The answer may surprise you, but not cybercriminals.
How secure you can be online comes down to what authentication methods you use across your accounts.
Aside from traditional passwords, some of the most widely used authentication methods, like SMS-based one-time passcodes, are free for the user but are also the most insecure, and they come with hidden long-term costs and heightened risks.
In reality, when it comes to protecting your digital identity, it is important to understand and weigh the benefits of each option available and what works best for your personal risk model.
The hidden costs of passwords
Passwords alone have proven to be inadequate for securing online accounts. People often reuse passwords across multiple accounts, making it easier for attackers to compromise their digital identities.
Basic, formulaic and recycled passwords are easily exploited and may lead to monetary and legal consequences. However, passwords are still a necessary evil for the majority of applications, so consumers must use strong passwords and find a highly secure yet easy way to store them.
Investing in a good password manager is a good way to overcome this challenge. For the strongest protection, it is advisable to use hardware-based multi-factor authentication (MFA), such as a security key.
Not all MFA is hack proof
Not all multi-factor authentication methods are created equal, nor were they all designed with security as the first priority. In fact, the most common (and free) MFA solutions deployed over the last 20 years, like codes sent via SMS, or even authenticator apps and similar tools, often require memorization and a phone that is connected, charged and in working order.
Prior to the creation of hardware security keys, users had very few options for authentication, none of which were truly phishing-resistant. Those options included a battery-powered time-based token (whose battery could die at the most inconvenient time) and a ‘push app’ that required the user to have their phone, and an internet connection, with them at all times.
All of these legacy authentication methods have proven to be susceptible to various schemes hatched by cybercriminals.
Biometric security is also vulnerable
Unlike a password that can be hacked or stolen and leaked, biometric information is much harder to steal — but it is not impossible for cybercriminals to bypass. In the past, a commonly used fingerprint database was compromised and people’s fingerprint images were stolen and used for unauthorized access.
Another technique for getting around popular biometric security methods, such as Microsoft’s Windows Hello and Apple’s Face ID, is facial spoofing, in which a fraudster tries to bypass a facial recognition system by presenting a faked face to the camera.
How to be phishing-resistant
Passkeys are a modern phishing-resistant MFA option that seamlessly authenticate users by using cryptographic security “keys” stored on their computer or device.
Such security keys are considered a superior alternative to passwords and legacy authentication methods since users are not required to recall or manually enter long sequences of characters that can be forgotten, stolen or intercepted.
Another benefit of passkeys is that they can be used across a number of devices. Device-bound passkeys, such as those held on a hardware security key, are the more secure option and are designed to be at least as easy to use as traditional authentication methods — they do not require batteries or a wireless connection to work.
Put simply, passkeys are a more secure authentication method because they are phishing-resistant while remaining easy to use — making the transition to passwordless more seamless. Acknowledging that it will take some time to completely eliminate passwords, everyone can fortify their online security with a reputable password manager, coupled with the added protection of phishing-resistant MFA.