Passwords are an ongoing problem. Security is under more pressure than ever, as usual. Google wants to replace passwords with passkeys, using biometrics and secondary processes, like unique puzzles to generate a signature.
I’m not sold. I don’t want to be totally negative, but there’s quite a lot to be negative about. To be strictly fair about this, more security probably is better security. Phishing is rampant and expensive for so many people. Ransomware is worse. Blocking these things is obviously crucial to general security.
There’s nothing wrong with passkeys in principle. I’m wary of the passkey idea on practical grounds.
It’s a bit of a shopping list of issues:
- The idea of using biometrics involves using visual media like phone cameras and peripherals like webcams and storing the images, fingerprints, or whatever. In the age of the deepfake, and deepfake-generated images, that could go very wrong. Access security problems for imaging equipment are well-known. Hacked cameras are one of the security plagues of the past.
- Access using fingerprints could be pesky. Fine-resolution biometrics could be disrupted by putting too much pressure on the pad, greasy fingers, scratched fingers, etc.
- PIN numbers are one of the “new” options for passkeys. Do you really need a whole new suite of tech for a PIN?
- The layering of the passkey idea looks very like SSL, or Secure Sockets Layer. This is how HTTPS works. SSL is the encrypted multi-layer security as used by banks for decades, and it’s pretty safe. SSL is very demanding to hack and is one of the main reasons hackers have to go to such lengths to steal banking information. Why go to extra lengths to deliver a system everyone already has?
- Biometrics can be very fussy. Image resolution, lighting, and similar things that can deliver facial recognition fails are well-known in the security and surveillance sectors.
- A passkey for each device you use could be a real ongoing nuisance. All you need is a laptop, a phone, and a desktop, and you could be spending time trying to access all of them at different times for different reasons. If it’s a workplace device with critical info, the stress levels could be extreme.
- Securing a device is one thing. Securing information is a different thing. Even if you can’t steal a passkey, you could try to sneak in on any insecure app or through user gullibility. Phishing could still work. The user could access anything online which would try to steal the passkey, or neutralize it, or both.
The other glaringly obvious issue is that the second a new security system is introduced, people will start trying to find ways around it and they usually do find a few. Any weak points will be exploited, and the passkey provider, say Google, instantly becomes a target. It may be unthinkable, but that doesn’t make it impossible.
This doesn’t mean Google hasn’t thought of all that. It means there may well be vulnerabilities in any system, particularly a new system, that create weak points.
At the user end, any problems will be personal and in some cases critical. If you get locked out of anything, it’s never fun. Being locked out of a device or an app can be very problematic.
I’ve just recently seen what happens when a business can’t access a workplace laptop, too. Took them 3 days to unlock it to access client data. What if the employee is fired, and won’t cooperate? You could have an overriding passkey, sure, but what if the device is compromised? The overriding passkey could be a vulnerability as well.
At this point, a bells-and-whistles biometrics-based version of SSL simply seems more difficult than just using SSL. Simpler is always better.
_______________________________________________________________
Disclaimer
The opinions expressed in this Op-Ed are those of the author. They do not purport to reflect the opinions or views of the Digital Journal or its members.
