Just because you’re using a passkey doesn’t mean your password is gone.
Microsoft is going passwordless in a big new push. As part of that initiative, it is strongly promoting FIDO passkeys.
I am a big fan of FIDO passkeys and FIDO in general. FIDO authentication offerings, including passkeys, are phishing-resistant, which makes them a HUGE improvement over passwords and most other multi-factor authentication products.
The main problem facing passkeys is that most websites (99%) do not yet support them. It is a chicken-and-egg problem. But a growing number of major websites and services do already support passkeys, and Microsoft’s new push for them is likely to increase that number significantly. And this is good. Anything that gets rid of passwords is good (at least to protect sites and services that protect valuable data and information).
While I love FIDO passkeys, I am also a realist. They are not perfect for every situation. I have written about the caveats here:
- I Love Passkeys, but They Are Not Perfect for Every Situation
- Using Passkeys Can Be Easy, If…
- Where I Rank Passkeys Security-Wise
If you have a choice of using a passkey over a password, choose a passkey. I am far happier, though, if you use a passkey with a password manager, like 1Password, that integrates your passkey into its management product. That is because it allows you to easily use the same passkey anywhere the password product is installed, so you can share the same key across multiple devices and platforms. This is not yet easy to do using pure FIDO passkeys alone.
One HUGE caveat I want to pass along.
Most of the time, when you choose a passkey for an existing account where you have been previously using a password, your password still works to log in even after you enable passkey authentication. The site or service does not disable the password option. It only adds passkeys as another way you can log in. For every site I tested (over a dozen), this proved to be the case.
This means that you and attackers can still use your password to log into that site or service. That means attackers can still steal your password, still socially engineer you out of your password, still guess at your password, and still try to crack your password hash to its plaintext equivalent, if they obtain it.
In a very real sense, this means you are using a safe login alternative, but hackers can still use the weaker password method. It is a bit ironic.
Defenses
First, make sure your passwords for all sites are very strong. This means something 12 characters or longer that is truly random. Use a password manager to create and use strong, different passwords on every site and service, whenever you are able to use a password manager. If you must make up a password out of your head, it needs to be 20 characters or longer. No one wants to do that, so use a password manager when you can.
When you create a passkey, be aware that your password still works.
Second, if you start using a passkey on a site or service that allows you to disable the password option, do that.
For example, Microsoft will allow users to disable the password option if they also use Microsoft Authenticator. Ironically, Microsoft Authenticator is not phishing-resistant, and therefore I am not a big fan.
Also, even when you are able to disable passwords while using passkeys, it would not be unheard of for a site or service to still use a password or password hash behind the scenes as part of the authentication sequence for some login scenarios. For example, in many Microsoft authentication scenarios (e.g., smartcard logins), even if you do not use a password, Microsoft still stores and uses a password-equivalent hash behind the scenes. I bet there are more instances where passwords are kept and stored than any of us would immediately consider.
This is to say, use a passkey instead of a password, but realize that your password and its inherent risks may still be hanging around.
When I enable a passkey and the password option is still a login option, I update the password to a very strong password (i.e., 12 truly random characters or longer) right afterward, just in case.
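To make the point concrete, here is an added example (my own toy model, not code from the post or from any site it tested) of an account where enrolling a passkey simply adds a second login path and leaves the password path live, followed by the two defenses above: rotating to a long, truly random password right after enrollment, and switching the password path off where the service permits it. The passkey check is a deliberate stand-in for WebAuthn (a constant-time compare of an opaque credential id), the PBKDF2 hashing stands in for whatever the service actually uses, and the "Summer2024!" password and random credential id are constructed sample values.

```python
"""Added example (not from the original post): a toy account model showing why
enabling a passkey does not, by itself, remove the password login path, and the
two defenses the post recommends: rotate to a long random password and, where
the service allows it, disable password login outright.
"""
import hashlib
import hmac
import math
import os
import secrets
import string

# Printable ASCII minus space: 94 symbols, the alphabet a password manager
# typically draws from when it generates a password.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 12) -> str:
    """Return a truly random password of at least 12 characters (the post's floor)."""
    if length < 12:
        raise ValueError("the post's minimum for a manager-generated password is 12 characters")
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(PASSWORD_ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is only a stand-in for the service's password hashing; the point
    # of the example is the login policy, not the choice of KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Account:
    """Models a service where a passkey is *added* alongside the password.

    After enroll_passkey(), login_with_password() still succeeds, which is the
    behaviour the post describes observing on every site it tested.
    """

    def __init__(self, password: str):
        self._salt = os.urandom(16)
        self._pw_hash = _hash_password(password, self._salt)
        self._password_enabled = True
        self._passkey_ids: set[bytes] = set()

    def enroll_passkey(self, credential_id: bytes) -> None:
        """Register a passkey. Note: this does NOT touch the password."""
        self._passkey_ids.add(credential_id)

    def set_password(self, new_password: str) -> None:
        """Defense 1: rotate to a long random password right after enrolling."""
        self._salt = os.urandom(16)
        self._pw_hash = _hash_password(new_password, self._salt)

    def disable_password(self) -> None:
        """Defense 2: where the service offers it, switch the password path off."""
        if not self._passkey_ids:
            raise RuntimeError("refusing to lock out the account: no passkey enrolled")
        self._password_enabled = False

    def login_with_password(self, attempt: str) -> bool:
        if not self._password_enabled:
            return False
        return hmac.compare_digest(_hash_password(attempt, self._salt), self._pw_hash)

    def login_with_passkey(self, credential_id: bytes) -> bool:
        # Stand-in for a WebAuthn assertion check; real FIDO verifies a signature
        # over a server challenge bound to the site's origin.
        return any(hmac.compare_digest(credential_id, cid) for cid in self._passkey_ids)


def demo() -> dict:
    """Walk through the scenario and return the observations for checking."""
    weak = "Summer2024!"                 # constructed example of a human-chosen password
    acct = Account(weak)
    passkey = secrets.token_bytes(32)    # constructed stand-in for a credential id
    acct.enroll_passkey(passkey)

    result = {"password_still_works_after_passkey": acct.login_with_password(weak)}

    strong = generate_password(20)
    acct.set_password(strong)
    result["old_password_after_rotation"] = acct.login_with_password(weak)
    result["new_password_after_rotation"] = acct.login_with_password(strong)

    acct.disable_password()
    result["password_after_disable"] = acct.login_with_password(strong)
    result["passkey_after_disable"] = acct.login_with_passkey(passkey)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print(f"12 random chars from {len(PASSWORD_ALPHABET)} symbols ~ "
          f"{entropy_bits(12):.1f} bits of entropy")
```

Running it shows the weak password still logging in after the passkey is enrolled, then failing after rotation, and the password path refusing every attempt once it is disabled while the passkey keeps working. The entropy line is why 12 truly random characters is a reasonable floor: from a 94-symbol alphabet that is roughly 78 bits, far beyond what a guessing or offline cracking attempt against a leaked hash can cover.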
It turns out that "passkey" does not usually mean "passwordless."