Some prominent IT industry leaders are pushing to expedite the transition away from device passwords, replacing them with cell phones used as “passkeys.” The plan is to begin by taking advantage of alternative authentication technologies, including biometrics, that are already built into newer mobile devices and computers.
How will mobile device passkeys work?
You likely have your phone with you or within reach throughout your day. That device most probably has built-in biometric identification functionality including facial and/or touch ID. Home computers now come with capabilities like the Windows Hello feature that allows users to log in with a fingerprint or facial recognition rather than a password. The goal is to leverage these and other capabilities, combined with public key cryptography for increased security, to both eliminate the need for passwords and offer secure cross-platform authentication. With this authentication process you could, for example, use your phone to securely log into your Mac or your PC without typing in a PIN or password.
In a May 2022 interview posted to Microsoft’s security blog, senior company product manager Libby Brown said industry leaders at Microsoft, Google, and Apple are working together to make this transition happen as soon as possible. According to Brown, the move away from passwords could be completed within only a few years, allowing over six billion devices worldwide to utilize a system of standardized password-less login functionality across multiple platforms.
How could this impact cybercrime?
The goal of many social engineering and other cyber attack variants is to steal login credentials. If a hacker obtained the login credentials for your PC and was able to access the data stored thereon, what might he find? Could he find a list of passwords you use for other accounts (bad idea), perhaps even online banking? Might he have access to very sensitive information such as your tax return with all of your personal data including your Social Security number? Perhaps he might come across some medical data or embarrassing information you wouldn’t want exposed.
Moving to a password-less device login process would mean that there would be no device login credentials for a cybercriminal to steal. Unless the attacker had access to your phone and your computer and you were there to provide the biometric input needed to log in, any attempt made by a threat actor to access your data would be unsuccessful.
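Why the public key approach leaves nothing reusable to steal, shown as an added example that is not from the original article or from any vendor's implementation: a simplified challenge-response model in Node.js, not the real WebAuthn message format. The function names, the constructed origins and the `origin|challenge` message layout are assumptions made for illustration.

```javascript
// Added example: simplified passkey-style login (assumed model, not WebAuthn itself).
const nodeCrypto = require('node:crypto');

// Registration: the device keeps the private key; the service stores only the public key.
function registerDevice() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  return { device: { privateKey }, serverRecord: { publicKey, pending: new Set() } };
}

// The service issues a fresh random challenge for every login attempt.
function issueChallenge(serverRecord) {
  const challenge = nodeCrypto.randomBytes(32).toString('hex');
  serverRecord.pending.add(challenge);
  return challenge;
}

// The device signs the challenge together with the origin it is actually talking to.
// On a real device this step only runs after the biometric or PIN check succeeds.
function signAssertion(device, challenge, origin) {
  return nodeCrypto.sign(null, Buffer.from(`${origin}|${challenge}`), device.privateKey);
}

// The service checks the signature against its own origin and consumes the challenge.
function verifyAssertion(serverRecord, expectedOrigin, challenge, signature) {
  if (!serverRecord.pending.delete(challenge)) return false; // unknown or already used
  const message = Buffer.from(`${expectedOrigin}|${challenge}`);
  return nodeCrypto.verify(null, message, serverRecord.publicKey, signature);
}

function demo() {
  const ORIGIN = 'https://login.example';            // constructed value
  const LOOKALIKE = 'https://login.example.invalid'; // constructed value
  const { device, serverRecord } = registerDevice();

  const c1 = issueChallenge(serverRecord);
  const sig1 = signAssertion(device, c1, ORIGIN);
  const ok = verifyAssertion(serverRecord, ORIGIN, c1, sig1);     // genuine login
  const replay = verifyAssertion(serverRecord, ORIGIN, c1, sig1); // captured response reused

  const c2 = issueChallenge(serverRecord); // response produced for a look-alike site
  const wrongOrigin = verifyAssertion(serverRecord, ORIGIN, c2, signAssertion(device, c2, LOOKALIKE));

  const c3 = issueChallenge(serverRecord); // signer without the registered device's key
  const other = { privateKey: nodeCrypto.generateKeyPairSync('ed25519').privateKey };
  const withoutDeviceKey = verifyAssertion(serverRecord, ORIGIN, c3, signAssertion(other, c3, ORIGIN));

  return { ok, replay, wrongOrigin, withoutDeviceKey };
}
```

Only the genuine login verifies; the service's stored record holds a public key, so a copy of it does not let anyone sign in.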
This technology offers both personal and commercial benefits
Not only will individuals enjoy the elevated device security and password-less login functionality offered by this technology, but businesses will benefit as well. With no credentials to steal, the number of cyber attacks targeting organizations could decrease significantly. This would include social engineering attacks designed to trick employees into providing login information that will no longer exist. Additionally, if the technology is deployed properly, criminals would likely find it much more difficult to perpetrate costly and destructive attacks including the deployment of ransomware.
Hopefully, cross-platform password-less device login will become widely available in the near future. In the meantime, be sure you’re using unique, complex passwords for each of your devices and accounts to make it more difficult for criminals to succeed. Once this new option for device login does become available, be sure to take advantage of it. Not only will you no longer need to create and remember those passwords, but your devices and your data will be more secure as a result.