And Will Passkeys Permanently Marry You to Apple?
Humans are weak and so are our passwords. We make easily memorizable (read: guessable) passwords that accidentally invite cybercriminals and identity thieves into our homes, offices and bank accounts like a neighbor for afternoon tea. The solution? Remove humans from the tea party.
Enter Apple. At the company’s annual WWDC developer conference, Apple proposed a new form of authentication that may put passwords entirely out of business. But are we truly ready to retire those decades-old, reuse-for-everything-but-the-kitchen-sink passwords?
Many tech giants are making the move away from passwords and towards passkeys. Why? Because our passwords stink. While a password is a series of numbers, letters, and symbols typed in by a user to unlock an account, a passkey is a form of biometric authentication that is stored on the physical device. Instead of typing “123456” into any given account (which happens to have been the most common password for many years running, along with, you guessed it, “password”), Apple proposes a fingerprint or face ID that would automatically sign you into your accounts by unlocking your device. Should you lose or break that phone, passkeys are backed up to the iCloud Keychain and synced across devices. Not to mention, the keys will allow us to sign into websites with end-to-end encryption, further deterring hackers from reaching any valuable data.
How Passkeys Are Like Nuclear Launch Codes
Passkeys can be compared to the “two-man rule,” which is the extra layer of protection behind the launching of nuclear missiles. This rule basically requires that two (or more) people each have a key that operates only when paired simultaneously with the other key. In order for anyone to push the missile-launching red button, each key holder needs their physical key to unlock it. This creates a buffer against mistakes (no spilled coffees starting nuclear war, phew!), emotional overreaction, and hacking. Cybercriminals are much less likely to hack both ends of the passkey: both the user end on the device and the company end on the website. By removing weak passwords on the user end, and weakly protected databases of passwords on the website end, hacking is less likely to exploit the human element.
The introduction of passkeys to replace passwords has us wondering: what are the unintended consequences of this new and shiny solution? We must remember that hackers are the masters of unintended consequences. While we cannot be sure of these downsides, we know that the good guy’s solution is the bad guy’s shiny new opportunity. For example, passkeys will unintentionally increase the marketplace for stolen credentialized devices (working smartphones along with their working passcode). This may introduce a greater physical threat of violence as cybercriminals target the parts of the equation held by us consumers.
Another thing to keep in mind is the myriad of ways in which we are in Apple’s pocket by keeping their products in ours. Apple is very intentionally leveraging security to keep us roped into their products. In fact, they have made security and privacy one of their key competitive differentiators.
So is it worth it? Are we willing to be beholden to Apple products for better security? That is for you to decide as we head into a new password-less era. Like with most new technology, it’s often better to pause, observe, and wait for the unintended consequences to pan out. While it would be easy to throw our hands up, smile at the face ID, and get to our Netflix show without touching a keyboard, we have to know what measures are in place to protect our most valuable capital. And we won’t really know that until cybercriminals have a crack at it.
Pros of Apple Passkey
- Efficient and easy to use (no more memorizing guessable passwords!)
- Less fallible than human knowledge/memory
- Social engineering is taken out of the equation
- Security is no longer reliant on that password that you created ten years ago and have copy/pasted since
- Stored on the device and therefore more resistant to data breaches
- End-to-end encryption (that even Apple supposedly can’t view)
Cons of Apple Passkey
- Increases the marketplace for stolen credentialized devices
- Increased dependency on the phone and upon Apple
- Unknown how passkeys would work for non-Apple users
Things to keep in mind about all technological advances
- Big promises will always have unintended consequences
- In general, it’s better to wait and see when it comes to new technological advances, especially in organizations, where rolling out a new technology can create massive headaches.
- Biometrics are not the end-all solution even if they are safer. How companies store and protect that data matters too.
John Sileo shares his story of losing everything to cybercrime with keynote audiences around the world. He specializes in the human element of cybersecurity and how technological changes like the death of passwords can derail an entire organization. Contact us at 303.777.3222 to see how John would customize for your event.