Big Tech Shamed for Ignoring Passkey Security

Big Tech Shamed for Ignoring Passkey Security

John Lister's picture

Instagram, Netflix and Spotify are among major companies "named and shamed" for not offering passkeys to users. The technology is an alternative to passwords and is designed to overcome two major hurdles.

Passwords rely on users remembering them, which can be difficult without reusing passwords across sites or using short, easily guessable passwords. (Password managers are one way round this problem). They also can be stolen through a hack or a user being tricked by a phishing scam where they think they are logging into a legitimate site and hand over details. (Source: techcrunch.com)

Better Security for Users

In contrast, passkeys are created by a specific device rather than covering the entire account. The passkey is then verified using the same login process as the device itself. This is usually either a biometric check such as fingerprint or facial recognition, or a physical device such as a USB security key.

This means not only does the user not need to remember anything, but it makes it almost impossible to overcome the security without physical access to the device itself. It also makes phishing much more difficult as the security check is done by the device, rather than a website, which could be bogus.

Security researcher Scott Helme was frustrated by major sites which don't offer a passkey option and found this was the case for seven of the 25 most popular websites. He's now launched whynopasskeys.com in an attempt to draw attention to such sites.

Setting Industry Standards

Helme notes he ran a similar project in 2017 to highlight major websites which didn't use https:// encryption to secure traffic to and from their customers.

He argues that naming and shaming the biggest companies isn't just about their behavior, but also the example they set to others. He says them not supporting passkeys will "shape user expectations" and make it less likely smaller sites will see it as important. (Source: scotthelme.co.uk)

Helme also notes that using passkeys is a spectrum of security and that supporting them as a replacement for a password is less secure than using them as an extra line of defense while still also requiring a password.

What's Your Opinion?

Should big tech companies be pressured or even forced to adopt better security like passkeys? Would you stop using a major service if it refused to offer modern security options? Do you find passkeys more convenient than traditional password managers?

Rate this article: 
Average: 5 (1 vote)