More security without passwords
The most important points in brief
- Passkeys replace passwords with a login via smartphone or FIDO key. This makes phishing effectively impossible.
- Until all web services support passkeys, strong passwords plus two-factor authentication remain mandatory.
Passwords are vulnerable because they are often too short, too simple or reused across many services at the same time. Once one is cracked, attackers have free rein. With passkeys, things are different.
Developed by a broad industry alliance
The IT service is secured with a piece of personal hardware such as a smartphone or a FIDO key (e.g. a USB stick). Once registered, it is unlocked by fingerprint or facial recognition. The prerequisites are an activated display lock and, for use on a PC, activated Bluetooth. In addition, two-factor authentication must be switched on.
Passkeys were developed by the FIDO Alliance, to which the major companies of the IT industry belong, including Google and Apple. The passwordless security technology is based on the «WebAuthentication» (WebAuthn) standard. Passkeys are open and vendor-independent.
What happens in the background
Asymmetric cryptography is used. The secret, a long, randomly generated character string, is stored on the device on first use and never shared. When logging into a web service, the physical device proves possession of the secret cryptographically, without revealing it. Users are prompted by the website to unlock the device (using a fingerprint or face scan), after which the login to the IT service takes place.
Users no longer have to create and manage passwords. In addition, phishing attacks, which in most cases are the starting point for break-ins into the company network, no longer work: the secret key is never disclosed, not even when an employee tries to log in on a fake website.
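The two paragraphs above describe the mechanism in words; the following added example (written for this article, not code from Baggenstos, the FIDO Alliance or any WebAuthn library) models the core of it with the Go standard library: the device keeps a private key per origin and hands the service only the public key; the service sends a fresh random challenge; the device signs the challenge bound to the origin the browser is actually on; the service verifies the signature with the stored public key. The look-alike origin "examp1e.com" and the user name "alice" are constructed for the demonstration. The phishing case shows why the secret is never disclosed: the device has no key for the fake origin, so it refuses, and even a relayed challenge produces nothing the genuine service would accept.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device (smartphone or FIDO key).
// Private keys are generated here and never leave this struct.
type Authenticator struct {
	creds map[string]*ecdsa.PrivateKey // relying-party ID (origin) -> private key
}

// RelyingParty models the web service. It stores public keys only.
type RelyingParty struct {
	ID      string                      // the origin credentials are bound to
	pubKeys map[string]*ecdsa.PublicKey // user name -> public key
}

// Assertion is the device's answer to a login challenge.
type Assertion struct {
	RPID      string // origin the device signed for
	Signature []byte // ASN.1 ECDSA signature over signedData(RPID, challenge)
}

func NewAuthenticator() *Authenticator { return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}} }
func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]*ecdsa.PublicKey{}}
}

// signedData binds the challenge to the origin, so a signature produced for one
// origin is worthless at any other.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write([]byte{0}) // separator so "a"+"bc" and "ab"+"c" hash differently
	h.Write(challenge)
	return h.Sum(nil)
}

// Register creates a fresh P-256 key pair for rpID and returns only the public half.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// Authenticate is called with the origin the browser is actually on. The device
// signs only with the key registered for exactly that origin. (On a real device
// this step is gated by the fingerprint or face unlock described in the text.)
func (a *Authenticator) Authenticate(origin string, challenge []byte) (*Assertion, error) {
	priv, ok := a.creds[origin]
	if !ok {
		return nil, errors.New("no passkey registered for origin " + origin)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(origin, challenge))
	if err != nil {
		return nil, err
	}
	return &Assertion{RPID: origin, Signature: sig}, nil
}

// AddUser stores the public key handed over at registration.
func (rp *RelyingParty) AddUser(name string, pub *ecdsa.PublicKey) { rp.pubKeys[name] = pub }

// NewChallenge returns 32 fresh random bytes; one per login attempt, never reused.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify accepts the assertion only if it names this origin, covers this exact
// challenge, and verifies under the user's stored public key.
func (rp *RelyingParty) Verify(user string, challenge []byte, as *Assertion) bool {
	pub, ok := rp.pubKeys[user]
	if !ok || as == nil || as.RPID != rp.ID {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedData(rp.ID, challenge), as.Signature)
}

// RunScenario registers a passkey at genuineOrigin, then attempts a login where the
// browser reports browserOrigin, and returns whether the genuine service accepted.
// Equal origins model a normal login; a look-alike origin models the phishing case.
func RunScenario(genuineOrigin, browserOrigin string) (bool, error) {
	dev, rp := NewAuthenticator(), NewRelyingParty(genuineOrigin)
	pub, err := dev.Register(genuineOrigin)
	if err != nil {
		return false, err
	}
	rp.AddUser("alice", pub) // constructed user name
	challenge, err := rp.NewChallenge() // a phishing proxy could relay this unchanged
	if err != nil {
		return false, err
	}
	as, err := dev.Authenticate(browserOrigin, challenge)
	if err != nil {
		return false, err // device refuses: nothing usable ever reaches the fake site
	}
	return rp.Verify("alice", challenge, as), nil
}

func main() {
	ok, err := RunScenario("example.com", "example.com")
	fmt.Println("genuine site accepted:", ok, err)
	ok, err = RunScenario("example.com", "examp1e.com") // constructed look-alike origin
	fmt.Println("phishing site accepted:", ok, err)
}
```

Because the challenge is random and part of the signed data, a captured assertion is also useless against a later login: `Verify` with a fresh challenge fails. Real WebAuthn additionally signs a counter and a hash of client data containing the origin and challenge, but the origin binding and the "prove possession without disclosure" property are exactly what this reduced model shows.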
Transition period for passwords
Passkeys are now available in many operating systems and browsers, and many websites support the procedure, but by no means all. That is why passwords with two-factor authentication will continue to play an important role for some time, and the basic rules for a secure password still apply:
- The longest possible password, consisting of special characters, numbers, and upper- and lower-case letters. Tip: form a long, memorable sentence and take the first character of each word to form the password.
- A unique password for each web service. Use a password manager (in the browser, in the operating system or an external password manager).

The Baggenstos experts are happy to show you how to make your organisation immune to phishing and make digital life easier for your employees. Contact us and introduce passkeys into your IT and web services together with us.