Microsoft’s recent announcement that it was eliminating passwords sent ripples among computer users around the world. How can one safely secure their critical online accounts without a password? Well, not to state the obvious, but the old username/password pair is not exactly the greatest method to secure access to an account.
In fact, the move toward passwordless logins has been in the making for years. Nearly a decade ago Microsoft introduced the use of a personal identification number, or PIN, with Windows 10, and has steadily been encouraging its use over the past few years.
The Windows PIN is actually a passkey, as I discussed here a few months ago (808ne.ws/agsalud passkey). And passkeys are one of the major alternatives to passwords in a passwordless environment. Passkeys are saved on your device and activated using existing methods including biometrics such as fingerprint or facial recognition. Macs are passkey-enabled as well. Of course, biometrics are more secure than a PIN.
In addition to accessing your computer, passkeys can be established with an extensive list of websites. A good source for that is passkeys.directory. All major vendors are certain to support passkeys in the near future.
Other alternatives for passwordless logins include one-time passwords (referred to as OTP) delivered via authenticator apps such as Google Authenticator or Microsoft Authenticator, or one of several less popular apps, all of which include either “authenticator” or “auth” in their names. OTPs are also delivered via plain text message or email.
The “magic link” is another popular alternative for website login without a password. The link is emailed to the account on file, and that link is used to get access to the site.
The obvious question: Are these methods more secure? Isn’t plain texting, or especially emailing a credential, less secure than old-fashioned passwords? After all, haven’t we been warned about the insecurity of those methods over the years? Aren’t these methods just kicking the can down the road and relying on the security of your email?
The simple answer is that most accounts are hacked via so-called brute force password attacks. That is, the bad guys throw literally millions of passwords at a website trying to log in. Eventually one hits, and voila! They’re in. Passkeys, OTP and magic links all eliminate the possibility of brute force password attacks.
What about the security of your email? Many email providers these days force you to use multifactor authentication, commonly called MFA, for your email account. And by now every organization, whether government, business or nonprofit, “should” have implemented MFA in some way, shape or form.
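One way a website could implement the magic link described above, as an added example that is not part of the original column; the class and function names, the example.test address and the 10-minute lifetime are assumptions. It shows why there is nothing for an attacker to guess repeatedly: the token is random, expires and works only once.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 600  # assumed lifetime of a link: 10 minutes


class MagicLinkStore:
    """In-memory stand-in for a server-side table of pending login links."""

    def __init__(self, now=time.time):
        self._pending = {}  # sha256(token) -> (email, expires_at)
        self._now = now     # injectable clock so expiry can be tested

    def issue(self, email):
        # 32 random bytes (256 bits): not guessable the way a
        # human-chosen password is.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Keep only the hash, so a leaked table holds no usable links.
        self._pending[digest] = (email, self._now() + TOKEN_TTL_SECONDS)
        return f"https://example.test/login?token={token}"

    def redeem(self, token):
        digest = hashlib.sha256(token.encode()).hexdigest()
        # pop() makes the link single-use: a replayed link finds nothing.
        entry = self._pending.pop(digest, None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None  # link was valid once but has expired
        return email


def token_from_link(link):
    """Extract the token query parameter from an issued link."""
    return parse_qs(urlparse(link).query)["token"][0]


if __name__ == "__main__":
    store = MagicLinkStore()
    link = store.issue("user@example.test")  # constructed sample address
    print(store.redeem(token_from_link(link)))  # first use logs in
    print(store.redeem(token_from_link(link)))  # second use is rejected
```

Whoever can read the mailbox can still use the link within its lifetime, which is why the protection on the email account itself matters.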
John Agsalud is an information technology expert with more than 25 years of IT experience in Hawaii and around the world. He can be reached at jagsalud@live.com.