Alert: Uncovering how simple it can be for cybercriminals to swipe your passwords
In the ever-evolving digital landscape, the need for robust and user-friendly security measures is paramount. A promising solution is on the horizon: passkeys. This article will guide you on how to switch to passkeys on your Google and Microsoft accounts and explain the benefits of this innovative security feature.
## Making the Switch to Passkeys
### Google Account
1. Navigate to your Google Account settings.
2. Select "Security."
3. Find the "Passkeys and security keys" option.
4. Follow the prompts to register your fingerprint, face, or device PIN as a passkey.
With this setup, you can sign in using biometrics or your device security instead of a password and 2FA code.
### Microsoft Account
Microsoft offers two methods for setting up passkeys:
1. **Using Microsoft Authenticator**
   - Open the Authenticator app.
   - Go to settings and choose your account.
   - Select “Set up a passkey.”
   - Sign in with your credentials and follow the instructions to complete passkey setup.
2. **Via Microsoft Account Online**
   - Sign in to your Microsoft account.
   - Navigate to “Advanced Security Options.”
   - Choose “Add a new way to sign in or verify.”
   - Select “Face, Fingerprint, PIN, or Security Key” and complete the registration.
New Microsoft accounts will use passkeys by default and prioritise password-free logins.
## The Advantages of Passkeys
Passkeys offer stronger security, convenience, and simplified management compared to traditional passwords with two-factor authentication (2FA).
- **Enhanced Security:** Passkeys employ modern cryptography with a public-private key pair, making them highly resistant to phishing and credential theft.
- **Improved Convenience:** Passkeys allow you to sign in using biometrics or your device PIN, eliminating the need to remember or type passwords and wait for 2FA codes.
- **No Password Reuse:** Since each passkey is unique to the account and device, users are not tempted to reuse credentials across services—a common security risk with passwords.
- **Reduced Attack Surface:** There is no password for attackers to steal, and the reliance on device-specific authentication makes unauthorised access much harder.
- **Simplified Management:** With passkeys, you don't need to manage multiple passwords or worry about changing them regularly. Authenticator apps or built-in device keychains can help manage passkeys across devices, though some cross-platform sync challenges may exist.
## A Comparison of Passwords vs. Passkeys
| Feature               | Passwords + 2FA         | Passkeys                |
|-----------------------|-------------------------|-------------------------|
| Authentication Method | Password + SMS/App code | Biometrics/Device PIN   |
| Phishing Resistance   | Moderate                | Very High               |
| Credential Theft Risk | Higher                  | Very Low                |
| User Convenience      | Moderate                | High                    |
| Multi-device Support  | Yes (with 2FA app)      | Yes (with keychain/app) |
| Password Management   | Required                | Not needed              |
As cyber threats continue to evolve, it's clear that switching to passkeys is a step forward in both security and usability for your Google and Microsoft accounts.
- Passwords that remain on accounts should be long, unique, and backed up by non-SMS 2FA.
- Organisations must adapt to the reality of AI-driven social engineering and credential harvesting attacks, as threat actors are actively experimenting with and weaponizing leading GenAI tools to streamline and enhance their phishing capabilities.
- The video demonstrating this process should concern anyone still relying on passwords for key accounts, even with 2FA.
- SMS-based 2FA is now considered little better than nothing at all in the context of phishing attacks.
- Google is urging its account holders to add passkeys to their accounts.
- Forbes and Google Chrome have issued a warning to update or stop using their browsers by July 23.
- Okta has observed threat actors abusing v0, a GenAI tool, to create phishing sites that impersonate legitimate sign-in webpages.
- An authenticator app on a smartphone is the best form of easy-to-use 2FA, but it is still open to interception and users being tricked into sharing codes.
- The technology used by these threat actors can generate functional phishing sites from simple text prompts.
- The use of GenAI by threat actors for phishing purposes is a significant concern.
- In a digital landscape where cybersecurity is crucial, particularly in the data, cloud computing and technology sectors, passkeys offer a promising way to secure Google and Microsoft accounts.
- With passkeys, users can benefit from stronger security against password breaches and password attacks, improved convenience from removing passwords and changing them less frequently, and a reduced attack surface because password reuse is eliminated and unauthorized access becomes more difficult.