The question isn’t if your passwords will get stolen, but when.
Over 24 billion usernames and passwords were available on the dark web last year, a 65% increase since 2020, according to research from Digital Shadows, a digital risk protection company. Using strategies like brute force attacks and keylogger malware, hackers are able to harvest private login information at scale, often without users even realizing it.
Password managers offer a way to mitigate these risks by letting users create a separate password for each login. But the passwords themselves can still leave you vulnerable to bad actors and scams. Phishing has become increasingly sophisticated, with hackers creating fake password manager login pages that look exactly like the real thing. Reported phishing attacks are up 250% since 2019, according to a recent FBI internet crime report.
As such, the cybersecurity industry is working to adopt solutions that would remove the need for passwords altogether. The latest technology uses what is known as a passkey, and leading password manager providers like Dashlane offer in-app passkey functionality to make your digital life safer and more secure. Dashlane is on CNET’s shortlist of the best password managers.
Both Apple iOS and Google Android will offer third-party passkey integration in their next software updates later this year. Here’s what to know about passkeys, along with how to start incorporating them into your digital life.
What are passkeys, and how do they work?
A passkey is a pair of cryptographic keys that are produced by an authenticator. Examples of an authenticator include a smartphone or your preferred password manager software. For an authenticator to be legitimate, it requires a form of user verification, such as a master password or a biometric sensor. Examples of biometric verification include face and fingerprint scanning technologies.
One cryptographic key is public, while the other is private. When you log in with a passkey, your authenticator will generate a public key for that server. The server will also send a challenge to your authenticator’s private key, which your authenticator will solve and send back to the server.
Think of this as the server asking your private key to do a math problem that only your private key could solve. Your private key solves the problem and marks it with a signature. Then, the signature is corroborated by your public key to prove the login really came from you.
Still with us? Here’s what matters: The website you signed into never needs to know your private key to confirm the login attempt came from you. This gives passkey technology a leg up on passwords, which lose their inherent security when shared or stolen.
Additionally, since the two-factor authentication requirement is satisfied entirely within the passkey experience, you won’t need to worry about one-time passcodes or six-digit SMS codes when using them.
Passkeys are the future, and they’re the result of over ten years of effort from cyber industry leaders and organizations like the Fast Identity Online (FIDO) Alliance.
Why use a password manager for your passkeys?
Although some operating systems like iOS and Android have begun implementing passkey technology, it’s important to remember that these passkeys will only work in their respective ecosystems.
If you use different operating systems—for example, Windows on your work computer and macOS on your personal tech—the better option might be to use your password manager as your passkey provider instead.
Leading password manager technologies like Dashlane allow you to take your passkey records with you from system to system without having to re-authenticate all your logins. By taking the time to learn about and implement passkey technology, you’ll ensure your most valuable online assets remain safe and secure in an ever-changing digital world.