The new generation of password protection has entered its next phase with Google announcing that it will introduce passkeys to help users with passwordless login. Passkeys, which have already been around for a few years, are alternatives to passwords that rely on users’ fingerprints or eye biometric data stored locally on devices to log into accounts. While this means that logging in might be easier and more secure, these efforts are in vain until the passwords still offered alongside passkeys as an alternative are removed entirely.

“The technology itself is not new, it’s just the details of implementation and the wide acceptance of this as a standard,” explained Tal Zamir, CTO of Perception Point. “I think it is not bulletproof. They might sell it as a great new frontier, but attackers are not stupid and they’re looking at these new technologies, and they’re finding new ways to bypass them.”

Zamir celebrated that a consortium of companies – mainly Microsoft, Google, and Apple – has started implementing this new technology on their devices, which is a strong start to securing user identity against the evolution of cyber threats. However, passkeys are currently being used alongside traditional passwords – and as long as passwords are still in use, hackers can exploit old-fashioned methods of phishing and other attacks.

“As long as you have a way to log into your account without the passkey but with the traditional password, attackers will take advantage of this and they will try to trick you into providing your master password and second-factor authentication to take over your account,” Zamir said. “Until we completely eliminate that, there will always be a way to recover your account and then fall back to traditional authentication mechanisms.”

Perception Point protects organizations against cyber threats that usually focus on users, who might be the weakest link at any given enterprise. Areas of protection include email phishing attacks, scams, and malware. The company helps other organizations prevent their users from clicking on corrupt links and secure cloud apps like Teams or Zoom, and it also offers a managed service.

Passkeys represent a new era of password protection which, until now, has remained generally weak. People tend to be creatures of habit who use the same passwords for several accounts, making it easy to hack several places with one attack. Two-factor authentication via email or cell phone slows the attack down but doesn’t prevent it entirely. Only passkeys (and passkeys alone) can offer the most secure defense against those trying to attack you.

“As long as the password is still live it is still a problem,” he added. “But there are still some issues for users to adopt this psychologically. Passwords make you feel more in control, they’re a 1000-year-old concept. We’ve been using it since the Medieval days. People understand this and giving away this control and saying ‘We won’t use them anymore and we will just trust Google or Apple to keep my identity somewhere without me owning it’ will be something for people that is initially hard to realize and embrace.”

It is an odd feeling for some to realize that their passkeys will be, ultimately, controlled by tech companies. While they claim that the biometric data does not leave the device and is not stored on their cloud, it might take some time before people feel comfortable with this new gateway. This writer dropped his phone and damaged one of the front-facing cameras, meaning that logging into a banking or financial service proved impossible since it couldn’t read his face. It was something a simple password would have prevented, and a preview of how problems might look in the future.

Ultimately, Zamir believes that passkeys will be a lot safer than current methods of passwords and two-factor authentication. That is not to say that Perception Point will soon be out of work – far from it. “Attackers are switching from traditional methods of tech to more social engineering that doesn’t require any passwords… A lot of our future is around this kind of social engineering protection – and passkeys won’t protect you against that. If I’m convincing you to do something, then I am convincing you to do something. You do it with your own identity.”

Perception Point will soon be focused on protecting those who might willingly give away their information without the need to exploit password information. Think of the classic ‘Nigerian Prince’ email scam, but personalized to each victim based on AI technologies that can target specific people via a method known as spear phishing. “It’s crazy and it’s real,” he concluded. “This is a lot of our focus going forward.”

This article first appeared on Calcalistech, written by James Spiro on May 22, 2023.