Eliminate passwords with Passkeys


Secure passwords are good, passkeys are better. No matter how secure your password is, it can be stolen and, given enough time, cracked. Passkeys replace password login with a key exchange from smartphone to PC. This means hackers no longer have a chance.

FIDO: Google, Apple and Microsoft want to abolish passwords

Passwords are internationally used as a standard for logging into websites, apps and much more. Only those who know the username and password can gain access. But in order to have a separate, secure password for each site, users need password managers on all their devices. This is too complicated for many, so they usually use the same, often insecure passwords on all sites. This makes it easy for cybercriminals to exploit them. And even secure, individual passwords are not perfect protection, as hackers steal them or crack them using brute force attacks. Until now, however, there was no easy alternative. Google, Microsoft, Apple and many other companies are now changing this: FIDO passkeys are intended to make logging in easier and more secure!

Passkeys available on many sites

Almost all major websites now offer login via passkeys. Recently, for example, Microsoft made passwordless login possible for private Microsoft accounts. The software giant is in good company, as passkeys also work with the following providers:

  • Google: Passkeys can be used for Google services and when using the Google third-party login.
  • Apple: The same applies to Apple services and the Apple login.
  • PayPal
  • Nintendo
  • Enpass
  • 1Password
  • WhatsApp
  • eBay
  • Roblox
  • Shopify
  • GitHub
  • DocuSign

What is FIDO?

FIDO is an alliance of hundreds of companies worldwide that has developed a more secure login process and wants to spread it as an alternative to passwords. Well-known members include Google, Apple and Microsoft, as well as PayPal, Visa, Mastercard, Amazon, Samsung and many more. The FIDO login process uses standard encryption methods in a user-friendly way to enable secure logins. The user only tells a website or app that he wants to log in and confirms this on his smartphone. A password is not required.

How do FIDO passkeys work?

To use FIDO, the service you want to log in to must support it. Other providers have used similar procedures before, but these usually required an authenticator app. This is no longer necessary, as Google, Microsoft and Apple have built FIDO support into their operating systems. The user registers with a service as before and enters all the necessary data. Instead of a password, the site generates a key pair for public key authentication. The public key is stored on the server; the private key is stored only with the user – either in a corresponding app or directly in the operating system. If the user wants to log in later, the website or app sends a corresponding request for the private key. The user sees this only as a confirmation prompt on their smartphone. They confirm it with a fingerprint, PIN or Face ID; everything else is handled by the operating system in the background.

What advantages does FIDO have for users?

  • The user no longer needs to think up and remember passwords.
  • Passwords can no longer be stolen – neither from the user nor from the provider, as both keys are always required for a login. If a hacker steals the public key on a website, he is missing the private counterpart. This cannot be generated from the public key either. If criminals manage to steal a user’s private keys, they first have to recognize them as such – the keys are cryptic character strings – and then still don’t know which websites they are for. In addition, they are missing the associated smartphone.
  • The keys are automatically secure and cannot be guessed.
  • Logging in is now easier: just confirm on your smartphone and you’re done, no more searching for your password, no “forgotten password” function, no confirmation by email.
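
The registration and login flow described under "How do FIDO passkeys work?", together with the point that a stolen public key is useless on its own, as an added example that is not part of the original article: the login request is a random challenge that the private key signs, and the server checks the signature with the stored public key, so the private key is never transmitted. The names register, startLogin, deviceSign, finishLogin and the in-memory serverDb are assumptions for illustration; real passkeys go through the WebAuthn API, which carries more fields than shown here.

```javascript
const crypto = require('node:crypto');

// Constructed in-memory account store standing in for the website's database.
const serverDb = new Map();

// Registration: a key pair is created; the server keeps only the public key.
function register(username) {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  serverDb.set(username, { publicKey, pending: null });
  return { privateKey }; // stays with the user, never sent to the server
}

// Login, step 1: the server issues a fresh random challenge.
function startLogin(username) {
  const challenge = crypto.randomBytes(32);
  serverDb.get(username).pending = challenge;
  return challenge;
}

// Login, step 2: after the user confirms, the device signs the challenge.
function deviceSign(device, challenge) {
  return crypto.sign('sha256', challenge, device.privateKey);
}

// Login, step 3: the server checks the signature with the stored public key.
// The challenge is single-use, so a captured signature cannot be replayed.
function finishLogin(username, signature) {
  const account = serverDb.get(username);
  if (!account || !account.pending) return false;
  const challenge = account.pending;
  account.pending = null;
  return crypto.verify('sha256', challenge, account.publicKey, signature);
}

function demo() {
  const device = register('alice');
  const signature = deviceSign(device, startLogin('alice'));
  const ok = finishLogin('alice', signature);
  startLogin('alice'); // new login attempt, new challenge
  const replay = finishLogin('alice', signature); // old signature resent
  // Someone holding only a copy of the public key has to sign with another key.
  const other = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const forged = finishLogin('alice', deviceSign(other, startLogin('alice')));
  return { ok, replay, forged };
}

console.log(demo());
```

Only the first attempt is accepted: the resent signature fails against the new challenge, and a signature made with any other key fails against the stored public key.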

Do passkeys work across devices?

Anyone who has logged in to a website on their work Mac will of course want to be able to continue doing so on their private Android smartphone. The FIDO keys are therefore saved in your Google, Microsoft or Apple account and, if necessary, the operating system creates a copy of the key in order to transfer it to the other operating system ecosystems. When switching between ecosystems, additional confirmation may therefore be necessary. The rest works automatically. It should even be possible for you to log in to a website on a friend’s PC; your smartphone will be automatically recognized via Bluetooth and you only have to confirm.

Will existing registrations be transferred?

Providers that support FIDO will create options for converting existing accounts to FIDO. How exactly this works and whether this also replaces the insecure password depends on the provider.

What happens if the smartphone is lost?

Since the passkeys are stored in the user accounts of Apple, Microsoft and Google, they can be restored if the smartphone is stolen or damaged, so you don’t have to worry about being locked out of your accounts at some point.

Passkeys in password managers

Many password managers – such as test winner NordPass – now also offer to store your passkeys in addition to passwords. This gives you additional protection if your smartphone is ever lost.

How to switch

If you want to switch to passkey login with an online account, first activate the passkey function there. You can find this in the account settings of the respective service. Follow the instructions to set up the passkeys. You can then log in with passkeys, but also still with the password. This means that no additional security has been gained. Nevertheless, try it out for a few days on all your devices to make sure that everything works. If this is the case, delete your password from the user account. This also works in the account settings. Microsoft, for example, offers instructions for removing the password from the Microsoft account. Only then will it be significantly more secure.
