Tech firms push 'passkeys' to usher in password-free logins
A new report finds most common passwords can be hacked in less than a second.
When it comes to the password habits of Americans, there's some room for improvement. But some tech companies are hoping a new security technology known as a "passkey" may offer a solution.
Passkeys, as they're known, are a new security technology that works by having a person's smartphone generate a unique cryptographic "key," which can then be used to unlock that person's various online accounts - no password required.
"If I had to use one word it would be 'lazy,'" Patricija Cerniauskaite, a spokesperson for digital security firm Nordpass, told ABC News, describing the habits of some Americans when it comes to their passwords.
A new report from Nordpass finds 83% of the most common passwords globally can be hacked in less than one second. According to Nordpass, the most common password among Americans last year was the word "guest." "123456" was the second most-common password, and in third place was, simply, "password."
Cerniauskaite says the prominence of weak passwords is nothing new, in part because of the sheer volume of accounts internet users now have to manage.
"For a general person, it's impossible to learn and remember 80 or 100 different, complicated password[s]," Cerniauskaite said. That's why, she says, many people resort to words and phrases that are easier to remember, but less secure.
"It's understandable, but it compromises people's security," she said.
Recently, tech companies including Google, Apple, and Microsoft have been rolling out passkeys to offer a solution to Americans' bad password habits.
"The server will be sending a request to your device which can only be answered by the related passkey stored there," Cerniauskaite said. "So when the passkeys are paired, you will actually be logged into your account."
"You've confirmed to your device that you are who you say you are," David Pierce, Editor At Large of The Verge, told ABC News. "And your device now goes to the website and says, 'yup, it's David.' And you're good to go."
To set up a passkey, users navigate to the login screen of an account, and select the option to sign in with a passkey (usually the option is accompanied by a small icon that looks like a person standing next to a key). Then, the account will prompt the user to log in to their phone using a face scan, a fingerprint, or other security measure.
"It replaces a password, which is a series of letters and numbers and symbols that you have memorized, with essentially biometric information stored on your device," Pierce said.
Passkeys are stored on a person's phone or computer. Experts say this is more secure than having a company oversee a server full of user passwords, which could be vulnerable to hacking.
"Even if your password is good and safe, it can be stored somewhere and often those places are hackable and that's how passwords get leaked," Pierce said. "That is much, much harder to do in a case like this."
In addition, Pierce says, passkeys address the problem of "phishing" scams - where malicious actors create fake websites, designed to look like real login pages, with the intention of collecting the usernames and passwords of people who fall for the scam.
"You can't give a hacker your password anymore, you can't be socially engineered into giving someone your password," he said, because "you don't have a password anymore."
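The login exchange and the phishing resistance described above can be sketched in a few functions. This is an added example, not code from the article or from any of the companies it names; it goes beyond the article by modelling the origin binding used by WebAuthn, the standard behind passkeys, in simplified form. The function names and the `.example` origins are assumptions.

```javascript
// Added illustration: simplified passkey-style challenge-response (not full WebAuthn).
const nodeCrypto = require('crypto');

// Registration: the device creates a key pair; the server keeps only the public key.
function registerPasskey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, serverRecord: { publicKey } };
}

// Server: issue a fresh random challenge for every login attempt.
function newChallenge() {
  return nodeCrypto.randomBytes(32).toString('hex');
}

// Device: after the local unlock (face scan, fingerprint, PIN), sign the challenge
// together with the origin of the page that actually asked for it.
function deviceSign(device, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin });
  const signature = nodeCrypto.sign('sha256', Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Server: accept only a valid signature over its own challenge and its own origin.
function serverVerify(serverRecord, expectedChallenge, expectedOrigin, response) {
  const { challenge, origin } = JSON.parse(response.clientData);
  if (challenge !== expectedChallenge || origin !== expectedOrigin) return false;
  return nodeCrypto.verify('sha256', Buffer.from(response.clientData),
    serverRecord.publicKey, response.signature);
}

// Constructed scenario; both origins are placeholders.
function demo() {
  const SITE = 'https://shop.example';
  const LOOKALIKE = 'https://shop-login.example';
  const { device, serverRecord } = registerPasskey();

  const c1 = newChallenge();
  const genuine = serverVerify(serverRecord, c1, SITE, deviceSign(device, c1, SITE));

  // A response produced on a lookalike page names that page's origin, so the real site rejects it.
  const c2 = newChallenge();
  const phished = serverVerify(serverRecord, c2, SITE, deviceSign(device, c2, LOOKALIKE));

  // A captured response is useless against a later challenge.
  const replayed = serverVerify(serverRecord, newChallenge(), SITE, deviceSign(device, c1, SITE));
  return { genuine, phished, replayed };
}
```

The server record holds nothing that can be used to log in, which is why a breach of the server does not leak credentials the way a password database does.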
This week, Google announced that passkeys are now available for Google accounts across most major platforms. Websites like eBay, Shopify, CVS Health, Kayak, and Best Buy all support the technology - but some major players are missing. Popular websites like Amazon, Facebook, and Twitter have yet to announce passkey support. Pierce says that's likely to change as the technology matures.
"It will happen kind of, account by account, service by service, company by company," he said. "It would be great if everybody would decide to do it at the same time, but that's not likely going to happen."
There are other drawbacks to passkeys: tying authentication to smartphones also ties it to smartphone batteries.
"If I'm out in the world and my battery dies - my password manager just died," Pierce said.