{"id":12661,"date":"2026-05-11T06:31:48","date_gmt":"2026-05-11T06:31:48","guid":{"rendered":"https:\/\/wildgreenquest.com\/?p=12661"},"modified":"2026-05-11T06:31:48","modified_gmt":"2026-05-11T06:31:48","slug":"google-and-microsoft-warn-passkeys-may-not-stop-hackers","status":"publish","type":"post","link":"https:\/\/wildgreenquest.com\/?p=12661","title":{"rendered":"Google And Microsoft Warn Passkeys May Not Stop Hackers"},"content":{"rendered":"<p><br \/>\n<\/p>\n<div>\n<figure class=\"embed-base image-embed embed-1\" role=\"presentation\">\n<div style=\"padding-top:55.84%;position:relative\" class=\"image-embed__placeholder\"><picture><source media=\"(min-width: 960px)\" sizes=\"50vw\" srcset=\"https:\/\/imageio.forbes.com\/specials-images\/imageserve\/690385811693a77280388051\/Hacking-attack-in-Progress\/0x0.jpg?crop=2618%2C1462%2Cx612%2Cy423%2Csafe&amp;width=960&amp;dpr=1 1x, https:\/\/imageio.forbes.com\/specials-images\/imageserve\/690385811693a77280388051\/Hacking-attack-in-Progress\/0x0.jpg?crop=2618%2C1462%2Cx612%2Cy423%2Csafe&amp;width=960&amp;dpr=1.5 1.5x, https:\/\/imageio.forbes.com\/specials-images\/imageserve\/690385811693a77280388051\/Hacking-attack-in-Progress\/0x0.jpg?crop=2618%2C1462%2Cx612%2Cy423%2Csafe&amp;width=960&amp;dpr=2 2x\"\/><\/picture><\/div>\n<div>\n<div class=\"bMqrj\">\n<p><span style=\"-webkit-line-clamp:2\" class=\"Ccg9Ib-7 _8XF2kHYM\">Passkeys may not stop hackers.<\/span><\/p>\n<p><small class=\"pGGCM2aD\">getty<\/small><\/div>\n<\/div>\n<\/figure>\n<p>Passkeys are supposed to replace passwords and stop phishing attacks. But Google and Microsoft warn that passkeys alone are not enough if weaker recovery methods remain attached to accounts. 
\u201cEach account is only as secure as its weakest credential,\u201d Microsoft says, warning that passwords and SMS recovery options can become a new attack surface even after passkeys are deployed.<\/p>\n<p>\u201cPasskeys are an easier and safer way to access online accounts compared to passwords,\u201d Google says, \u201cand even traditional multi-factor methods.\u201d But passkeys are not 100% safe on their own. In a new warning to its account holders, <a rel=\"nofollow\" class=\"color-link\" href=\"https:\/\/blog.google\/innovation-and-ai\/technology\/safety-security\/world-password-day-2026\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-ga-track=\"ExternalLink:https:\/\/blog.google\/innovation-and-ai\/technology\/safety-security\/world-password-day-2026\/\" aria-label=\"Google\">Google<\/a> says \u201ceven when you normally use a passkey, it\u2019s important to secure your account with <a rel=\"nofollow\" class=\"color-link\" href=\"https:\/\/support.google.com\/accounts\/answer\/185839?hl=en&amp;co=GENIE.Platform%3DAndroid\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-ga-track=\"ExternalLink:https:\/\/support.google.com\/accounts\/answer\/185839?hl=en&amp;co=GENIE.Platform%3DAndroid\" aria-label=\"two-step verification\">two-step verification<\/a> (2SV).&#8221; You need this in case \u201csomeone tries to impersonate you and claims to have lost your passkey.&#8221;<\/p>\n
<p>If there is an automated recovery process that exploits weaker credentials to bypass a passkey, then that passkey is not 100% safe \u2014 it really is that simple. Attackers can target recovery flows and fallback credentials instead of passkeys.<\/p>\n<p>This is an interesting twist \u2014 because much of the rhetoric is that a passkey alone <em>is<\/em> enough. But <a rel=\"nofollow\" class=\"color-link\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/07\/world-passkey-day-advancing-passwordless-authentication\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-ga-track=\"ExternalLink:https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/07\/world-passkey-day-advancing-passwordless-authentication\/\" aria-label=\"Microsoft\">Microsoft<\/a> flags account recovery as a new attack surface, as the surge in passkey use shuts down traditional attack methods. <\/p>\n<p>\u201cDeploying passkeys improves sign-in,&#8221; Microsoft says. &#8220;But most accounts still have a password or SMS method attached &#8216;just in case\u2019 \u2014 and as long as those credentials exist, they\u2019re an attack surface.\u201d<\/p>\n<figure class=\"embed-base image-embed embed-2\" role=\"presentation\">\n<div>\n<div class=\"bMqrj\">\n<p><span style=\"-webkit-line-clamp:2\" class=\"Ccg9Ib-7 _8XF2kHYM\">Prevent hackers accessing your account. <\/span><\/p>\n<p><small class=\"pGGCM2aD\">Google<\/small><\/div>\n<\/div>\n<\/figure>\n<p>The best recovery method is to use your account passkey on a different device to complete a recovery step. As a back-up, Microsoft says a process that pushes users to provide ID and a face scan is best. 
\u201cAs NIST recommends, high-assurance recovery requires government-issued ID and biometric verification.\u201d<\/p>\n<p>Microsoft\u2019s advice is aimed at enterprise users \u2014 Google\u2019s primarily at home users. That\u2019s a major difference, but it doesn\u2019t remove the threat. Gmail and other Google accounts are high-value to cyber attackers, and remain under attack.<\/p>\n<p>Google tells users to add 2SV to \u201cprevent hackers from accessing your account with an additional layer of security.&#8221; But given an attacker can use Google\u2019s account recovery process, pretending to be you and claiming a passkey has been lost, the form of 2SV becomes more critical than ever. There are two types you should use: Google Prompts and an Authenticator (which can be an app on your phone).<\/p>\n<p><a rel=\"nofollow\" class=\"color-link\" href=\"https:\/\/1password.com\/blog\/sms-based-mfa-risks\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-ga-track=\"ExternalLink:https:\/\/1password.com\/blog\/sms-based-mfa-risks\" aria-label=\"You should stop using SMS one-time codes\">You should stop using SMS one-time codes<\/a>. These are the weaker, traditional forms of MFA that Google and Microsoft dismiss in their passkey promotions. Authenticator apps are now easy to set up and use, and should replace SMS codes on all your key accounts. 
You then need to disable SMS codes completely.<\/p>\n<p>Passkey adoption is surging. But as Microsoft warns, these protections are only effective if users \u201celiminate phishable credentials entirely.\u201d Google\u2019s warning that passkeys alone are not a 100% solution is timely \u2014 especially as attackers shift toward recovery flows and fallback authentication methods.<\/p>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/www.forbes.com\/sites\/zakdoffman\/2026\/05\/11\/google-and-microsoft-warn-passkeys-may-not-stop-hackers\/\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Passkeys may not stop hackers. getty Passkeys are supposed to replace passwords and stop phishing attacks. But Google and Microsoft warn that passkeys alone are not enough if weaker recovery methods remain attached to accounts. \u201cEach account is only as secure as its weakest credential,\u201d Microsoft says, warning that passwords and SMS recovery options can<\/p>\n","protected":false},"author":1,"featured_media":12662,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[37],"tags":[],"class_list":{"0":"post-12661","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-brand-spotlights"},"_links":{"self":[{"href":"https:\/\/wildgreenquest.com\/index.php?rest_route=\/wp\/v2\/posts\/12661","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wildgreenquest.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wildgreenquest.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wildgreenquest.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wildgreenquest.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=12661"}],"version-history":[{"count":0,"href":"https:\/\/wildgreenquest.com\/index.php?rest_route=\/wp\/
v2\/posts\/12661\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/wildgreenquest.com\/index.php?rest_route=\/wp\/v2\/media\/12662"}],"wp:attachment":[{"href":"https:\/\/wildgreenquest.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=12661"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wildgreenquest.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=12661"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wildgreenquest.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=12661"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}