< ciso brief />

All news with #passkeys tag

11 articles

World Passkey Day: Microsoft Pushes Passwordless Future

🔐 Microsoft marks World Passkey Day by outlining steps to accelerate passkey adoption and reduce reliance on passwords and phishable methods. The company highlights work with the FIDO Alliance, expanded Microsoft Entra passkey support, Windows Hello device‑bound keys, and syncing through Microsoft Password Manager. It also strengthens account recovery with verified ID and biometric checks and plans to remove security questions in Entra ID by January 2027. Organizations are urged to enable passkeys and apply policies across sign‑in and recovery.

Five Google Tools to Strengthen Account Sign‑In Security

🔐 Google outlines five practical tools to make Google Account sign‑ins simpler and more secure on World Password Day 2026. Highlights include Passkeys (device-based sign-in using fingerprint, face, or PIN), recommended pairing with 2-Step Verification, and the ability to add up to 10 Recovery Contacts for account recovery. The post also promotes Sign in with Google to reduce password proliferation and Google Password Manager to create, save, sync, and autofill strong passwords and passkeys.

UK NCSC Urges Businesses to Offer Passkeys by Default

🔐 The UK National Cyber Security Centre now recommends offering passkeys as the default authentication option for consumer accounts, saying passwords are "no longer resilient enough" for modern threats. The agency highlights that FIDO2-based passkeys rely on device-bound cryptographic keys and local verification (biometrics or PINs), making them resistant to phishing and credential reuse. Where passkeys are not yet supported it advises using password managers and strong multi-factor verification, and warns organisations to secure account recovery and fallback processes.

NCSC Endorses Passkeys as Default Consumer Login Option

🔐 The UK’s National Cyber Security Centre (NCSC) now recommends passkeys as the preferred sign-in method for consumers, advising passwords only when passkeys are unavailable. This follows a year of collaboration with the FIDO Alliance, observed improvements across the passkey ecosystem and successful NHS deployments. The NCSC also urges businesses to adopt passkeys as the default and to use single sign-on (SSO) where possible, with additional business guidance expected.

Low-Cost Steps to Strengthen Your Security Posture Now

🔒 This piece presents eight practical, low-cost measures CISOs and security teams can deploy to materially improve enterprise protection. Recommendations emphasize better enforcement of MFA, fuller use of existing tool capabilities, regular tabletop exercises, and adoption of passkeys for high-risk users. The focus is on disciplined execution, configuration, and human risk management rather than large new purchases.

6 Key Trends Reshaping the Identity and Access Market

🔐 The IAM market is shifting from traditional login and MFA toward treating identity as a security control plane, driven by demand for phishing-resistant authentication and stronger governance for non-human accounts. Buyers are prioritizing FIDO2/passkeys, biometrics, and controls for service accounts, API keys, and AI agents. Regulatory change, managed services, and vendor consolidation are reshaping architectures and procurement decisions.

Google Authenticator: Hidden Mechanics of Passkeys Design

🔐 This Unit 42 analysis examines how Google implements synchronized passkeys using a cloud-based authenticator embedded in Chrome and Google Password Manager. The author documents an enclave service (observed connecting to enclave.ua5v[.]com), hidden onboarding flows, and TPM-backed identity and user-verification keys that bind devices and gate access. The post explains the Security Domain Secret, device wrapping keys, the GPM PIN recovery mechanism, and the Noise/WebSocket transport used to protect device-to-cloud communications, emphasizing a novel attack surface in passwordless deployments.

X requires re-enrollment of 2FA security keys by Nov 10

🔐 X is asking users who rely on passkeys or hardware security keys (for example, YubiKeys) to re-enroll their devices for two-factor authentication by November 10 or face account lockout. The requirement stems from X’s migration from the twitter.com domain to x.com, as existing keys are tied to the old domain. Users should visit x.com/settings/account/login_verification/security_keys to disable and then re-add keys; a password confirmation is required. Re-enrolled keys will be associated with the x.com domain and will continue to work after the migration.

X Tells Security Key Users to Re-enroll by Nov 10, 2025

🔐 X is asking users who registered passkeys or hardware security keys (for example, YubiKey) as their two-factor authentication method to re-enroll their key by November 10, 2025. The company says current key enrollments are tied to the twitter[.]com domain and must be associated with x[.]com before the legacy domain can be retired. Accounts not re-enrolled will be locked until users re-enroll, choose a different 2FA method, or opt out of 2FA.

Synced Passkeys: Enterprise Risks and Mitigations Guide

🔒 The article warns that deploying synced passkeys introduces enterprise exposure because they inherit risks tied to cloud accounts and recovery processes. It highlights practical attack vectors — including AiTM-based authentication downgrades and malicious browser extensions — that can bypass or capture passkeys. The author recommends mandatory use of device-bound, hardware-backed authenticators and strict enrollment and recovery controls to preserve phishing-resistant access.

Assessing Passkey Security: Benefits and Limitations

🔐 Passkeys replace passwords with public-key cryptography, keeping the private key on the user’s device while services retain only a public key. They prevent phishing, credential stuffing, and brute-force attacks, and are unlocked by local authentication such as biometrics or a PIN. FIDO research and high-profile moves by Microsoft and Aflac highlight improved convenience and reduced support costs, but device dependency, legacy compatibility, and implementation costs remain significant challenges.