If you’ve been hearing a lot more about passkeys recently, there’s good reason for it.
After becoming more widely available in 2022, passkeys have surged in popularity, driven by ease of use and increased security over the traditional password. The FIDO Alliance, the consortium that drove the development and adoption of passkeys, noted in a 2026 survey that some five billion of them are now in use globally and about 90 percent of people are aware of them. The first Thursday in May, which was once known as World Password Day, has even rebranded to World Passkey Day.
The surge in passkey adoption comes even as phishing and sophisticated AI-powered hacks have made protecting yourself online more important than ever. Experts say that switching from passwords to passkeys whenever possible is one way to reduce the risk of remote phishing attacks that target employee login credentials.
“The passkey is a key element–not a magic solution–to eliminating that risk,” says Eric Sachs, corporate vice president of identity and network access at Microsoft. “You’ll still have other cybersecurity problems now with AI, but if you can get rid of the number one risk, you can turn your attention somewhere else.”
What are passkeys, anyway?
Much like a password, a passkey is a credential for logging into a website. But rather than a string of letters, numbers, and symbols that a person or a password manager creates and may reuse across any number of sites, a passkey is a cryptographic key pair generated from random bytes on the user’s device: the private half stays on the device, the public half is registered with one specific website, and the pair works for that site only.
They consist of two parts. The first is a check on the device (or in the password manager) that the person attempting to log in is who they say they are. The second is the exchange with a specific website: the site sends a challenge, the device signs it with the private key it holds for that site, and only the signature travels over the network; the passkey itself never leaves the device. Gary Orenstein, chief customer officer at password manager Bitwarden, describes the process as a “dedicated handshake between the provider and the user.”
“Part of the passkey protocol is to authenticate that it is you accessing the passkey,” Orenstein adds. “The other part is the exchange with the website. A website that is looking for a passkey will issue what’s called a passkey challenge, and only your passkey is going to solve that.”
How do they work?
According to Microsoft’s Sachs, passkeys rely on a user’s proximity to their device. That proximity can be confirmed with biometric data (a fingerprint or face scan), a device PIN, or, when signing in from a different computer, a Bluetooth check that the phone holding the passkey is physically nearby.
“Either they are on their phone and then they have to press their finger, or use their camera. There’s a version of passkey that works over Bluetooth,” he says. “Both of them make sure that the person logging in is physically near, and as long as you have that ‘proximity signal,’ then you don’t worry about remote attackers.”
Sachs says that for those who choose to use biometric verification, that information is stored locally on a device, and never leaves it. Furthermore, on privacy, he notes that “there isn’t an explicit need for your passkey provider to remember what sites you’ve been into.”
What problem do they solve?
As Sachs mentioned earlier, passkeys are primarily designed to address phishing, a hacking tactic that involves impersonating legitimate people or organisations to pressure victims into supplying credentials. Cybercriminals who are phishing for credentials will often spoof websites, meaning they’ll create lookalikes that trick victims into entering their credentials, which the criminals then use to steal money or data, or extort organisations.
While it’s relatively simple to trick a human into believing a malicious website or communication is legitimate, it’s not so easy to trick a device or browser.
“It’s a way for your browser to know which credential goes with which website and never send it to the wrong website,” says Jacob Hoffman-Andrews, senior staff technologist and leader of the Let’s Encrypt project at digital privacy nonprofit Electronic Frontier Foundation. “It’s easy for people who are stressed or in a hurry to type their password into the wrong website. But browsers don’t get stressed, and they don’t get hurried, and they byte-for-byte know exactly which website they are on at all times.”
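As an added illustration of the handshake described above (the challenge issued by the site, the signature that only the matching passkey can produce, and the browser refusing to use a credential anywhere but the site it was created for), here is a self-contained Go simulation. It is example code written for this page, not code from the article, Microsoft, Bitwarden, the EFF or the FIDO Alliance. It models the three WebAuthn roles (authenticator, browser, relying party) with the standard library’s P-256 ECDSA, and it simplifies the signed message to the hash of the client data, where real WebAuthn also signs authenticator data that carries a hash of the relying-party ID. The site names bank.example and bank-example.com are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
)

// RelyingParty is the website. It stores public keys only, so a breach of this map yields nothing to log in with.
type RelyingParty struct {
	ID    string                      // host the passkey is scoped to, e.g. "bank.example" (constructed name)
	creds map[string]*ecdsa.PublicKey // credential ID -> public key
}

// Authenticator is the device or password manager: one private key per site, bound to that site's ID, never exported.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // rpID -> private key
	ids  map[string]string            // rpID -> credential ID
}

// clientData mirrors WebAuthn's clientDataJSON: the browser writes in the challenge and the origin it is really on.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is everything the site receives at login; it carries no secret.
type Assertion struct {
	CredentialID string
	ClientData   []byte
	Signature    []byte
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string]*ecdsa.PublicKey{}}
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}, ids: map[string]string{}}
}

func randomB64(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) } // a broken CSPRNG is not recoverable here
	return base64.RawURLEncoding.EncodeToString(b)
}

// Register creates a fresh P-256 key pair for rp and hands the site only the public half.
func (a *Authenticator) Register(rp *RelyingParty) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return err }
	credID := randomB64(16)
	a.keys[rp.ID], a.ids[rp.ID] = priv, credID
	rp.creds[credID] = &priv.PublicKey
	return nil
}

// Challenge issues a random nonce that is valid for one login attempt only.
func (rp *RelyingParty) Challenge() string { return randomB64(32) }

// BrowserLogin plays the browser: it derives the relying-party ID from the origin the page is really
// loaded from and offers only a passkey scoped to that ID, so a lookalike domain has nothing to sign with.
func BrowserLogin(a *Authenticator, origin, challenge string) (*Assertion, error) {
	u, err := url.Parse(origin)
	if err != nil { return nil, err }
	priv, ok := a.keys[u.Hostname()]
	if !ok { return nil, fmt.Errorf("no passkey registered for %q", u.Hostname()) }
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	// Simplification: real WebAuthn signs authenticatorData || SHA-256(clientDataJSON), and
	// authenticatorData itself embeds SHA-256(rpID); the origin/challenge binding is the same.
	digest := sha256.Sum256(cd)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil { return nil, err }
	return &Assertion{CredentialID: a.ids[u.Hostname()], ClientData: cd, Signature: sig}, nil
}

// Verify is the site's check: known credential, the challenge it just issued, its own origin, valid signature.
func (rp *RelyingParty) Verify(as *Assertion, expectedChallenge string) error {
	pub, ok := rp.creds[as.CredentialID]
	if !ok { return fmt.Errorf("unknown credential") }
	var cd clientData
	if err := json.Unmarshal(as.ClientData, &cd); err != nil { return err }
	if cd.Challenge != expectedChallenge { return fmt.Errorf("challenge mismatch: stale or replayed assertion") }
	if cd.Origin != "https://"+rp.ID { return fmt.Errorf("signed for %s, not this site", cd.Origin) }
	if d := sha256.Sum256(as.ClientData); !ecdsa.VerifyASN1(pub, d[:], as.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

func main() {
	rp, auth := NewRelyingParty("bank.example"), NewAuthenticator()
	if err := auth.Register(rp); err != nil { panic(err) }
	ch := rp.Challenge()
	as, err := BrowserLogin(auth, "https://bank.example", ch) // genuine site
	fmt.Println("genuine login:", err, rp.Verify(as, ch))
	_, err = BrowserLogin(auth, "https://bank-example.com", ch) // lookalike site
	fmt.Println("lookalike site:", err)
	fmt.Println("replayed assertion:", rp.Verify(as, rp.Challenge())) // old assertion, fresh challenge
}
```

Running it shows a genuine login succeeding, the browser declining to sign anything for the lookalike domain because no passkey is scoped to it, and a captured assertion failing when replayed against a fresh challenge. The part worth noticing is what the site never holds: only public keys, so a breach of its credential table gives an attacker nothing to log in with, which is not true of a leaked password database.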
Orenstein says that people’s tendency to use the same password for numerous websites also exacerbates the damage of phishing attacks, and passkeys solve for that, too.
“One of the best parts about passkeys is that they are specific to an individual user and an individual website,” he says. “Most of the fraud and scams that are happening today is due to phishing, where you get somebody’s Google or Apple or Netflix password, and they happen to use the Netflix password for their bank, too.”
Passkeys are not infallible, but cybercriminals target them less often because the payoff is smaller than for passwords, Orenstein says. Sachs, meanwhile, likened a website’s login credentials to the “front door” of a home: passkeys can substantially strengthen that front door, but a platform with other weaknesses will not be impervious to a cyberattack.
Passkeys may seem complicated, but the takeaway is simple: If you are given the option to set one up, you should probably take it. Your data and your privacy will thank you. – Inc./TNS
