Why It’s Time to Ditch Passwords and Switch to Passkeys
Last updated October 24, 2024
The best passwords, even “long and strong” ones, are no match for today’s international crime rings. Passwords are easily stolen during phishing attacks or compromised in data breaches and sold on the dark web. Microsoft detects more than 4,000 password attacks every second.
To fight back, the big tech companies, working together through the FIDO Alliance, created passkeys, a more secure way to log in that replaces the shared secret with a pair of mathematically linked cryptographic keys.
Unlike passwords, with passkeys there's no string of letters, numbers, and symbols to remember, nothing to type into a fake site or inadvertently share, and no shared secret sitting on a company's server for the bad guys to steal. Instead, when you use a passkey to sign in to a website or app, your device approves the login locally after you unlock it with a PIN, fingerprint, or facial recognition (the same way you'd unlock the device). What leaves the device is a one-time signed response, not anything an attacker could reuse to impersonate you.
“We believe that this is a fundamental shift, and it’s a shift forward,” said James Lee, COO at the non-profit Identity Theft Resource Center. “Passkey technology, when fully implemented, will absolutely eliminate an entire class of identity crime.”
How Passkeys Work
When you first set up a passkey for a site, your device generates a pair of linked keys. The private key is created and stored on your device, protected by the device's secure hardware and your screen lock, and never leaves it; the matching public key is sent to the website or app, which stores it tagged with that site's domain.
The passkey on your device is bound to that company's domain, meaning it won't be offered for a fake Chase Bank or T-Mobile website or app during a phishing attack. The fake site's servers never get the private key, so criminals can't intercept it, and the public key they could steal from the real site is useless on its own: it can check your logins but cannot produce them.
The user experience is simple, but the security, which takes place behind the scenes, is enhanced.
“It’s the same security government workers use in their badges, the same security as the chip in a chip card, and you cannot steal and reuse it,” said Megan Shamas, chief marketing officer for the FIDO (Fast Identity Online) Alliance, the global consortium working to promote passkey technology.
Because the confirmation "handshake" between your device and the website or app checks both sides (your browser confirms which web address it is really talking to, and your device proves it holds the private key by signing a fresh challenge), passkeys also eliminate account takeovers due to stolen passwords, the biggest security problem on the web.
This FIDO graphic shows the process:
Each time you log in using a passkey, the website or app sends a one-time challenge; your device signs it with the private key, and the site checks the signature against the public key it stored at sign-up, which proves the login came from your device. In turn, your browser or operating system will only use a passkey on the domain it was created for, so a copycat site created by cybercriminals is refused.
“When you go to a spoofed site, your device will say, ‘nope, this is not the right site,’ and won’t share your credentials,” Shamas explained. “It really takes the burden off of the user to have to figure out whether they’re on a legitimate website or not, which is a huge problem for passwords today.”
This double handshake renders malicious phishing email (see below) and smishing (phishing text messages) harmless because even if you take the bait and click on the link, your browser or phone will not offer the passkey for the bogus web address, and the login fails. Note that this protects the passkey itself; if you still keep a password or one-time code on the account as a fallback, a phishing page can still ask you to type those.
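The two checks described above, the browser refusing to use a passkey on the wrong domain and the site verifying a signed one-time challenge, can be shown end to end. The following Go program is an added example, not code from the article or from the FIDO Alliance, and it simplifies the real WebAuthn protocol: the signed data carries only the challenge and origin (no authenticator data or counter), the origin check is an exact match rather than allowing subdomains, and the site bank.example, the user alice, and the look-alike domain bank-example.com are all made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData is what the browser assembles and the device signs: the site's one-time challenge plus the origin the browser actually loaded.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// digest hashes the client data; the device signs this hash, never the raw bytes.
func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }
// Authenticator models the device: one private key per relying-party (RP) ID, never exported.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Register makes a fresh P-256 key pair bound to rpID; only the public half leaves the device.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[rpID] = priv
	return &priv.PublicKey
}

// Sign uses the key bound to rpID; the PIN/biometric prompt that gates this on a real device is assumed to have passed.
func (a *Authenticator) Sign(rpID string, hash []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no passkey registered for RP ID %s", rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, hash)
}

// browserGetAssertion is the client-side check: unless the page's origin matches the RP ID the
// passkey was created for, it is never used at all. (Real browsers also accept subdomains of the RP ID.)
func browserGetAssertion(auth *Authenticator, rpID, origin, challenge string) ([]byte, []byte, error) {
	if origin != "https://"+rpID {
		return nil, nil, fmt.Errorf("origin %s does not match RP ID %s", origin, rpID)
	}
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	sig, err := auth.Sign(rpID, digest(cd))
	return cd, sig, err
}

// RelyingParty models the server. It stores public keys only, so a breach of this table gives an attacker nothing that logs in.
type RelyingParty struct {
	id, origin string
	pubKeys    map[string]*ecdsa.PublicKey // user -> registered public key
	pending    map[string]string           // user -> outstanding one-time challenge
}

func (rp *RelyingParty) NewChallenge(user string) string {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand: a fresh random challenge for every login attempt
	rp.pending[user] = fmt.Sprintf("%x", b)
	return rp.pending[user]
}

// Verify is the server-side check: fresh challenge, expected origin, valid signature under the stored public key.
func (rp *RelyingParty) Verify(user string, cd, sig []byte) error {
	var c clientData
	if json.Unmarshal(cd, &c) != nil || c.Challenge == "" || c.Challenge != rp.pending[user] {
		return fmt.Errorf("malformed client data or unknown/already-used challenge")
	}
	delete(rp.pending, user) // one challenge, one login: a captured response cannot be replayed
	if c.Origin != rp.origin {
		return fmt.Errorf("response was signed for origin %q, not %q", c.Origin, rp.origin)
	}
	if pub, ok := rp.pubKeys[user]; !ok || !ecdsa.VerifyASN1(pub, digest(cd), sig) {
		return fmt.Errorf("signature does not verify against the registered public key")
	}
	return nil
}

// Demo runs four login attempts against the hypothetical site bank.example and reports which the RP accepts.
func Demo() (legit, lookalike, bypassedClient, replay bool) {
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	rp := &RelyingParty{id: "bank.example", origin: "https://bank.example", pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string]string{}}
	rp.pubKeys["alice"] = auth.Register(rp.id) // enrollment: only the public key is sent to the site
	ch := rp.NewChallenge("alice")              // 1. honest login from the real site
	cd, sig, _ := browserGetAssertion(auth, rp.id, rp.origin, ch)
	legit = rp.Verify("alice", cd, sig) == nil
	ch = rp.NewChallenge("alice") // 2. phishing page on a look-alike domain: the browser refuses
	_, _, err := browserGetAssertion(auth, rp.id, "https://bank-example.com", ch)
	lookalike = err == nil
	forged, _ := json.Marshal(clientData{Challenge: ch, Origin: "https://bank-example.com"}) // 3. client check bypassed
	fsig, _ := auth.Sign(rp.id, digest(forged))               // ...but the origin baked into the signed data gives it away
	bypassedClient = rp.Verify("alice", forged, fsig) == nil
	replay = rp.Verify("alice", cd, sig) == nil // 4. replaying login 1: its challenge is already spent
	return // expected: true false false false
}
```

Scenario 3 is the one worth studying: even if a phishing kit could somehow coax a signature out of the device, the origin the browser saw is part of what gets signed, so the real site rejects it. That is why a stolen password is replayable but a captured passkey response is not.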
Apple, Google, Meta, and Microsoft already support this technology. Microsoft told Checkbook it hopes to have one billion people using passkey technology in the next 12 months.
“Passkeys defeat all of the common attacks that we see today, including phishing and advanced phishing and social engineering,” said Alex Weinert, Microsoft’s vice president for security. “Password guessing, password replay, all of those attacks come off the table as people transition to using passkeys.”
Passwords Have Outlived Their Usefulness
“A password is just a secret between me and my computer that I have to share to prove my identity,” said Chester Wisniewski, director and global field chief technology officer at Sophos, a British cybersecurity company. “And we know humans are pretty terrible at keeping secrets. We’re also terrible at keeping passwords.”
Cybercriminals have gotten quite good at tricking people into providing passwords by using bogus email and text messages or phone calls that purport urgency. Artificial Intelligence (AI) is making it harder to distinguish real messages from malicious ones. (The old advice to look for typos, misspellings, or bad grammar in an email doesn't work for AI-generated content.)
Most people use the same or similar passwords on all of their accounts, including for work. So, if identity thieves get that password, it’s easier for them to access all the victim’s accounts.
The response your passkey produces is a digital signature over a fresh, one-time challenge from the site, so it is different every time and useless to a criminal who captures it; it cannot be replayed for a later login.
“It’s really an advanced version of multi-factor authentication,” Wisniewski told Checkbook. “Even if your computer has malware on it or somebody is spying on you in some way, anything they steal doesn’t allow them to impersonate you.”
Passkey Rollouts Are Already Underway
Passkey technology was unveiled in the summer of 2022. The public rollout started earlier this year, when it became possible for passkeys to sync across all platforms.
New technology is always confusing and frustrating at first, and passkeys are no exception, as I discovered when I tried to create them for several of my accounts.
Each business decides how the technology will be implemented, so what you see may differ from company to company. Some don't use the term "passkey." Some make you navigate to "settings" and then "security" to create the passkey. And because the technology is optimized for mobile devices, the user experience will be different on a computer: you may be shown a QR code to scan with your phone, which then approves the login on the computer's behalf.
That said, once passkeys are enabled, the sign-in process should be faster than using passwords. Google data from March to April 2023 show that the sign-in authentication is faster: 14.9 seconds with passkeys vs. 30.4 seconds with passwords. The success rate for passkey logins is also four times higher than passwords: about 14 percent for passwords vs. 64 percent for passkeys.
The FIDO Alliance estimates that one billion people globally have created at least one passkey. Nearly 150 companies are listed on FIDO's website as having implemented passkey authentication, including Amazon, Best Buy, Citi, CVS/Caremark, eBay, Facebook, Instacart, LinkedIn, PayPal, T-Mobile, TikTok, Uber, Verizon, Yahoo!, and YouTube.
Are Passkeys Portable?
Yes, they work across platforms, just like passwords. FIDO recommends storing your passkeys in a password manager or authenticator app (such as Google or Microsoft Authenticator, Authy, or Duo Mobile) so they can be used on all your devices. Check that the app you pick actually stores passkeys; many authenticator apps only generate one-time codes.
You can use the password manager built into your browser or operating system or download one from a third-party provider, such as 1Password, Dashlane, or NordPass.
If your passkeys are synced through the cloud, you can recover them on a new device if you lose your smartphone or laptop. That makes the account doing the syncing (your Apple, Google, or password-manager account) the one to protect most carefully. Passkeys kept on a hardware security key or otherwise bound to a single device don't sync, so register a backup for those.
Will Passkeys Share My Biometric Data?
No, your biometric data stays in your devices, according to FIDO. It’s similar to how you use a fingerprint or facial recognition to unlock your phone.
If you use a password or credential manager (e.g., iCloud Passwords or 1Password), your passkeys are stored in the cloud in encrypted form so they can be used across platforms, similar to what's commonly done with passwords. But unlike passwords, the online service itself holds only your public key, which is of no use to hackers in a breach: it can verify your logins but cannot produce them.
Should You Switch to Passkeys?
Cybersecurity experts encourage enabling passkeys when offered, especially for your email, financial, and social media accounts, which can result in the most harm if a hacker accesses them.
You can test drive the technology by creating a demo account at passkeys.io.
Passwords Aren’t Going Away for Now
It will take time for passkey technology adoption to take hold. Some sites and apps will never offer it. Some users will resist it. As long as you use passwords, you need to keep your guard up:
- Your passwords should be strong and hard to guess (don’t use “password123” or “letmein321”). All the major browsers have built-in password managers that will generate a strong and unique password for each account and remember it for you.
- Don’t reuse the same password on multiple sites, even for sites where you don’t feel privacy is an issue. If a criminal snags that password, they can use it on all of your accounts.
- Use multi-factor authentication (MFA) when available. This extra layer of security, a code provided by email, text, or phone call, isn't foolproof: it stops attackers who have only your password, but a real-time phishing site can relay the code just as it relays the password. MFA reduces the risk of account compromise by 99.2 percent, according to the latest data from Microsoft. But the company told us criminals are already creating new attacks that target MFA.
The Bottom Line
It's a dangerous misconception to think cybercriminals would never come after you. If you have a bank or credit card account, or access your medical records, Social Security, or Medicare account online, you are a potential target. Protecting yourself from identity theft can prevent days, weeks, or months of cleaning up the mess caused by the fraudsters. If you're not ready to switch to passkeys, at least use a password manager and sign up for Multi-Factor Authentication (when available) for your online accounts.
Contributing editor Herb Weisbaum (“The ConsumerMan”) is an Emmy award-winning broadcaster and one of America's top consumer experts. He has been protecting consumers for more than 40 years, having covered the consumer beat for CBS News, The Today Show, and NBCNews.com. You can also find him on Facebook, Twitter, and at ConsumerMan.com.