In the age of artificial intelligence, traditional passwords can no longer be relied upon to protect the security and confidentiality of your data and online accounts.
Google and Microsoft have warned that phishing experts have created pages that look almost identical to the original login pages, making it easier for them to steal passwords. Numerous data leaks have exacerbated this crisis. Therefore, cybersecurity experts recommend using what is known as a passkey, as it is considered more secure.
Let’s learn together what a passkey is, how to create one, and why it is more secure than traditional passwords.
What are passkeys?
Passkeys are the new recommended way to log in to websites and apps. They are designed to be easier and more secure than traditional passwords. Instead of having to remember complex passwords or use a password manager, they let you log in using your device’s unlock method, such as a fingerprint, facial recognition, or a personal identification number (PIN).
How do passkeys work?
Passkeys rely on public key cryptography, the same technology used to secure communications across the internet. When you create a passkey for an account, a pair of keys is generated:
- Public key: Securely stored on the website or app’s server.
- Private key: Securely stored on your phone or computer.
When you try to log in, the website or app asks you to confirm ownership of the private key. This is done by creating a “signature” on your device using its private key, which the website can then verify using its stored public key. The private key itself is never sent over the internet, making it more secure than passwords.
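The sign-in exchange described above, as an added example that is not part of the original article: a simplified Node.js model (not the real WebAuthn message format) in which the `Server` class, the functions `createPasskey`, `signIn` and `demo`, the user name and the `example.com`/`example.net` origins are all assumptions made for illustration. It goes slightly beyond the text by also signing the site origin and by using single-use challenges, so a signature made on a different site or replayed later is rejected.

```javascript
// Added example: simplified passkey sign-in model, not the real WebAuthn format.
const crypto = require('crypto');
// Registration: the device creates the key pair; only publicKey is sent to the site.
function createPasskey() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // NIST P-256
}
// Device side: sign the server's challenge plus the origin the browser is really on.
function signIn(privateKey, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), privateKey);
  return { clientData, signature: signature.toString('base64') };
}

// Server side (hypothetical class): stores public keys, issues single-use challenges.
class Server {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // user -> public key
    this.pending = new Map();    // user -> outstanding challenge
  }
  register(user, publicKey) { this.publicKeys.set(user, publicKey); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32).toString('base64');
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, { clientData, signature }) {
    const expected = this.pending.get(user);
    this.pending.delete(user); // each challenge is accepted once, which blocks replay
    const key = this.publicKeys.get(user);
    if (!expected || !key) return false;
    let data; try { data = JSON.parse(clientData); } catch { return false; }
    if (data.challenge !== expected || data.origin !== this.origin) return false;
    return crypto.verify('sha256', Buffer.from(clientData), key, Buffer.from(signature, 'base64'));
  }
}

// Constructed scenario: one valid login and three that the server must reject.
function demo() {
  const site = 'https://example.com';
  const server = new Server(site);
  const device = createPasskey();
  server.register('alice', device.publicKey);
  const first = signIn(device.privateKey, server.newChallenge('alice'), site);
  const ok = server.verify('alice', first);
  const replay = server.verify('alice', first);
  const wrongOrigin = server.verify('alice', signIn(device.privateKey, server.newChallenge('alice'), 'https://login.example.net'));
  const wrongKey = server.verify('alice', signIn(createPasskey().privateKey, server.newChallenge('alice'), site));
  return { ok, replay, wrongOrigin, wrongKey };
}
```

Calling `demo()` returns which of the four attempts the server accepted; at no point does the private key appear in anything passed to `Server`.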
Why are passkeys better than passwords?
Phishing-resistant:
Hackers can’t steal passkeys as easily as passwords, even if they trick you into visiting a fake website.
Breach-resistant:
Even if a website’s database is breached, hackers can’t access your passkey because the private key is stored on your device, not on a server. The server holds only the public key.
No chance of guessing your passkey:
Hackers can’t guess your passkey like they can with weak passwords.
Easy to use because you don’t need to remember it:
No need to remember or reset complex passwords.
Faster login:
You can log in simply by using your fingerprint or face.
Sync across devices:
Passkeys can be synced across your different devices if you use the same Apple ID or Google Account, for example, allowing you to access them from any trusted device.
Better user experience:
Reduces the frustration of forgetting passwords and increases security without additional complexity.
Cloud sync:
Your private keys are stored securely, in encrypted form, in your operating system provider’s cloud services, such as iCloud Keychain or Google Password Manager. This means that when you log in to your account from a new device, your passkeys will be automatically available after your identity is verified.
Are passkeys available now?
Many major companies have begun adopting passkeys, including Google, Apple, Microsoft, PayPal, and Shopify. Their popularity is expected to increase significantly in the near future.
Passkeys represent a paradigm shift in digital security, making our digital lives more secure and easier.
What does “Passwordless” mean?
This term encompasses a group of authentication systems and methods that allow users to access accounts and systems without having to enter traditional passwords. It aims to eliminate the vulnerabilities and hassles associated with passwords, such as:
- Weak passwords: These are easy for attackers to crack or guess.
- Reuse: When the same password is used across multiple sites, one compromised account can lead to others.
- Phishing: Users are tricked into giving up their passwords.
- Forgotten passwords: These create a frequent need to reset passwords.
How does passwordless authentication work?
Passwordless authentication relies on alternative methods of identity verification, such as:
- Biometrics: such as fingerprints, facial recognition, and iris scanning.
- Passkeys: As explained earlier, this is an advanced and secure form of passwordless authentication.
- Security tokens: small physical devices that generate one-time codes.
- Multi-factor authentication (MFA) using apps or SMS messages: where a code is sent to a trusted device.
- Magic Links: Sending a unique link to an email or phone number, which the user clicks to log in.
Why is it important?
Passwordless authentication is the next step in enhancing online security and usability, as it significantly reduces the risk of hacking and improves the user experience.

Google Security
Google is a leader in passwordless authentication, supporting and encouraging the use of passkeys across all Google Account platforms, including Chrome and Android. Because Google holds a massive volume of data, including email, search, maps, documents, and more, it prioritizes its security features, including:
- Data encryption in transit and at rest, highly secure data centers, and hack-resistant networks.
- Product design with security in mind (security by design) and regular security updates.
- Strong authentication through support for two-factor authentication (2FA) and multi-factor authentication (MFA), and the use of passkeys as an alternative to passwords.
- A security checkup tool is used to review user security settings and provide recommendations for improvement.
- Phishing and malware protection through advanced filters in Gmail and warnings in Google Chrome when visiting risky websites.
- Users are immediately notified when suspicious activity is detected on their accounts.
- Users are provided with dashboards to control their data, privacy, and security settings.
- Furthermore, Google invests heavily in researching security vulnerabilities and discovering new threats.
The Microsoft Authenticator app
The Microsoft Authenticator app is a free smartphone app for iOS and Android. It provides an additional layer of security for user accounts, particularly Microsoft accounts such as Outlook, OneDrive, and Azure. It also supports other accounts such as Google, Facebook, and Dropbox. Its primary functions include:
- Generating one-time passcodes (OTPs), which serve as a secondary verification factor after entering a password.
- Instead of entering a code, the user receives a push notification on their phone to approve the login.
- The app allows users to log in to their Microsoft accounts without entering a password by simply accepting the notification after entering their username.
- It can also store and populate passwords for websites and apps.
The app is a platform for storing and managing passcodes generated by users across their devices connected to Microsoft accounts.