The Rise of Passkeys: A Paradigm Shift in Authentication Technology

May 15, 2023

Be sure you, and your IT team, know about passkeys. Passkeys are the future, and the future is arriving now.

Passkey authentication can be configured to be very secure based on four conditions:

  1. You must have your mobile device with you. (An attacker is unlikely to have the device with them.)
  2. You must be able to log in to your mobile device using facial recognition, a fingerprint, PIN, pattern, USB token, etc. Some people call passkeys a “Face” or “Fingerprint” sign-in.
  3. Your device must have a unique key assigned to you that ties to a unique key at the site or application.
  4. If you log into a site or application from a computer, the mobile device must be physically close to the computer where you’re logging in.

Passkeys are new, and there is varying support for specific browsers, operating systems, and devices.

Tips for Using Passkeys:

  1. Start setting passkeys up on your mobile device, such as a smartphone, before you use your computer.
  2. If the website or application does not allow you to set up a passkey on your computer:
    • Look for and select an option on the computer that says, “Use a passkey to log in.” Your computer will display a QR code image.
    • Use your phone’s camera to scan the QR code image displayed on your computer.
    • After scanning the QR code, your phone completes the passkey login process.
  3. It’s essential to confirm that passkeys work on all devices and browsers before disabling the old login method for each website or application. This way, you can avoid problems accessing your account if the passkey login method doesn’t work on some of your devices or browsers.

As the adoption is just starting, you might discover limitations or frustrations, but they’ll disappear soon. Some people have great luck experimenting with setting up their first passkey at best buy dot com even if they don’t shop there.

Apple uses the Apple Keychain to store a passkey that should work on all your Apple devices after enrolling one. Google uses the Google Password Manager in the Chrome browser and Android. Microsoft uses Microsoft Hello. Some password managers can also store passkeys.

Mobile device backups and some password managers are designed to back up the passkeys in case you lose your phone. If you do lose your phone, it is a good idea to go to the apps and sites to set up a new key and disable your old key. One concern is that, if an attacker can access your backups or the passkey manager and obtain a key from there, they might find a way to bypass passkey protection. But that doesn’t necessarily make passkeys less secure than other authentication methods; they may well be the best protection available when implemented properly since they offer so many benefits:

  1. Users cannot be tricked into giving away passkey values they do not know in social engineering and phishing attacks.
  2. Since each passkey is a unique key pair for one site or application, users cannot reuse the same credential across sites, another user mistake that leads to compromised passwords.
  3. Keyloggers cannot capture passwords since users never type a passkey.

Your IT team might choose to eliminate your existing multi-factor authentication (MFA) process since using passkeys involves multiple factors already. Unlike SMS text messages, passkeys cannot be redirected to attackers. Passkeys are also immune to MFA fatigue, which is addressed here: https://fosterinstitute.com/mfa-fatigue-the-hidden-danger-and-how-to-combat-it/

Please forward this to your friends so they can explore eliminating passwords and eventually start adopting passkeys as Passkey support expands.

Prepare yourself for what would happen if an attacker steals a phone containing passkeys: https://fosterinstitute.com/the-risk-iphone-theft-poses-to-your-passkeys-and-what-to-do-now/

Technical Details – If You are Interested

You do not need to know this to use passkeys. But if you wonder how these keys can be so secure, read on.

Passkeys are much more secure because passkeys come in key pairs. When you use one key of the pair to lock something, you must use the paired key to unlock it. Only the paired key can unlock what the first key locked.

So for each site or application you set up to use a passkey, your mobile device generates a pair of keys:
– A unique private key for that site or application, stored only on your device.
– A paired key (the public key) that your device sends to the site or application, which stores it for your account alone.

If you have a passkey set up for 100 sites or applications, your device will store 100 keys. Sites that have 100 million users will have 100 million keys. Each key is half of a pair. The private key must be kept secret on your device to be secure. Even if attackers access all the keys for a site or application, your account is still protected since they won’t have the second key stored solely on your device.

If you want to get more technical and understand why passkeys are so resistant to person-in-the-middle attacks: Websites that start with https:// and most web applications use PKI encryption to protect data during transit. SSL (deprecated) and TLS (use the newest version) protocols use public-private key pairs to initiate a multi-step process to secure traffic to websites or web applications. Attackers can use person-in-the-middle attacks to defeat that encryption. They generate key pairs to make the user’s connection think the attacker is the website and make the website believe the attacker is the user’s connection. Bad actors insert themselves between the user and the website and can access the data as it goes through their connection.

When a user creates a passkey, the user’s device generates a key pair. It stores the secret key locally on the device and sends the paired key to the site or application for passkey authentication. The site or web application stores a unique key for each passkey a user generates. During login the secret key never leaves the user’s device: the device only proves that it holds the key, it never transmits the key itself, so nothing that crosses the wire can be captured and reused by someone sitting in the middle. Hence, passkeys are extremely resistant to person-in-the-middle attacks.

Where supported, consider using passkeys. Hopefully they’ll be the common standard soon.

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/