
Security keys and passkeys offer a safer, more convenient route to online protection: Internet Scambusters #1,075
Security keys - smart plug-in devices that uniquely identify a computer user - could be on the way to replacing cumbersome passwords.
Alternatively, another technology, confusingly labeled "passkeys," could be the way forward to safeguard your online activities and accounts.
In this week's issue, we'll explain how these two solutions work and why they're better than traditional passwords.
Let's get started…
Will Security Keys Spell The End Of Passwords?
Thousands of data breaches and millions of individually hacked accounts and computers remind us of something most of us probably already know - passwords are past their sell-by date.
They're no longer enough to protect us from online scammers and hackers. So, over the past few years, security experts have been coming up with new ideas to protect us from the online baddies.
First, there were password managers helping us to create unique and complex strings of characters that crooks find tough to crack or reuse.
Then there is multi-factor authentication (MFA), which effectively requires a second code, either sent to the user via an SMS text message or generated by an authenticator app on your phone.
Next, we got biometrics - things like fingerprint scanners and facial recognition devices.
We've discussed all of these many times in the past. (Search the Scambusters site for the relevant issues.)
But each of them has weaknesses. We've seen password manager databases hacked, MFA codes intercepted, and facial recognition technology tricked by photographs - though using any of them is still safer than using none at all.
What's next?
Two hopeful solutions have shown up on the horizon - USB security keys and passkeys. Let's take a quick look at both. And we promise not to get too technical!
Security Keys
These are usually plug-in USB devices that establish a unique relationship with your computer or mobile device. One key can be used on multiple devices, but each device has its own separate relationship with the key, established when you set it up.
In simple terms, they check in with each other like all good partners do. If an app or online account doesn't recognize the key or if the key is plugged into an unpaired device, you won't get access.
So, a fraudster would need to have both the device and the security key to cause trouble. Even then, in some cases you might be able to password-protect the key.
Backstage, a lot of technical stuff goes on to encrypt or jumble up the relationship, but you don't need to know about that. Otherwise, setting up is quite easy and straightforward.
Of course, there are downsides, notably the risk of losing the key, which you wouldn't want to keep permanently plugged in for the reason stated above. You'll need a backup solution, available from many providers.
Also, for now, not all devices and online service providers have a security key option. Plus, there are several different types of formats or protocols that work with some devices but not others.
So, before you go down this route, you need to check compatibility - like the right USB connection, the right protocol, and the availability of security key authentication. Most of the big online players like Google, Amazon, and Facebook use them in the same way as multi-factor authentication.
In fact, Facebook has a good page explaining how their security keys work.
Another risk is the possibility of unwary consumers buying doctored security keys from unreliable sources, which then transmit data to scammers.
Bottom line: Used properly, security keys lock out the crooks, even if they know your sign-on details and other authentication codes. Lookalike phishing sites won't work either. It's likely the way forward but you need to spend a little time getting to understand and use them. And always buy from a trusted, reliable source.
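For readers who do want a peek backstage, here is a simplified model of why a lookalike site gets nothing useful from a security key. It is an example added here, not code from Scambusters or from any key maker; the site addresses are made up, and a shared-secret HMAC stands in for the public-key signature a real key produces.

```python
import hashlib
import hmac
import secrets

class SecurityKey:
    """Toy model: one secret per site; HMAC stands in for a real key's signature."""
    def __init__(self):
        self._per_site = {}  # site address -> secret created at setup time

    def register(self, origin):
        # Setup: create a fresh secret bound to this exact site address.
        secret = secrets.token_bytes(32)
        self._per_site[origin] = secret
        return secret  # stand-in for the public key a real key hands over

    def respond(self, origin, challenge):
        # The browser, not the web page, reports which site is asking.
        secret = self._per_site.get(origin)
        if secret is None:
            return None  # never paired with this site: nothing to send
        return hmac.new(secret, origin.encode() + challenge, hashlib.sha256).digest()

class Site:
    def __init__(self, origin):
        self.origin = origin
        self.enrolled = {}  # username -> verification secret

    def enroll(self, user, key):
        self.enrolled[user] = key.register(self.origin)

    def new_challenge(self):
        return secrets.token_bytes(16)  # fresh random value for every login

    def verify(self, user, challenge, response):
        secret = self.enrolled.get(user)
        if secret is None or response is None:
            return False
        expected = hmac.new(secret, self.origin.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo():
    # Constructed addresses, for illustration only.
    key, bank = SecurityKey(), Site("https://bank.example")
    bank.enroll("alice", key)
    c = bank.new_challenge()
    genuine = bank.verify("alice", c, key.respond("https://bank.example", c))
    # A lookalike page passes on the bank's challenge, but the browser reports its own address.
    phished = bank.verify("alice", c, key.respond("https://bank-login.example", c))
    replayed = bank.verify("alice", bank.new_challenge(), key.respond("https://bank.example", c))
    return genuine, phished, replayed
```

Calling demo() returns whether the genuine login, the lookalike-site attempt, and a reused old response were accepted; only the first is.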
Passkeys
Microsoft is betting on this technology as a security solution to replace regular passwords without needing hardware like security keys. Yet, it's still a password of sorts.
Sometimes known as a passphrase, a passkey usually uses a much longer string of easy-to-remember words than conventional passwords - a line from a song for example - that converts in your device to a jumble of unrecognizable numbers.
The string is stored on your computer and the user can then either key it in or use a biometric technique to pair themselves with the device. If they don't match, you don't get in.
The increased length of the passkey and its encrypted storage make it virtually impossible for fraudsters and hackers to identify. It verifies the identity of the user to allow them to access their computer system.
Of course, as with regular passwords, the security of passkeys is only as good as the words and characters the user selects. But because no USB hardware is required (unless you're using biometrics), you're at less risk of being locked out of your device.
On balance, we think security keys point the way forward, but it's perfectly possible to combine the two technologies to make your computer or mobile device security water-tight. Until the crooks find a way of circumventing them too!
This Week's Alerts
Ukraine twist: Romance scammers have hit on a new idea to snare victims. They pretend to be US soldiers on active service in Ukraine. They ask for money to pay for a care package, using a fake military website (that looks real). There is no publicly-known US military presence in Ukraine, so ignore these phony Romeos.
Tax refund letters: Instead of using familiar email and text messaging to reach victims, scammers have turned to snail mail to try to trick people into thinking they have a tax refund on the way. A report from the stock trading exchange Nasdaq says the crooks send out letters in official-looking, cardboard envelopes pretending to be from the IRS and asking for confidential information.
The letters apparently have all sorts of errors including punctuation and spelling mistakes as well as changes in fonts/typefaces partway through. Ditch them. And if you think you really are entitled to a refund, contact the IRS.
That's it for today -- we hope you enjoy your week!

