Heimdal

Google announced on October 12, 2022, its support for Passkeys on Android and Chrome.

This is the next-generation login standard and aims to create a safer cyber environment by replacing traditional passwords with unique digital keys that are saved on your device.

Passkeys were created by the FIDO Alliance and are also supported by Apple and Microsoft in a common effort toward a passwordless sign-in standard.

How Passkeys Work

“Passkeys follow already familiar UX patterns, and build on the existing experience of password autofill. For end-users, using one is similar to using a saved password today, where they simply confirm with their existing device screen lock such as their fingerprint”, Google explained.

To create a passkey, the user follows a two-step procedure: confirming the account they want to use to log in to the online service, and providing the biometric information or the code for the device. Signing in to a website works the same way: selecting an account and presenting a method of authentication.


Passkeys rely on public-key cryptography: a private key is stored locally on the user’s device, and a public key is shared with the online service.

“During a login process, a platform that supports passkeys uses the public key to verify a signature from the private key to confirm the authenticity of the user. The passkey private key generated per user account for an online service is also encrypted at rest on the user’s devices with a hardware-protected encryption key”, according to The Hacker News.
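The challenge-and-signature check described above, as an added example that is not code from Google, the FIDO Alliance or the original article. It is a simplified model in Node.js: the function names, origins and message layout are assumptions, and real WebAuthn signs additional authenticator data.

```javascript
// Simplified model of a passkey login; not the real WebAuthn message format.
const crypto = require('node:crypto');

// Registration: the device creates a key pair for one account on one service.
// The private key stays on the device; the service stores only the public key.
function registerPasskey() {
  // prime256v1 is OpenSSL's name for the NIST P-256 curve.
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return { device: { privateKey }, server: { publicKey } };
}

// Service: a fresh random challenge per login attempt.
const newChallenge = () => crypto.randomBytes(32);

// Device: sign the challenge together with the origin the browser is on.
function signAssertion(device, challenge, origin) {
  const clientData = Buffer.from(JSON.stringify({ challenge: challenge.toString('base64url'), origin }));
  return { clientData, signature: crypto.sign('sha256', clientData, device.privateKey) };
}

// Service: verify the signature with the stored public key, then check that the
// signed data carries this login's challenge and the service's own origin.
function verifyAssertion(server, challenge, origin, assertion) {
  if (!crypto.verify('sha256', assertion.clientData, server.publicKey, assertion.signature)) return false;
  const data = JSON.parse(assertion.clientData.toString());
  return data.challenge === challenge.toString('base64url') && data.origin === origin;
}

// Constructed scenario; the origins are placeholder values.
function demo() {
  const site = 'https://example.com';
  const { device, server } = registerPasskey();
  const challenge = newChallenge();
  const good = signAssertion(device, challenge, site);
  const otherDevice = registerPasskey().device;
  return {
    legitimate: verifyAssertion(server, challenge, site, good),
    replayed: verifyAssertion(server, newChallenge(), site, good),
    wrongOrigin: verifyAssertion(server, challenge, site, signAssertion(device, challenge, 'https://login.example.net')),
    wrongKey: verifyAssertion(server, challenge, site, signAssertion(otherDevice, challenge, site)),
  };
}

console.log(demo());
```

Only the first case verifies: a response captured for an earlier challenge, one signed for a different origin, and one signed by another device's key are all rejected, and the service never holds anything that can produce a valid signature.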

Why Are Passkeys Safer

Passkeys are independent of the operating system and browser. For example, an Android user can use Safari on iOS or macOS, or the Chrome browser on Windows, to log in to a passkey-enabled website.

To avert lockouts, the generated passkeys are stored safely in the cloud via Password Manager, while developers can enable passkeys on their websites using the WebAuthn API.

Passkeys are a significantly safer replacement for passwords and other phishable authentication factors. They cannot be reused, don’t leak in server breaches, and protect users from phishing attacks. Passkeys are built on industry standards and work across different operating systems and browser ecosystems, and can be used for both websites and apps.

Source

This type of login protects users against malicious attacks such as phishing by encrypting the private key, with decryption available only to the end user, and by being one-use only and immune to data leaks.


Author Profile

Andreea Chebac

Digital Content Creator

Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content. A literature-born cybersecurity enthusiast (through all those SF novels…), she loves to bring her ONG, cultural, and media background to this job.
