We talk a lot about account security and passwords: how to avoid getting caught in a phishing scheme, what good password hygiene looks like, why you should use a password manager, and so on.
But this week we’re dropping some new password advice that might surprise you: maybe it’s time to stop using passwords at all!
Or at least, maybe that time will be here sooner rather than later.
Here’s what you need to know about big changes coming in the cybersecurity space.
Down with the Password?
Google, Microsoft, Apple, and several other tech behemoths have joined forces to kill the password, essentially. And that’s a good thing.
Passwords are notoriously, well, bad. They’re hard to remember, which leads to lots of password reuse and people using the simplest possible passwords…which makes those passwords really easy to steal, crack, or hack.
Phishing schemes and other credential compromise attacks cost businesses trillions each year. And while those losses aren’t exactly big tech’s fault, all the big tech players have good reasons for wanting to improve the system.
We’ve seen several improvements already, like two-factor and multifactor authentication (which you should definitely use wherever possible for as long as you’re still using passwords!). But the core system, where everyone is supposed to memorize unique passwords for a hundred-plus different sites and accounts, is just plain broken.
The solution these tech firms have agreed on is something called a passkey. And Google’s just made a big change, flipping the switch so that passkeys are the default for all personal Google accounts.
What’s a Passkey?
Passkeys are a new way of authenticating users and logging onto a site or service. They are an evolution of multifactor authentication that’s even more secure but also far easier, almost frictionless, to use.
What’s going on under the hood is a little complicated (OK, a lot complicated), but as far as the user’s concerned, the experience is dead simple. Once a passkey is set up, most of the time all a user will need to do is provide biometric information (like a fingerprint or Face ID) using their smartphone. That’s it.
No more complicated passwords that eventually get stolen. Just a secure, super easy way of verifying you’re you.
How Do Passkeys Work?
Passkeys combine several concepts and technologies. They use something called zero-trust architecture, which means services have no trust at all that you are you, unless you prove it.
But they also use something called public key cryptography (that’s the complicated bit) and biometrics to prove that you’re you. Once the passkey is set up on your phone, all you need is that phone (with the encrypted private key) and your biometrics (your face or your fingerprint) to prove that you yourself currently have that phone in your possession.
Because it’s next to impossible for someone to steal both your phone and your face (let’s be honest, if they do that, you’ve got bigger problems!), passkeys are incredibly secure. And the bad guys can’t steal or crack either part of the passkey: websites and services never “know” your private key, and your biometric data never leaves your smartphone.
Passkeys are also easier for users to actually use: no logins, secondary security codes, authenticator apps, or anything else like that.
It may sound too good to be true, but passkeys really are easier to use, simpler to set up, and simultaneously more secure than anything that came before them.
What’s Now, What’s Next
Google is pushing forward with passkeys, but so far it’s doing so only with personal accounts. It won’t be long before passkeys will come to your Google Workspace accounts too, but we don’t know the exact timing for this yet.
So for now, we recommend that people adopt passkeys for their personal accounts—both because they’re more secure and because getting that experience now will make the business transition far easier when the time comes.
Got questions about how passkeys might affect your business? Feel free to contact us; we’re happy to help.