantages; for instance, they can't be assumed or shared. Passkeys are safe from phishing attempts since they're unknown to the destinations they're made for, so they won't chip away at fake carbon copy locations. In particular, if your info is ever leaked, your passkeys can't be taken by hacking into an organization's server or data set, making the information taken out in such hacks less important to threat actors

The most effective method to Get Passkeys

Passkeys are one of a kind to each application or site and are put away in a secret phrase director's vault or your device’s keychain. Normally, the device or programming producing the passkeys uses a biometric verification instrument, like FaceID or TouchID, to confirm your identity. On the off chance that a secret hint is the passkey source, you can sign in to the application using areas of strength for a secret word rather than biometric verification.

Passkeys: Where can we use them?

Many websites, including Best Buy, eBay, Google, Kayak, and PayPal, support passkeys. 1Password, a password management company, has a community site where users may report websites that allow passkey logins. Some of the sites on that list still require a standard username and password for initial account creation and logins, such as Adobe.com, but you can set up a passkey to use for future logins by accessing the Settings menu.


Read more »
Unauthorized access
Cyber Security Google MFA Passkeys Password Theft Security threats Unauthorized access

The Challenges with Passkeys: Addressing Limitations

Passkeys have become a popular method for authentication, offering an alternative to traditional passwords. However, despite their advantages, there are several key issues that need to be addressed. This article explores the problems associated with passkeys and the need for further improvements in authentication methods.

Passkeys, often referred to as passwordless authentication, aim to provide a more convenient and secure way to access accounts and devices. Unlike passwords, which can be forgotten, stolen, or easily guessed, passkeys utilize unique characteristics of the user's device, such as biometrics or hardware-based keys, to grant access.

One of the primary concerns with passkeys is their reliance on specific devices or platforms. For instance, a passkey that works on an Android device might not be compatible with an iOS device or a different operating system. This lack of cross-platform compatibility limits the usability and convenience of passkeys, as users may need multiple passkeys for different devices or services.

Additionally, passkeys are vulnerable to potential security risks. While they eliminate the need for passwords, which are often weak and prone to hacking, passkeys are not immune to threats. If a passkey is compromised, it could lead to unauthorized access to the associated account or device. Furthermore, if the passkey is stored insecurely, such as in the cloud or on an easily accessible device, it could be accessed by malicious actors.

Another challenge is the adoption and support of passkeys across various platforms and services. Although major tech companies like Google have introduced passkey support, it requires widespread adoption from service providers and developers to offer a seamless experience for users. If passkey support remains limited, users may still need to rely on traditional password-based authentication methods.

To address these issues, further advancements in passkey technology and authentication methods are necessary. First and foremost, there should be greater collaboration between tech companies and service providers to establish standardized protocols for passkey implementation. This would enable interoperability across different platforms, making passkeys more accessible and user-friendly.

Enhancing the security of passkeys is also critical. Additional layers of protection, such as multi-factor authentication, can be integrated with passkeys to add an extra level of security. This could include biometric verification, device attestation, or behavioral analysis to ensure the legitimacy of the user.

Furthermore, educating users about the importance of passkey security and best practices is crucial. Users need to understand the risks associated with passkeys and be encouraged to store them securely, preferably using hardware-based solutions or secure vaults.

Read more »
User Privacy
Cyber Security Online Safety Passkeys Password Password Manager User Privacy

Passkeys: A Modern Solution For All Your Password Troubles

 

We all use far too many passwords, and they're probably not all that secure. Passkeys are the next development in password technology and are intended to replace passwords with a more secure approach. 

Password troubles 

For a very long time, we have used usernames and passwords to sign in to websites, apps, and gadgets. 

A serious issue with passwords is that nearly entirely their creators are to fault. You must remember the password, thus it's easy to fall into the trap of using real words or phrases. It's also fairly typical to use the same password across several websites and apps in favour of having unique passwords for each one. 

Although it is obviously not very safe, many individuals continue to use passwords like their birthdate or the name of their pet. If they are successful, they can attempt it in every other place you use the same password. Using two-factor authentication and special passwords is essential as a result of this. Password managers, which produce random character strings for you and remember them for you, have been developed to solve this issue. 

Passkey vs. password: What distinguishes them

Over time, not much has changed with regard to the login and password system. Think of passkeys as a full-fledged alternative for the outdated password system. Basically, the process you use to unlock your phone is the same one you use to sign into apps and websites. 

It is among the fundamental distinctions between passkeys and conventional passwords. All locations where Facebook is accessible accept your Facebook password. On the other hand, a passkey is bound to the machine where it was made. The passkey is far more secure than a password because you're not generating a universal password. 

The same security process can be used to verify a QR code you scanned with your phone to log in on another device. There are no passwords used, thus nothing can be stolen or leaked. Because you must sign in with your phone in hand, you don't need to be afraid about a stranger across the nation using your password. 

Device compatibility 

Passkeys are still very new, but they already work with all the best phones and a majority of the best laptops. This is because the tech behemoths Microsoft, Google, Apple, and others collaborated to create them using the FIDO Alliance and W3C standards. 

Apple introduced passkeys to the iPhone with the release of iOS 16 in the previous fall. Passkeys eliminates the need for a master password on its devices by using TouchID and FaceID for authentication. Here's how to set up passkeys on an iPhone, iPad, or Mac if you want to try them out for yourself.

Your passkeys are stored and synchronised using the Google Password Manager if you have one of the top Android phones or an Android tablet. If you want to use passkeys with it, you must first enable screen lock on your Android device, as this stops people with access to your smartphone from utilising your passkeys. 

In both Windows 10 and Windows 11, you can use Microsoft's Windows Hello to sign into your accounts using passkeys. Because your passkeys are linked to your Microsoft account, you may use them on any device as long as you're signed in.

Regarding your web browser, passkeys are currently supported by Chrome, Edge, Safari, and Firefox. For Chrome/Edge, you must be using version 79 or above, for Safari, version 13 or higher, and for Firefox, version 60 or higher.
Read more »
WebAuthn
Cyber Security data security Passkeys Password User Privacy WebAuthn

Goodbye, Passwords; Here is What Will Happen Next

 

We all have way too many passwords, and they probably are not nearly as secure as we believe. Passkeys are the next step in the evolution of passwords and aim to make passwords obsolete in favour of a more secure system. 

Password issues

We have been logging into websites, apps, and devices using usernames and passwords for a very long time. The idea is straightforward: You choose a username — often just your email address — and pair it with a special password that (ideally) only you know. 

Passwords pose a significant problem, and almost exclusively their creators are to blame. It's simple to fall into the trap of using real words or phrases because you have to remember the password. Instead of using different passwords for each website or app, it's also very common to use the same password in multiple places. 

Using your birthdate or the name of your pet as a password is obviously not very secure, but many people still do it. Then, if they succeed, they can try it in all the other places you used the same password. Because of this, it is critical to use two-factor authentication and unique passwords. This problem has been addressed by password managers, which generate random strings of characters for you and remember them for you. Although that is an improvement over creating your own plain language passwords, there is still room for growth. bring up passkeys. 

Difference between a passkey and a password

The username and password system hasn't changed much over the years. Consider passkeys to be a complete replacement for the antiquated password system. To sign into apps and websites, you basically use the same method you use to unlock your phone. 

That is one of the most significant differences between traditional passwords and passkeys. Your Facebook password is valid everywhere Facebook is accessible. A passkey, on the other hand, is tied to the device on which it was created. Because you're not creating a password that can be used anywhere, the passkey is much more secure. 

You can use the same security procedure to authenticate a QR code scanned from your phone to sign in on another device. Nothing can be leaked or stolen because there are no passwords used. You don't need to be concerned about a stranger across the country using your password because you must sign in with your phone in hand. 

Passkeys are an industry standard that is based on WebAuthn. Apple, Google, and Microsoft have joined the FIDO Alliance to work on eliminating passwords for authentication. Passkeys are the way of the future. 

 Should You Use Passkeys? 

Passkey usage is only now beginning to become more common as of the time of this writing. As previously mentioned, passkeys are supported by Apple, Google, and Microsoft. In addition, 1Password, Dashlane, PayPal, eBay, Best Buy, Kayak, and GoDaddy support them. Support is continually being added by more businesses. 

But the situation is more complex than that. You also need a browser that is compatible with websites. You'll need to use Apple Safari or Google Chrome to create a passkey for Best Buy.

You also need a password manager and an operating system that are both compatible. That is Keychain in the Apple universe. It is Password Manager or a third-party app for Google. Windows Hello is Microsoft's. 

As you can see, there are a number of layers of compatibility required, but passkey adoption is still in its infancy. You do not need to worry about any of that as a user. If a service supports the feature and you are using a compatible device, the service will ask you if you'd like to create a passkey. 

It's simple to decide to try using a passkey if you have the option. It is not only much simpler to use, but also more secure. It is more convenient to scan your fingerprint or use your Face ID to log into a website than it is to type cumbersome passwords. A passwordless future is here.
Read more »
Subscribe to: Comments (Atom)