Major alert that YOUR password is no longer protected. Here’s the best way to fix it: step by step, how to navigate the complicated world of passkeys

Has the time come to ditch your password… for good?

Passwords have provided a safe way of securing our digital accounts for decades. But a secret string of letters and numbers is no longer enough to keep your personal information safe online.

In a major and rare security warning, GCHQ, the Government intelligence, cyber and security agency, has declared that people should stop relying on passwords to protect their accounts as they have become too vulnerable to hackers.

According to the National Cyber Security Centre (NCSC), a branch of GCHQ, all passwords should be replaced immediately with something called a passkey.

So, what exactly is a passkey, how does it work and why is it more secure than a password? Here’s everything you need to know – including how to set one up on your devices.

What is a passkey?

A passkey is a method of logging in to your online accounts, such as your banking app, social media accounts or your emails, without using a password.

It is made up of two elements. One is a short PIN code that only you know, or an alternative method of identifying yourself, such as biometrics that read your fingerprint or identify you by your face.

The second is that the passkey is linked to one specified device, such as your mobile phone or computer. Once you enter your PIN, your device communicates with the website you are trying to log in to, to confirm it is you and grant you access.


That means that to log on using a passkey, you will need to both prove your identity and to use your specified device.

So, even if someone knows your PIN, for example, there is no risk that they will get into your account unless they also have your device.

Have you ever unlocked your phone by entering a PIN or using Face ID? If so, you have used a passkey – even if you didn’t know it at the time. It is this same technology that is being rolled out and that should ultimately replace passwords.

What is the difference between a passkey and a password and why is it better?

Passkeys should be easier to use than passwords because you don’t have to remember long strings of letters, numbers and symbols for your various online accounts.

When you go to log in to an online account you should only have to put in your username and then scan your fingerprint, your face or enter a PIN code to log in.

But the greater benefit is that they should be much more secure.

Cyber criminals have become very proficient in stealing passwords. They may do this by tricking you into handing yours over – for example on copycat websites that look like trustworthy ones. They also gain access to passwords through hacking company websites and databases and sharing or selling this to other criminals online.

Although we are often told not to, many people use the same password multiple times across several websites, because it’s easier to remember one than having several. But that means that once a criminal has your password for one account, they can break into others as well.

Cyber expert Robert Pritchard says: ‘The problem with passwords is that people reuse them. This means hackers can get into multiple accounts with one password. And people are also easily convinced to give that password away to fake websites, in a scamming technique called phishing.’

Passkeys are much harder to exploit. You need the device itself to log in with the passkey, so scammers cannot do so remotely.

Cyber security expert Colin Tankard says: ‘Your money is much more secure because you need to have the device and the PIN to activate the key.

‘In financial transactions this can help you avoid something called a man-in-the-middle attack. This is where you are using a banking app on a public Wi-Fi network and hackers monitor the network to pick up the passwords you have entered on there.

‘It’s far harder for hackers to gain access through a passkey this way.’


What if your phone is stolen?

If you keep your passkey on your phone and it is snatched away, you might fear that all your accounts are now exposed. But there are a few security features that should protect your details.

Firstly, even if your phone is stolen, the thief would not have access to your biometric data (your fingerprint or your face). It’s not possible to use a picture of your face to bypass biometric scanners – the technology usually projects invisible dots across your physical face to ensure you are indeed in front of the camera, something that can’t be recreated by a photo.

If you use a PIN as your passkey, this would also be hard for a criminal to crack. They would have to guess your PIN and input it into your device manually – that in itself would restrict the number of guesses they could make because the process is time consuming. But, on top of that, most passkeys have a limit on the number of times you can input the wrong PIN before the account is locked. For example, an iPhone usually locks you out of your account after ten incorrect attempts.

Of course, there is always a risk that the criminal makes a lucky guess – but you can reduce the chances by picking a PIN that is not obvious – avoid, for example, 1-2-3-4 or 0-0-0-0 or your date of birth.

Remember that with a passkey, you are only trying to keep out a criminal who has got hold of your device. With a password, you are battling against any number of hackers who could use sophisticated technology to crack your password or try to access your account remotely.

If the thief does know your PIN code, you should still be able to remotely shut down the accounts before the hacker gets in.

You can do this by using a service such as Find My if you have an Apple device or Find My Device for Google devices to wipe them remotely. These can be accessed on your computer as soon as you get home.

The recovery process can be cumbersome, however, so try to set up an alternative device you keep at home, such as a laptop, with a passkey, to allow you to access your accounts even if you lose one of your devices.

Mr Tankard says: ‘Nothing is 100 pc safe but using a passkey reduces the risk of being hacked significantly compared to using a password.’

How do you switch your passwords to a passkey?

There is no central system for swapping all your passwords to passkeys.

If you want to set up a passkey instead of a password on your accounts, you have to go to each website or app where you want to make the switch, one by one – although the process is broadly the same whether you use an Apple or Google phone.

Companies and websites that offer a passkey should give you the chance to use it when you go to their ‘log-in’ page.


For example, if you attempt to log in to your Google account, a message should pop up offering you the option of setting up a passkey instead of your password. You will then register your specific device, set up a PIN code and choose if you want to use your biometrics to log in. If you have a smartphone, this means you can log in using your face or your fingerprint, rather than typing in your password. You should be able to do this with any smartphone with biometric features.

One important caveat is that most websites and apps will not disable your password entirely. This is because passkeys are not universally implemented yet, so most companies offer it as an alternative method to log in.

The hope is that once people understand and use passkeys regularly, passwords can be scrapped entirely. In that sense, the sooner we all become familiar with them, the better for everyone. But, until all web services move to passkey-only systems, your accounts are still vulnerable to someone using your password.

Until passwords are scrapped for good, the other way to further secure your data against password theft is to set up two-factor authentication.

This is slightly different to a passkey as it is an extra layer of security to your password. Two-factor authentication usually requires you to provide two forms of identification to access an account, for example a password and a temporary code, which is sent to your phone or email.

While a lot more secure than just using a password, two-factor authentication is not as secure as passkeys. This is because your second code can also be ‘phished’ remotely. For example, if you are on a call with a scammer who is posing as an official from your bank and they ask you for the code, your account could be compromised as they can use that to log in. You could also accidentally input the code into a fake website found in a phishing email.

A passkey, by contrast, will only work on your device and will not work on a fake website.
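To show why a texted code can be relayed by a scammer but a passkey cannot, here is an added Python model that is not part of the article. Passkeys are built on the FIDO2/WebAuthn standard (which the article does not name), where the browser, not the web page, records the site’s true origin in the data the device signs; in this model an HMAC over a per-site key stands in for the real public-key signature so it runs with the standard library alone, and the site names are constructed.

```python
import hashlib, hmac, json, secrets

class Authenticator:
    # The user's phone: one credential per site (rpId), released after PIN/biometric unlock.
    def __init__(self):
        self.keys = {}                                  # rpId -> device-held key

    def register(self, rp_id):
        self.keys[rp_id] = secrets.token_bytes(32)      # stand-in for the private key
        return self.keys[rp_id]                         # stand-in for the public key the site stores

    def sign(self, rp_id, client_data):
        key = self.keys.get(rp_id)                      # a look-alike domain has no matching credential
        return None if key is None else hmac.new(key, client_data, hashlib.sha256).digest()

def client_data(origin, challenge):
    # Written by the browser, not the web page, so the page cannot lie about its origin.
    return json.dumps({"origin": origin, "challenge": challenge}, sort_keys=True).encode()

class RelyingParty:
    # The genuine site's login server (constructed example, not any real bank).
    def __init__(self, origin):
        self.origin, self.rp_id = origin, origin.split("://", 1)[1]
        self.verify_key = self.challenge = self.otp = None

    def issue_challenge(self):
        self.challenge = secrets.token_hex(16)
        return self.challenge

    def verify_assertion(self, data, sig):
        fields = json.loads(data)
        if sig is None or fields["origin"] != self.origin or fields["challenge"] != self.challenge:
            return False                                # wrong site or stale challenge
        expected = hmac.new(self.verify_key, data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)

    def issue_otp(self):
        self.otp = f"{secrets.randbelow(10**6):06d}"    # the texted/emailed code
        return self.otp

    def verify_otp(self, code):
        return code == self.otp                         # nothing ties the code to where it was typed

def passkey_login(rp, device, page_origin):
    # The user is on page_origin, genuine or look-alike; a phisher may relay the real challenge.
    data = client_data(page_origin, rp.issue_challenge())
    sig = device.sign(page_origin.split("://", 1)[1], data)
    return rp.verify_assertion(data, sig)

def otp_login_relayed(rp):
    # The victim hands the one-time code to a scammer (fake site or phone call), who relays it.
    return rp.verify_otp(rp.issue_otp())
```

Registering the device with the genuine origin and then attempting `passkey_login` from a look-alike domain fails, while the relayed one-time code is accepted, which is the gap the article describes.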

How quickly can you set up a passkey?

While it should only take a few minutes to set up a single passkey, it could take a long time to go through all the regular websites you use and switch them over.

It might be easier to switch over the most essential accounts, such as your bank accounts, emails and social media accounts first.

To test how easy it is to set up a passkey, Money Mail tried to set one up for various accounts.

Some accounts are easier to set up than others. Processes vary by website but we found that for iPhone owners, using Apple’s Keychain option was the most straightforward. Google also uses a system called Google Password Manager, which is equally easy to use.

If you have an iPhone, make sure you have ‘iCloud Keychain’ activated by going to Settings, then iCloud, then Passwords. Then tap ‘Sync this iPhone’ to turn on iCloud Passwords and Keychain.

Now this is done, it should take seconds to set up a new passkey. For this example we tried to set it up on WhatsApp. After opening the app, tap ‘You’ in the bottom right-hand corner. Then tap ‘Account’ and then ‘Passkeys’. After tapping ‘Create new passkey’ and then ‘Keychain’, your passkey is automatically set up. This took less than 10 seconds.

Now to log in to WhatsApp on your phone, it requires the passkey, or, in reality, your face.

In theory, you can use laptops or desktop computers to set up a passkey, but it is often not straightforward as most do not have the modern biometric scanning abilities that smartphones do. If you have an older computer that does not allow passkeys to be set up, you may have to use a password for now.