dailynewsnblog
The UK’s National Cyber Security Centre has called time on the password – from now on, you should use a passkey.
The NCSC said this week it would no longer recommend using passwords where passkeys were available. They should be consumers’ first choice of login across all digital services because passwords were not secure enough to stand up to modern cyber threats.
What is a passkey?
Security officials describe a passkey as a “digital stamp” that allows you to sign in to apps and websites and is stored on your device.
It is a password-free form of login. Unlike a password, it cannot be stolen in a phishing attack, where people are fooled into handing over their credentials, which can later appear on the dark web.
It just requires your smartphone or device to confirm that it is you trying to log in, by using biometric methods such as facial recognition or your phone’s pin. That triggers the “stamp” – or secure passkey – which confirms to the app or website that you are who you say you are. Each account you are registered with will have a different passkey.
Even if an app or website using passkeys is breached, it is of no use to an assailant because the device holds the “private” passkey needed to complete a login.
Passkeys can also be synced across devices.
How do you set up a passkey?
The NCSC says you can go to account security or privacy settings on apps and websites you already use, or look out for prompts from services asking you to upgrade to passkeys. You may also be offered to set one up when creating a new account for an app or website.
Google says just over 50% of users of its services in the UK have a passkey registered.
Why are passkeys good?
They are not passwords, which can be wheedled or conned out of users via phishing emails or can be found on the dark web.
Last year, researchers at Cybernews, an online tech publication, said they had found billions of login credentials. The datasets were in the format of a URL, followed by login details and a password. Experts were sceptical about the report, saying the data was probably already in circulation online and many of the details could be duplicates. Nonetheless, they said it emphasised the need to update passwords regularly and adopt tough security measures such as two-factor authentication, where users are asked to give another form of verification along with their password.
“Passwords have never been a perfect solution from a user perspective because we need to keep adding things to try and make them more secure,” said Dave Chismon, a senior tech expert at the NCSC. “And yet, they are still phishable and the extra security involved makes users’ lives harder.
“Whilst the technology is complex, for a user passkeys are quicker and simpler than remembering a password or going through two-factor authentication.”
Is facial recognition vulnerable?
Bypassing biometric checks on a device is difficult. Alan Woodward, a professor of cybersecurity at Surrey University, says facial recognition has improved significantly.
“It’s not just the recognition algorithms that have become better but devices now include ‘proof of liveness’ to stop images being used. As with all cybersecurity it’s a game of whack-a-mole. Hackers’ ploys improve and the countermeasures also improve,” he says.
There could be an issue with, for instance, a family member or partner knowing your phone pin. Experts say an obvious defence against this is keeping your pin private – even from family members.
What other precautions should people follow?
A major threat to people’s personal cybersecurity is their own behaviour. “Most attacks against individuals still happen because of a lack of basic cyber-hygiene – getting the fundamentals right really does work,” said Chismon.
Some basic recommendations are to get passkeys or, if you are using passwords, to use two-factor authentication. Another is to always use strong passwords, especially a strong and separate one for your email account. And use a password manager, which creates and stores passwords securely.
You should update apps and operating software on your devices regularly. Phishing attacks, where assailants attempt to access your login details or trick you into downloading malicious software, can be avoided by looking out for (and not clicking on) dodgy-looking emails, links and attachments.
The most common passwords in the world look like a godsend for hackers. According to Nordpass, a password manager app that stores passwords securely, the most used password – based on an analysis of public data breaches and dark web data stockpiles – is “123456”. Others in the top 10 are “admin”, “password” and “admin123”. If those are your passwords, then passkeys are definitely for you.
