
We’ve been discussing passkeys a fair bit here in recent weeks, and by coincidence last week the UK’s National Cyber Security Centre released a new paper and guidance on the topic.
- General guidance document: Passkeys: what you need to know
- Press release: NCSC: Leave passwords in the past – passkeys are the future
- Technical paper: Comparing the security properties of traditional user credentials and FIDO2 credentials for personal use
Below are a handful of quotes from the publications. Please note how strongly worded these statements are. And these are from a governmental cybersecurity organization, which is presumably being very intentional with its wording.
From the “what you need to know” document:
“Passkeys are a more secure alternative to passwords that you don’t need to remember as they are created and managed safely by the software on your device(s). […] The NCSC supports the public adoption of passkeys and recommends using passkeys over passwords wherever available.”
From the press release:
“Passwords are no longer resilient enough for the contemporary world.”
“Passkeys should now be consumers’ first choice of login across all digital services, the UK government’s technical authority on cyber security has announced today (Thursday).
Overhauling decades of security practice, the National Cyber Security Centre […] has taken the decision to no longer recommend individuals use passwords where passkeys are available because passwords lack the relative resilience to modern cyber threats.”
From the paper:
“At all stages of a credential’s lifecycle, and against all commonly observed attacks, FIDO2 credentials including passkeys are as secure or more secure than all forms of traditional MFA for individuals.”
Also of note (from the press release):
“Where a particular service does not support passkeys, the NCSC’s advice to consumers is to use a password manager to create stronger passwords and keep using two-step verification.”
If you want to read the paper (or even just the “Summary and recommendations” section at the end of the paper), a few points on terminology might be helpful:
- The word passkey itself is a colloquial term, and its exact usage varies a bit from one case to another.
- FIDO2 credential is the technical term for what would often colloquially be called a passkey: a public-key credential in which the private key stays on your device (or within your sync fabric) and the website only ever holds the matching public key.
- When this paper uses the term passkey it is specifically referring to passkeys synced via the cloud. It uses the terms single-device passkey or device-bound FIDO2 credential for what we might think of as a passkey stored on a single device and not synced to the cloud.
- Sync fabric refers to whatever system stores your passkeys in the cloud and syncs them across your devices (for example, Apple Passwords or Google Password Manager).
- Relying party refers to whatever website or app you’re logging into when using a passkey, i.e., the service that stores your public key and checks your response at login.
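The terms above map onto a short exchange between the user's device and the relying party. As an added illustration (not part of the NCSC publications or of this post's original text), here is a deliberately simplified Go model of that exchange. It assumes P-256 keys and omits the CBOR authenticator data, COSE key encoding, attestation and signature counter that real WebAuthn uses; in real browsers the check that the origin matches the rpID happens before the authenticator ever signs, whereas here the origin check is shown on the relying party's side so the failure is visible.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Toy model of a FIDO2/WebAuthn login (assumed simplification: no CBOR
// authenticator data, no COSE keys, no attestation, no signature counter).

// Credential is all the relying party stores: the public key, scoped to the
// relying party's own rpID (its domain). A breach of it yields nothing reusable.
type Credential struct {
	Public *ecdsa.PublicKey
	RPID   string
}

// Authenticator models the user's device or sync fabric: it alone holds the private key.
type Authenticator struct {
	priv *ecdsa.PrivateKey
	rpID string
}

// clientData is what the browser binds into every signature: the relying
// party's fresh challenge and the origin the browser is really connected to.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Register creates a P-256 key pair for rpID; only the public half goes to the relying party.
func Register(rpID string) (*Authenticator, Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return &Authenticator{priv: priv, rpID: rpID}, Credential{Public: &priv.PublicKey, RPID: rpID}, nil
}

// signedMessage mirrors WebAuthn's authenticatorData || SHA-256(clientDataJSON),
// with authenticatorData reduced to the rpID hash for brevity.
func signedMessage(rpID string, clientDataJSON []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return msg[:]
}

// Sign runs on the user's device. The browser, not the user, fills in the origin,
// so a lookalike site cannot talk the user into supplying the right one.
// It returns the clientDataJSON and the signature over it.
func (a *Authenticator) Sign(challenge []byte, origin string) ([]byte, []byte, error) {
	cd, err := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(a.rpID, cd))
	return cd, sig, err
}

// Verify is the relying party's side: reject a stale challenge (replay), a
// foreign origin (phishing), or a signature that does not match the stored key.
func Verify(cred Credential, expectedOrigin string, challenge, clientDataJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if !bytes.Equal(cd.Challenge, challenge) {
		return errors.New("challenge mismatch: possible replay")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q: possible phishing", cd.Origin, expectedOrigin)
	}
	if !ecdsa.VerifyASN1(cred.Public, signedMessage(cred.RPID, clientDataJSON), sig) {
		return errors.New("signature does not verify under the stored public key")
	}
	return nil
}

// NewChallenge is minted fresh by the relying party for every login attempt.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

func main() {
	auth, cred, _ := Register("example.com")
	ch, _ := NewChallenge()
	cd, sig, _ := auth.Sign(ch, "https://example.com")
	fmt.Println("real site:", Verify(cred, "https://example.com", ch, cd, sig))
	cd, sig, _ = auth.Sign(ch, "https://example-com.login-help.net") // lookalike origin
	fmt.Println("lookalike:", Verify(cred, "https://example.com", ch, cd, sig))
}
```

Three things to notice, because they are what the NCSC's comparison turns on: the relying party never holds a secret (so a database breach cannot be replayed elsewhere), every login signs a fresh challenge (so a captured response is useless later), and the origin is bound into the signed data by the browser (so a lookalike domain fails even when the user is fooled). None of those properties hold for a password, however strong it is.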
Other Recommended Reading/Viewing/Listening
- Causes We Love: Turning Students into Investors (Bogleheads Conference session, in which I interviewed Cole Mattox and Dylan Ingerman of First Generation Investors)
- Analyzing the Analysis: How Do AI Portfolio Recommendations Hold Up? from Allan Roth
- Can Millennials Count on Social Security? (in which I was interviewed for the How to Money podcast)
- Why Social Security Faces a Financial Reckoning Just a Few Years From Now from Alicia Munnell
- Social Security is Slowing Down. Here’s How to Get Your Benefits On Time from Mark Miller
- 2 Ways to Actually Reduce Smartphone Use from Cal Newport
- Private Assets May Be Coming to Your 401(k). You Should Know the Risks. from Tara Siegel Bernard (NYT)
- IRS Finalizes Deduction Rules for Tips, Adds 3 Eligible Jobs from Martha Waggoner
- Russia Hacked Routers to Steal Microsoft Office Tokens from Brian Krebs (Don’t use an old router!)
Thanks for reading!
What is the Best Age to Claim Social Security?
Read the answers to this question and several other Social Security questions in my latest book:
Social Security Made Simple: Social Security Retirement Benefits and Related Planning Topics Explained in 100 Pages or Less
Disclaimer: Your subscription to this blog does not create a CPA-client or other professional services relationship between you and Michael Piper or between you and Simple Subjects, LLC. By subscribing, you explicitly agree not to hold Michael Piper or Simple Subjects, LLC liable in any way for damages arising from decisions you make based on the information available herein. Neither Michael Piper nor Simple Subjects, LLC makes any warranty as to the accuracy of any information contained in this communication. The information contained herein is for informational and entertainment purposes only and does not constitute financial advice. On financial matters for which assistance is needed, I strongly urge you to meet with a professional advisor who (unlike me) has a professional relationship with you and who (again, unlike me) knows the relevant details of your situation.
