I’ve been struggling to get my head around the idea that a passkey, which can be a pin on your phone, or facial recognition, can be safer than using a complicated password and two-factor authentication.
I get that having something unique to your device, not stored on a company’s server, is unphishable and less hackable by cybercrims, but what if your phone is nicked and someone guesses the password? And what if you lose your phone?
Sorry if that sounds simplistic, but I am genuinely stumped to understand why the UK’s National Cyber Security Centre and others who know about these things are so sold on passkeys. Can anyone who’s used them enlighten me? Martin Avis, Chester
Send new questions to [email protected].
Readers reply
The question is legit and deserves a proper answer. First, passkeys are safer than passwords simply because login using a password is vulnerable to a hacker anywhere in the entire world, while a physical passkey is vulnerable only to a hacker who can steal your phone (as the crypto used by a passkey is out of reach of hacking by anyone but state actors – and they don’t need to hack your bank account). Second, when someone steals your phone, you tend to notice very quickly and can cancel (revoke) your passkey on your accounts; if your password login is hacked, you may not notice for a long time. No security system is perfect, but passkeys are still a good step up compared to a password. wyldfam
Passkeys are good, strong protection – much better than passwords. Create a 10-digit pin on your phone from random numbers and remember it so it’s second nature. On an iPhone, turn on “Stolen Device Protection”. [On Android, it’s Identity Check.] And if you’re really serious about security, enable iOS’s “Lockdown Mode” [or Android’s “Advanced Protection Mode”]. That’s my opinion. TechGirl
Passwords are built on an inherent weakness known as a “shared secret”. That is, your password must be “shared” between you and the website you’re accessing. This is so your password can be sent to the website and verified when you login. The problem with this is that if a server is hacked and your data is stolen, your password can be lifted from the hacked data and reused by the hacker without your knowledge.
Passkeys don’t have this weakness. A passkey is (very simply) a really complex value that’s used as a start for a mathematical calculation, the result of which is sent to the website. This mathematical result is then verified to have come from only your passkey using a totally different complex value. The beauty is that your passkey is never sent to the website (only the result is), so if the website is hacked, your passkey can’t be stolen and can’t be reused. Passkeys are stored in your phone, laptop or password manager and unlocked using a simple pin or biometrics, so they’re super easy to use, while still maintaining that highly secure underlying technology. There are more benefits to using passkeys, though being easy to use and “unphishable” are the most obvious ones. If given the choice, pick passkey every time. gh05ted
I really can’t understand these answers. I tend not to use things I don’t understand. My passwords are partly written on a piece of paper. The accounts they refer to are on a separate piece in a different place written in a way only I could make much sense of. I do use two-factor authentication where required or available. I don’t use a password manager. Good luck if you can hack that. I’m very suspicious of all this. I suspect it is software companies trying to sell stuff we don’t need and making things more complicated than they need to be. dannytheclown
The whole subject seems very confusing. My initial understanding of passkeys, after Microsoft suggested their use on my PC, was that they were simply supposed to be a convenience, because they were easier to enter than passwords. Recent publicity now indicates that they should be more secure because they are tied to hardware and cannot be used remotely by hackers. On the other hand, you may be able to sync them between devices, which seems to introduce possible vulnerabilities.
Between fingerprints, pins, passwords, passkeys, password managers, two-factor authentication via apps or text messages – not to mention Google, Apple or Windows offering to save and enter your passwords (and passkeys?) automatically – getting security right is a minefield for Joe (or Joanna) Bloggs. Getting access to your system again if it crashes and you have forgotten key passwords after years of letting it log on itself is also a severe risk. GordonLiv
I’ve resisted using a passkey because it is tied to a single device. What happens if I want to access my bank account and I’m away from my desktop? Then I need to have passkeys on my laptop and maybe on my phone as well. In the latter case, my security only becomes as secure as my phone (which can easily end up in the hands of others). What happens if I have lost access to all of my devices and need to get money urgently? So I am continuing to use a password. Every high-value site has its own very different password, which is not stored in a password manager, but in my memory. And on a bit of paper, which I can take with me when travelling – but that has the information in an incomplete, coded form, so would be useless to anyone else. It’s not as strong as a passkey tied to a single device – but it’s unlikely to leave me stranded. Jiminoz
Ugh. I think back to my childhood and younger adult life when your “password” was your signature. We didn’t ask for this complicated world – we were told life would be so much easier when we logged on to do this or that. We had no choice in any of it and now look where we are. The burden for protecting ourselves from the life we didn’t ask for falls directly on to us. And of course, it’s our fault when we get hacked. To that end, I’ll stick with my password manager. ElleWoods
Since September 2024, the US National Institute of Standards and Technology has stopped recommending “enforcing arbitrary password complexity requirements such as mixing uppercase and lowercase letters, numbers and special characters. Instead, the focus has shifted to password length as the primary factor in password strength”. The web comic XKCD explains why passphrases are better than passwords. mu5epen7ra
When I die, how do I ensure that my executor can access my passkey to control my accounts? BarnerCobblewood
In reply: Use a password manager and store the “root of trust” on a physical piece of paper and store it in a safe place. Storing a “root of trust” for your password manager means storing sufficient information to regain access to your password manager account, even if you lose all your devices. Typically, it includes long and random recovery codes. For example, 1Password generates an “emergency kit” as part of the initial setup. This is a pdf you physically print out for exactly this purpose. A relative or executor can use the emergency kit to re-establish access to your password manager and all its data. jmsgwd
I was going to tell you all how I use passwords, but now that I’ve read all the comments I’m scared to reveal anything. Goldgreen