Moving from passwords to passkeys

Martin Shelton

Principal Researcher

Traditional logins versus passkeys.

(Freedom of the Press Foundation)

It’s the Digital Security Training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone has shared this newsletter with you, please subscribe here.

In the news

  • Instead of traditional passwords, where you log into a website with credentials that you know or store in a manager, a passkey is a credential that you store on your device, registered with an online account. After a passkey is registered to a service, you can nearly instantly log in using your device, typically through biometrics (e.g., a fingerprint scan) or a PIN. This approach is therefore highly resistant to phishing attacks, adding to your account security.
  • Matt Burgess, a senior writer at WIRED, chronicled his month-long experience transitioning from passwords to passkeys. While he highlights the ease of use and security benefits, he also notes the challenges of remembering which device passkeys are housed on. Did I set this up on my phone or my Macbook? Likewise, while they can be straightforward to set up and use, they are not yet supported everywhere on all major devices, browsers, and services. As he put it, “When passkeys work seamlessly, it’s a glimpse of a more secure future for millions, if not billions, of people, and a reinvention of how we sign in to websites and services. But getting there for every account across the internet is still likely to prove a minefield and take some time.” Read the article here.

What you can do

  • You can check if your favorite service supports passkeys.
  • Want to learn more about getting started using passkeys? Read our guide.
  • Many websites and services don’t yet support passkeys. If you don’t have access to passkeys on a service you care about, we’d still recommend enabling two-factor authentication wherever possible to maximize account safety. Check out our guide to two-factor authentication for beginners.
  • Passwords aren’t going anywhere just yet, and when passwords are leaked online, attackers will try to use whatever credentials they can find on multiple websites. This is why it’s so important to use unique passwords on each website, so that you can contain the impact of a breach. “But how?” you ask! A password manager will help you generate and securely store your passwords in an encrypted “vault.” Some password managers (e.g., 1Password) can also store your passkeys so they can be propagated across all of your devices. Check out our guide to choosing a password manager.

Updates from my team

  • Will you be at the NICAR 2024 data journalism conference? My colleague David Huerta and I will be there in Baltimore from March 7-10. Come say hi and grab some FPF stickers!

We are always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.

Best,
Martin

Donate to support press freedom

Your support is more important than ever.

Read more about Digital Security Digest

Apple warns iPhone users of targeted malware

On April 10, Apple sent users in 92 countries warning of mercenary malware attacks targeting the iPhone. The notification did not provide details about the identities of the attackers. According to TechCrunch, Apple warned, “This attack is likely targeting you specifically because of who you are or what you do. Although it’s never possible to achieve absolute certainty when detecting such attacks, Apple has high confidence in this warning — please take it seriously.”

Preparing for election-related security issues

Throughout this year, our digital security training team will share our thoughts on navigating security issues during the 2024 election season. Elections around the world experience distinct security issues that may change from year to year, but in the U.S. we look to 2020 for lessons on how to get ahead of likely issues, from surveillance of our sensitive communications to perennial phishing attacks and harassment for political reporting.

Google to delete old Chrome Incognito data

Following a class-action lawsuit over Google’s handling of user data in its Chrome browser’s “Incognito” private browsing mode, the search company will expunge “billions of event-level data records that reflect class members’ private browsing activities” improperly collected before January 2024. It also updated its Incognito landing page to highlight that even Google can discern your activities in private browsing mode. Additionally, the company will be required to delete data that makes users’ private browsing data personally identifiable, such as IP addresses.