Passkeys are being hailed as the future of online security, promising to replace passwords and protect against phishing attacks. However, a recent warning from both Google and Microsoft highlights a critical gap: passkeys alone are not enough to safeguard your accounts. The weakness lies in the fallback and recovery methods, such as passwords and SMS recovery codes, that remain enabled alongside the passkey and can still give an attacker a way in.
Google emphasizes the importance of two-step verification (2SV) even when using passkeys. This additional layer is crucial in preventing unauthorized access, especially when an attacker impersonates the user and claims to have lost the passkey in order to trigger account recovery. Google recommends Google Prompts or an authenticator app, both of which are a more secure alternative to SMS one-time codes.
Microsoft, in its own advisory, underscores the need to eliminate all phishable credentials, including passwords and SMS methods, to ensure the effectiveness of passkeys. The company warns that as passkey adoption increases, traditional attack methods are being shut down, but this also opens up new attack surfaces, particularly in account recovery processes.
The key takeaway is that passkeys are a significant improvement over passwords, but they should not be considered a standalone solution. Users must take proactive steps to strengthen their security by disabling SMS codes and enabling 2SV with a stronger method such as a prompt or authenticator app. By doing so, individuals can significantly reduce the risk of falling victim to cyberattacks and protect their valuable online accounts.
In the ongoing battle against cyber threats, staying informed and adopting a multi-layered security approach is essential. As technology evolves, so do the tactics of cybercriminals, making it crucial for users to stay vigilant and adapt their security measures accordingly.