We've excised the text, but suffice it to say that the whiteboard contains usernames and passwords for system access. It's a change from a Post-it note stuck to the screen, but it's no less likely to make a security professional shriek in horror. After all, not only is the account exposed, but anyone can use it, which renders an access log somewhat redundant.
The prospects for phishing in the era of AI could be huge. We've (arguably) moved well beyond requests for money from fake nation-state princes; we're now in a place where all message formats (emails, audio messages or video messages) can be faked. "We are going to have to have multiple trusted channels with those who are close to us. If one channel, email, WhatsApp, Slack, etc. gets an important message, you may need to validate this on another channel."
Due to its roots in public key cryptography (see ZDNET's primer on the role of public key cryptography in making passkeys work), the passkey standard makes it possible to log in to a website or app (collectively referred to as the "relying party") without the need to input your secret (your password) in order to complete the login process. In fact, the passkey standard enables relying parties to eliminate passwords altogether.
The first of these entities is the authenticator -- not Google's Authenticator or Microsoft's Authenticator, necessarily; rather, it's usually an integral component of your password manager. In fact, given the degree to which authenticators are typically built into password managers, the phrase "authenticator" is often omitted from discussions about credential management. However, since authenticators can also exist as stand-alone components (separate from any password management capabilities), it's helpful to consider their unique role as independent actors in any passkey workflow.
X (formerly Twitter) sparked security concerns over the weekend when it announced users must re-enroll their security keys by November 10 or face account lockouts - without initially explaining why. The cryptic mandate from X Safety on Friday led many to suspect a security breach was behind it. When a platform forcibly rotates security keys, it's often a sign it is working through incident response protocols - eradicating adversaries from a network and keeping them out.