Microsoft joins Apple and Google in rolling out passkey support for consumer accounts for passwordless logins
Microsoft has introduced passkey support for consumer accounts. Passkeys are a passwordless login method designed to prevent account takeover by reducing or eliminating the use of passwords. Instead of a password, facial recognition, a fingerprint scan or a PIN code is used to log into an account.
Modern methods of protecting online accounts
Passwords for online accounts often require a nasty combination of lowercase and uppercase letters, numbers and symbols that are easy to forget and tedious to type, but which can be stolen by hackers through phishing, malware and other methods.
One way to improve account security is to require a one-time PIN sent by text message along with the password. While this is more secure than a password alone, hackers can still intercept the code through illegal SIM cloning (https://theintercept.com/2020/09/25/surveillance-sim-cloning-protests-protect-phone/), SIM swapping, mobile phone hacking and interception of cellular networks, as seen in attacks on high-profile figures such as the president. Even so, most PIN-protected accounts are still better protected than those with a password alone.
Another way to improve account security is to use two-factor (2FA) hardware devices or software (such as these on Amazon) that generate a unique code you must enter along with your password. While 2FA software is vulnerable to malware and cloning, 2FA hardware is difficult to copy, which has made it popular for protecting accounts. However, hackers have also found ways to bypass 2FA security.
Passkeys
The problem of forgotten passwords remains with the methods above, which is why large companies such as Apple, Google and Microsoft are promoting passkeys as an alternative to 2FA hardware. For most users, a passkey login is confirmed by facial recognition, a fingerprint scan, or entering a PIN on the person's smartphone. Microsoft states that all biometric data remains on the user's device and is never sent anywhere.
One benefit of a passkey system is that a unique cryptographic key pair is created for each online account. A login credential for one account will not work for another. Readers who want to try the new world of passwordless login can read about setting up passkeys for consumer accounts at Microsoft, Apple, and Google.
Readers who don't want to use passkeys can still use PIN codes or hardware 2FA devices like this one from Amazon (be sure to buy a second one as a backup).
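As an added illustration (not Microsoft's, Apple's or Google's code) of the per-account key pair described above, here is a minimal Go model of a passkey login: the device holds a separate P-256 key pair for each site and account, signs the site's challenge together with a hash of the site's identifier, and the site verifies with the public key it stored at registration. The names `bank.example`, `bank-login.example`, `alice` and the challenge bytes are constructed, and the signed message is simplified from real WebAuthn authenticator data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the user's device: a separate key pair per (site, account), never reused.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a fresh P-256 key pair bound to rpID; only the public key leaves the device.
func (a *Authenticator) Register(rpID, user string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID+"/"+user] = priv
	return &priv.PublicKey, nil
}
// Assert answers a login challenge with the key for the site the browser is actually on,
// signing sha256(sha256(rpID) || challenge) so the answer is bound to that one site.
func (a *Authenticator) Assert(rpID, user string, challenge []byte) (rpHash, sig []byte, err error) {
	priv, ok := a.keys[rpID+"/"+user]
	if !ok {
		return nil, nil, fmt.Errorf("no credential for %s", rpID)
	}
	sum := sha256.Sum256([]byte(rpID))
	msg := sha256.Sum256(append(sum[:], challenge...))
	sig, err = ecdsa.SignASN1(rand.Reader, priv, msg[:])
	return sum[:], sig, err
}
// Verify is the site's check: the signed rpID hash must be its own, and the signature must match the stored public key.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, rpHash, sig []byte) bool {
	want := sha256.Sum256([]byte(rpID))
	msg := sha256.Sum256(append(want[:], challenge...))
	return string(want[:]) == string(rpHash) && ecdsa.VerifyASN1(pub, msg[:], sig)
}
func main() {
	dev := NewAuthenticator()
	pub, _ := dev.Register("bank.example", "alice")
	challenge := []byte("constructed-challenge") // a real server sends fresh random bytes per login
	rpHash, sig, _ := dev.Assert("bank.example", "alice", challenge)
	fmt.Println("genuine login verifies:", Verify(pub, "bank.example", challenge, rpHash, sig))
	_, _, err := dev.Assert("bank-login.example", "alice", challenge) // lookalike site relaying the challenge
	fmt.Println("lookalike site:", err)
}
```

Because the device only has a key for the exact site it was registered with, a lookalike domain gets no credential at all, and a signature produced for one site fails verification at any other.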
Potential passkey problems
Passkeys create potential problems and vulnerabilities of their own. The first is the lack of two different login credentials: only a phone or a 2FA device is required, so a stolen device has full login capability to all accounts. Kids know how to look over your shoulder to steal your PIN, hackers have bypassed Microsoft's facial recognition system (https://www.cyberark.com/resources/threat-research-blog/bypassing-windows-hello-without-masks-or-plastic-surgery), and fingerprints have been copied before. Additionally, many passkey-protected accounts remain vulnerable because a password is still used as the recovery method. More importantly, if a biometric such as your fingerprint is cloned, you can't change it short of surgery, so hackers can impersonate you for as long as you keep using that same fingerprint for authentication.
Losing the passkey database is also a serious problem. If passwords are eliminated entirely, losing a passkey database without a secure account recovery method can instantly lock users out of their accounts forever, as many Bitcoin holders have experienced after losing their smartphones. The problem remains serious enough that even the author of webauthn-rs remains unconvinced, as do the many users who have reported that their passkeys were mistakenly deleted by Apple and other companies. Additionally, the NSA knows that modern non-quantum cryptography is at risk, so cautious users should be wary of cloud-based passkey backups.
Secure Password and Account Strategies
Password managers like 1Password and LastPass have been hacked multiple times, so even letting your web browser remember your secrets may be a bad idea, since one successful hack could put all of your accounts at risk. Instead, use a password strategy that you can easily remember. For example: your favorite long phrase + the initial letter of the site name + a number + a symbol.
Another good strategy is to isolate and separate. For example, use one email account just for finances and another for regular correspondence, each with a different password. Laptops are cheap enough (like this one on Amazon) that you can buy one purely for financial use.
Since SIM swapping poses a threat to all users who secure accounts with their phones, read how to protect your SIM card as a T-Mobile, Verizon, or AT&T user.