Passkeys: The Password-Free Login Method That Boosts Security
Passkeys: A Secure, Password-Free Login Method Explained

What is a passkey and why is it better than a password?

The UK’s National Cyber Security Centre (NCSC) has declared that passwords are no longer sufficient for modern digital security. Instead, they recommend using passkeys wherever possible. This new login method for apps and websites, stored on users’ devices, provides stronger security and is resistant to phishing and data breaches.

What is a passkey?

Security officials describe a passkey as a “digital stamp”, stored on your device, that allows you to sign in to apps and websites. Unlike a password, it cannot be stolen in a phishing attack. To log in, your smartphone or other device confirms your identity using a biometric method such as facial recognition, or your phone’s PIN. This unlocks the passkey, which then verifies your identity to the app or website. Each account has a unique passkey. Even if a service using passkeys is breached, the attacker gains nothing because the device holds the private key needed for login. Passkeys can also be synced across devices.
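For readers who want to see the mechanism, the following Node.js sketch is an added illustration, not part of the original article and not NCSC code. It models the signature check behind a passkey sign-in using the WebAuthn assertion layout, and shows why a lookalike site, a replayed login and a leaked server record all fail; the function names, domain names and the simplified browser-side site check are assumptions made for the example.

```javascript
const crypto = require('node:crypto');
const sha256 = (b) => crypto.createHash('sha256').update(b).digest();

// Device: the private key stays here; only publicKey is registered with the service.
function createPasskey(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { rpId, publicKey, privateKey };
}

// Device: the browser supplies the origin it is really on (simplified rpId scoping).
function signIn(passkey, challenge, browserOrigin) {
  const host = new URL(browserOrigin).hostname;
  if (host !== passkey.rpId && !host.endsWith('.' + passkey.rpId)) return null;
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin: browserOrigin }));
  // authenticatorData = rpIdHash (32 bytes) | flags (UP|UV = 0x05) | signCount (4 bytes)
  const authData = Buffer.concat([sha256(passkey.rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: crypto.sign('sha256', signed, passkey.privateKey) };
}

// Service: holds only the public key and the challenge it issued for this login.
function verifyAssertion(a, publicKey, expected) {
  if (!a) return false; // device had no passkey for that site
  const c = JSON.parse(a.clientDataJSON.toString());
  if (c.type !== 'webauthn.get') return false;
  if (c.challenge !== expected.challenge.toString('base64url')) return false; // stale or replayed
  if (c.origin !== expected.origin) return false; // signed on a different site
  if (!a.authData.subarray(0, 32).equals(sha256(expected.rpId))) return false;
  if ((a.authData[32] & 0x05) !== 0x05) return false; // user present and verified
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature);
}

// Constructed scenario: example.com and the lookalike host are made-up names.
function demo() {
  const rp = { rpId: 'example.com', origin: 'https://login.example.com' };
  const passkey = createPasskey(rp.rpId);
  const stored = passkey.publicKey; // everything the service keeps
  const ch1 = crypto.randomBytes(32), ch2 = crypto.randomBytes(32);
  const good = signIn(passkey, ch1, rp.origin);
  const lookalike = signIn(passkey, ch1, 'https://example.com.login.test');
  const otherKey = signIn(createPasskey(rp.rpId), ch1, rp.origin); // no access to the user's device
  const check = (a, challenge) => verifyAssertion(a, stored, { ...rp, challenge });
  return { legit: check(good, ch1), lookalikeSite: check(lookalike, ch1),
           replay: check(good, ch2), leakedPublicKeyOnly: check(otherKey, ch1) };
}
console.log(demo());
```

Only the first result is true: the service accepts a sign-in solely when the user's own device signs the fresh challenge for the genuine site.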

How do you set up a passkey?

The NCSC advises going to the account security or privacy settings on apps and websites you already use, or looking for prompts from services offering passkey upgrades. You may also set one up when creating a new account. Google reports that just over 50% of its UK users have a passkey registered.

Why are passkeys beneficial?

Passkeys eliminate the risks associated with passwords, which can be stolen via phishing emails or found on the dark web. Last year, researchers at Cybernews discovered billions of login credentials in datasets, highlighting the need for stronger security measures. Dave Chismon, a senior tech expert at the NCSC, stated: “Passwords have never been a perfect solution because we need to keep adding things to try and make them more secure. Yet, they are still phishable and the extra security involved makes users’ lives harder. Whilst the technology is complex, for a user passkeys are quicker and simpler than remembering a password or going through two-factor authentication.”

Is facial recognition vulnerable?

Bypassing biometric checks on a device is difficult. Alan Woodward, a professor of cybersecurity at Surrey University, explains that facial recognition has improved significantly. “It’s not just the recognition algorithms that have become better but devices now include ‘proof of liveness’ to stop images being used. As with all cybersecurity, it’s a game of whack-a-mole. Hackers’ ploys improve, and the countermeasures also improve.” However, there could be an issue if someone knows your phone PIN. Experts recommend keeping your PIN private, even from family members.

What other precautions should people follow?

A major threat to personal cybersecurity is user behaviour. Chismon notes: “Most attacks against individuals still happen because of a lack of basic cyber-hygiene – getting the fundamentals right really does work.” Recommendations include using passkeys or, if using passwords, enabling two-factor authentication. Always use strong passwords, especially a strong and separate one for your email account. Use a password manager to create and store passwords securely. Regularly update apps and operating software. Avoid phishing attacks by not clicking on suspicious emails, links, or attachments. The most common passwords globally, such as “123456”, “admin”, and “password”, are a godsend for hackers. If you use such passwords, passkeys are definitely for you.
