WordPress Plugin Flaw Let Attackers Hijack 1m Websites


A security flaw in the widely used Elementor add-on plugin “Essential Addons for Elementor” lets unauthenticated attackers reset the password of any account, administrators included, and take over the site. The plugin is installed on more than a million WordPress websites.

Patchstack recently uncovered a critical unauthenticated privilege escalation vulnerability, tracked as CVE-2023-32243, in versions 5.4.0 to 5.7.1 of the plugin. It lets an attacker reset any user’s password and log in to administrator accounts.


A Flaw in Essential Addons for Elementor

The vulnerability arises because the plugin’s password-reset handler never validates the reset key, so it sets a new password for whatever username it is given without any proof that the requester owns the account.

Because the reset yields full control of the targeted account, the consequences of CVE-2023-32243 range from unauthorized data access and website tampering to malware distribution, loss of user trust, and legal and compliance issues. The one precondition is that the attacker knows the username of the account they want to take over.

So that the plugin does not bail out with an error, the attacker supplies arbitrary values for ‘page_id’ and ‘widget_id’, the correct nonce (‘eael-resetpassword-nonce’) so the request passes the plugin’s nonce check, and the new password in ‘eael-pass1’ and ‘eael-pass2’.

Patchstack points out that the nonce is not a secret: the plugin writes it into the front end of every page (it is stored in the $this->localize_objects variable by the load_commnon_asset function), so any visitor can read it. With that nonce and a valid username in the ‘rp_login’ parameter, the attacker changes the target user’s password and takes over the account.

Patchstack reports that the vendor addressed the issue by adding a check that a password reset key is present in the request and is legitimate for that user. The fix shipped in Essential Addons for Elementor version 5.7.2, and all users should update to the latest version promptly.

The patch itself is small. Where the code previously reset the password without verifying the reset key’s authenticity, it now checks the request against the stored ‘eael_resetpassword_rp_data_*’ value before changing anything.


Disclosure timeline

Patchstack’s disclosure timeline:

  • 08 May, 2023 – We found the vulnerability and contacted the plugin vendor.
  • 11 May, 2023 – Essential Addons for Elementor version 5.7.2 was published to patch the reported issues.
  • 11 May, 2023 – Added the vulnerabilities to the Patchstack vulnerability database.

Any WordPress code path that performs a sensitive action (login, registration, password reset or recovery, database writes) should enforce access control and nonce checks, and password resets in particular should go through the check_password_reset_key function, so that only the holder of the emailed key can set a new password. A nonce on its own only defends against CSRF; it does not authenticate anyone.
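To make the bug class concrete, here is an added Python model of the two handlers side by side. It is not the plugin’s PHP and not Patchstack’s code: the request parameter names are the ones named above, while the site state, the nonce value, the hashing and the check_password_reset_key analogue are constructed for the demo.

```python
"""Model of the bug class behind CVE-2023-32243: a password reset gated only by a CSRF nonce."""
import hashlib
import hmac
import secrets
import time

# Constructed site state. The nonce is printed into the front-end page for every visitor
# (as the plugin did), so an attacker always has it. Hashing here is for the demo only.
SITE = {
    "nonce": "b7e2c1a9",                     # 'eael-resetpassword-nonce' value, public
    "users": {"admin": {"pw_hash": None}},
    "reset_keys": {},                        # login -> (sha256(key), expiry)
}


def _hash_pw(password):
    return hashlib.sha256(b"demo-salt" + password.encode()).hexdigest()


def vulnerable_reset(req):
    """Vulnerable pattern: a valid nonce plus a username is enough to set a new password.
    The nonce only proves the request came from a page that rendered the form, which is
    true for every visitor; it says nothing about who owns the account."""
    if req.get("eael-resetpassword-nonce") != SITE["nonce"]:
        return False
    if req.get("eael-pass1") != req.get("eael-pass2"):
        return False
    user = SITE["users"].get(req.get("rp_login"))
    if user is None:
        return False
    user["pw_hash"] = _hash_pw(req["eael-pass1"])      # no reset key ever checked
    return True


def issue_reset_key(login, ttl=3600):
    """What the 'forgot password' email carries. Only a hash of it is stored."""
    key = secrets.token_urlsafe(32)
    SITE["reset_keys"][login] = (hashlib.sha256(key.encode()).hexdigest(), time.time() + ttl)
    return key


def check_password_reset_key(key, login):
    """Analogue of WordPress check_password_reset_key(): bound to the login, expiring,
    compared in constant time and consumed on success so it works exactly once."""
    record = SITE["reset_keys"].get(login)
    if record is None or not key:
        return False
    stored_hash, expiry = record
    if time.time() > expiry:
        del SITE["reset_keys"][login]
        return False
    if not hmac.compare_digest(stored_hash, hashlib.sha256(key.encode()).hexdigest()):
        return False
    del SITE["reset_keys"][login]
    return True


def fixed_reset(req):
    """Hardened pattern: the nonce still blocks CSRF, but the password changes only when the
    key emailed to the account owner validates for that login."""
    if req.get("eael-resetpassword-nonce") != SITE["nonce"]:
        return False
    if req.get("eael-pass1") != req.get("eael-pass2"):
        return False
    login = req.get("rp_login")
    if login not in SITE["users"]:
        return False
    if not check_password_reset_key(req.get("rp_key"), login):
        return False
    SITE["users"][login]["pw_hash"] = _hash_pw(req["eael-pass1"])
    return True


def attacker_request():
    """Everything an unauthenticated visitor has: the public nonce, a guessed username,
    arbitrary page/widget ids and a password of their choosing."""
    return {"page_id": "1", "widget_id": "x",
            "eael-resetpassword-nonce": SITE["nonce"], "rp_login": "admin",
            "eael-pass1": "pwned", "eael-pass2": "pwned"}


def demo():
    """Exercise both handlers; returns which requests succeeded."""
    results = {"vulnerable_attacker": vulnerable_reset(attacker_request()),
               "fixed_attacker_no_key": fixed_reset(attacker_request()),
               "fixed_attacker_guessed_key": fixed_reset({**attacker_request(), "rp_key": "guess"})}
    key = issue_reset_key("admin")                       # delivered to the owner by email
    owner = {**attacker_request(), "rp_key": key,
             "eael-pass1": "N3w-pass", "eael-pass2": "N3w-pass"}
    results["fixed_owner_with_key"] = fixed_reset(owner)
    results["fixed_owner_key_reused"] = fixed_reset(owner)   # consumed: second use fails
    return results
```

Running demo() shows the attacker’s request succeeding against the vulnerable handler and failing against the fixed one, while the account owner, holding the emailed key, succeeds once and cannot reuse the key. The same three properties (bound to the login, expiring, single use) are what WordPress core’s own check_password_reset_key enforces.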


Twitter enables encrypted messaging for verified users


Twitter’s long-promised encrypted messaging feature is finally here. The initial version is bare-bones, but the company says it is just getting started, and future updates should address the limitations of DM (direct message) encryption on Twitter. Elon Musk previously said the goal is encryption strong enough that he couldn’t see your messages even if someone put a gun to his head.

Twitter rolls out encrypted messaging with several major limitations

For starters, encrypted messaging on Twitter is currently only available for verified users, including Twitter Blue subscribers and accounts affiliated with a verified organization. Both the sender and receiver need to be verified for conversations between them to be encrypted. Additionally, the feature will only work if the recipient follows the sender or has sent a message to the sender previously, or has accepted a DM request from the sender before. Both parties need the latest version of the Twitter app as well or should be using the web client.

On top of limited availability, encryption doesn’t appear to be enabled by default for eligible users either. Twitter says that you’ll have to manually flip the “encrypted messaging” toggle on top of the screen before starting a new conversation. All subsequent messages to eligible recipients should be encrypted, which is indicated by a “lock icon” on the avatar of the recipient.  An option to “start an encrypted message” is also available on the conversation info page. You can access this page by tapping the information icon on the top-right corner of any conversation on Twitter.

Twitter’s DM encryption currently doesn’t work in group chats, and it doesn’t cover media (photos, videos) or attachments: only text messages, message reactions, and links can be sent in an encrypted conversation. Twitter also doesn’t encrypt message metadata, so details such as the recipient and the creation time of a message remain visible to the company. It does plan to extend encryption to group chats and other message details in the future.

Encrypted messages don’t sync across multiple devices

Another major limitation is that you cannot continue an encrypted conversation on a new device. If you log in to the same Twitter account on a new device or reinstall the app on the same device, your existing encrypted messages won’t sync with it. You’ll have to start again. You can send encrypted messages from the same account through a total of ten devices. Once you have registered ten devices, encryption won’t work for you on a new device. You cannot remove a registered device to add a new one either.

Twitter also notes that it currently doesn’t offer “protections against man-in-the-middle attacks”. In practice, that means users have no way to verify each other’s keys, so whoever distributes those keys (Twitter itself, or anyone able to compromise its key distribution) could substitute their own key and read the messages, and neither sender nor receiver would notice. Other gaps include the lack of forward secrecy, key transparency, and message reporting in encrypted conversations. Hopefully Twitter will close these gaps sooner rather than later.



The EU issues new rules for Microsoft, Google & Amazon cloud services


Microsoft, Google, and Amazon cloud services have been on the European Union’s radar for quite some time. Now they may be required to collaborate with EU-based cloud service providers (CSPs) in order to handle certain data. That is a requirement the big tech firms may not welcome, but under the proposal they would have no choice.

For now, the measure that would impose this collaboration is still a draft. It aims to protect the sensitive data of people domiciled in the European Union. Because Microsoft, Google, and Amazon are non-European firms, the EU believes they need to be under supervision.

To do this, the said bill will make these cloud service providers (CSPs) work closely with other European cloud service providers. Well, this might sound a bit bizarre to those hearing it, but it doesn’t even stop there. This article covers the necessary and available information regarding this issue and how it affects both parties.

Microsoft, Google, and Amazon cloud services will operate under the close supervision of the EU

Some sources were able to lay hands on the draft containing this requirement from the European Union. This draft contains all the requirements and restrictions that the European Union will place on foreign cloud service providers. All of this is in a bid to protect the sensitive data of those residing in any member state of the European Union.

What the European Union is saying is that only firms within their geographical boundaries can handle sensitive data. If any cloud service provider from outside the region, like Microsoft, Google, and Amazon wishes to do business, they must undergo certain procedures. Some of which include collaborating with some European cloud service providers.

In addition, staff of firms like Microsoft, Google, and Amazon who handle this data would need to reside in the EU, which would make it easier for the EU to oversee how they treat sensitive data. All operation and maintenance of the hosting cloud equipment would also have to be carried out from within the EU.

So what happens if there is a breach of data held by these cloud service providers? According to the draft, the provider would face strict penalties. These requirements would put Microsoft, Google, and Amazon in a tight corner and change how they operate.

For now, this bill is still a draft and might not be passed into law. But if it gets passed into law, Microsoft, Google, and Amazon would need to buckle up for a long and bumpy ride. More information on this draft concerning Microsoft, Google, and Amazon cloud services will be made available in the coming months.



Risks of Leaving USB Devices & Critical Enterprise Data Unmonitored


A USB device is a popular choice for storing data and information and, alas, a popular data theft target for hackers. In this article, we’ll cover the challenges for sysadmins and how these are addressed utilizing an often overlooked security strategy, file shadowing, that can safeguard your network.

To err is human, and to top it with a pinch of unpredictability is a perfect recipe for a colossal disaster.

– Sysadmins worldwide  

Delving into the life of a sysadmin, it’s wise to stay a step ahead in today’s threat-laden environment.

Firefighting is not an ideal solution for sysadmins; instead, being strategic and dynamic reduces uncertainties about the best way to counter cyber threats faced by the organization.

Managing myriads of devices in an organization, handling ad-hoc but “priority” tasks, and pulling all-nighters to handle security concerns are typical tasks for a sysadmin.

The tedious aspects of the job make it hard for anyone to remain continually upbeat. While that is the case with most professions, the risks in the sysadmin’s role come with a price, equivalent to a goalie’s momentary lapse that leads to an opponent’s advantage.

An oversight or error can cost your organization dearly!

Now, cast your eyes on the quote again. Associating it with a dedicated sysadmin shows how sysadmins juggle multiple tricky tasks. From an organization’s standpoint on security, the sysadmin roles allow no room for error.

Sysadmins design the organization’s network infrastructure to manage how a USB device is utilized. While controlling USB devices is pivotal, the information accessed by the devices is often sporadically managed.

It is crucial to ensure the USB devices are granted the appropriate permissions before they are provided access to the organization’s sensitive data. 

In a nutshell: USB devices are everywhere, and when the data they touch is not managed, the result is file loss.

Blocking all device access isn’t practical, as productivity would take a wild hit. If the tech-savvy world has taught us anything, it is to trust no one on the security front. So, what are we left with?

The proposed answer to this issue, file shadowing, creates a copy of any file deemed vital at the moment a USB device accesses it, so the organization keeps both the data and a record of what moved through the device.

Whether creating a file copy in a network path of your convenience, excluding a file type/extension of your choice, or specifying the file size, ManageEngine Device Control Plus is your one-stop solution.

How is file shadowing different from a backup?

On the surface, file shadowing might look like a backup, and while the two are related, they serve different purposes.

File shadowing captures a copy of a file each time it moves through a USB device, so transfers and changes can be tracked, whereas a backup simply keeps a duplicate of the original file.

Device Control Plus provides a practical approach for framing your organization’s file shadowing policy.

This easy-to-utilize software solution breaks the concept into simpler parts for maximum customization, saving sysadmins considerable time and effort.

File shadowing in Device Control Plus can be configured in five steps

Nominate a USB device of your choice

Any USB device is eligible for file shadowing. The policy can be applied to particular devices so that only the file activities on those devices will be replicated.

Control the nature of the file to be shadowed.

The limiter for file size and file types or extensions for exclusion can be set for file shadowing. This narrowed approach ensures that only specific file types of the specified size are replicated instead of every file. 

Design the safe house for your critical files

The path in which the shadowed copies reside can be configured per user role or group of roles. The user keeps working with the file on the USB device, while the copies go to a dedicated location under the sysadmin’s control.

The path that is configured for a device will contain the copied file. The domain credentials to access the remote share where the shadowed data is stored can also be configured for added security.

Utilize Custom Groups to streamline policy enforcement

With a device control policy in place, applying it to a group rather than to individual users makes sense. A Custom Group collects the users, user roles, and endpoints that a given device control policy should cover.

Voila! The report

Extensive audits will be generated in real-time as soon as the file shadowing policies are applied. The logs include details such as the devices, endpoints, and users involved in the operation, the file name, and the time it was shadowed. The logs are readily available and are used to analyze file shadow actions performed across the organization.

The kryptonite of file shadowing

File shadowing requires disk space and considerable bandwidth to store the shadowed data in a remote share folder. The file extension and size filters keep the shadowing relevant and the volume manageable.

Files that fall outside those filters can still be tracked with file tracing, which records file activity regardless of size and extension.

Benefits 

  • Whether data loss is accidental or intentional, the file shadowing/data mirroring feature means the copy in the shared folder is still accessible, provided the transfer happened while the policy was in force; missing files can be cross-referenced against the shared folder.
  • If a file is corrupted or goes missing while being carried on a USB device after being copied off a system, the shadowed copy can be retrieved from the network share and restored to a location where authorized employees can reach it.
  • Critical and confidential files, such as passwords, financial records, or protected personal information, otherwise cost sysadmins considerable time and effort every time a user needs access to them.
  • Instead of repeatedly granting and revoking access to a file held in a vault, Device Control Plus lets users be granted access to the replicated data in the network file archive on the remote share, which is both a convenience and a security benefit.

While this article advocates file shadowing, other features are designed to optimize peripheral device management.

With Device Control Plus, you can enforce a Zero Trust policy and only let the devices you choose have their way around the network by creating a list utilizing role-based access control.

Role-based access control defines what each user role is allowed to do, giving a hierarchical way to manage who can view the logs and file tracing reports, among other things.

Feel free to explore the features of Device Control Plus.


Google Search to roll out ‘About this image’ feature in coming months


Google will release a new feature for its search called “About this image” that reveals more information about a specific image. The feature goes live in the coming months.

Google Search is getting smarter thanks to its reliance on AI and the wealth of data the company gathers across many domains. Search will now get a feature that helps debunk misinformation about an uploaded image and gives users insight into it.

According to the company’s blog post, the About this Image feature will “help you spot misinformation online, quickly evaluate the content, and better understand the context of what you’re seeing.”

The ‘About this image’ feature comes to Google Search

The company further explains that About this Image gives users important context: when the image and similar images were first indexed by Google, where it may have first appeared, and where else it has been seen online (such as on news, social, or fact-checking sites).

With AI now able to create near-photorealistic images in exceptional detail, such tools help users check an image’s credibility and curb the spread of misinformation. “With our About this result tool, you can quickly see more information about a source or topic, so you can assess whether you can trust what you’re reading,” Google added.

The About this Image feature will be rolled out in the coming months. Additionally, it’ll be accessible by clicking on the three dots on an image in Google Images results, searching with an image or screenshot in Google Lens, or by swiping up in the Google App when you’re on a page and come across an image you want to learn more about.

The tech giant also adds that users could access the feature later this year by right-clicking or long-pressing on an image in Chrome on desktop and mobile.

Google is also rolling out its own generative image capabilities. Every image generated by Google’s tools will carry markup in the original file flagging it as AI-generated, so other platforms can show that context to users. Creators and publishers such as Midjourney and Shutterstock could add their own markup as well.



Duet AI brings new AI features to Google Workspace tools


Google is rebranding its AI efforts for the Workspace suite of productivity apps such as Docs and Gmail. Announced in March, the company is housing the new features under the Duet AI brand. The AI tools aren’t yet widely available to the general public. The firm has shared a tentative timeline for the availability of some of them, though.

Google rebrands Workspace AI features to Duet AI

Generative AI tools are the talk of the tech town lately. Tech firms are hurrying to integrate these tools into their products. Google announced its plans to bring AI features to Workspace apps in March after Microsoft added similar tools to its productivity suite. There haven’t been many updates from Google on the plans since the original announcement.

But at Google I/O yesterday, the company revealed that it’s streamlining the efforts, starting with a rebranding to Duet AI. It will cover everything from the writing assistance tool in Docs and Gmail, the image generation tool in Slides, automatic meeting summaries for Meet, and more. The writing assistant also gets a proper name — Help me write. It’s an upgrade to the existing Smart Compose tool.

These tools are available through Workspace Labs, and you can sign up to join the waitlist. As noted by The Verge, the waitlist is no longer private, so anyone can join it. However, Google still doesn’t say when the tools will be available to everyone; all it says is that it’s working to bring Duet AI “to even more users and countries in the weeks ahead,” while providing the following estimates for feature availability.

Help me write is now available on the Gmail mobile app and rolling out via Workspace Labs starting this week. Since you don’t have access to a full keyboard on mobile phones, this tool can be pretty useful. “As you can imagine, mobile creates a whole bunch of constraints,” said Workspace VP Aparna Pappu. “And so we expect people to use far shorter prompts when asking AI to help them write mobile, and we’ve had to tune our experience there to create the best possible output with the least possible input.”

Gmail contextual responses will follow the writing assistance in Workspace Labs by the end of this month. Next month, Google will add the image generation tool to Slides and a tool to organize complex projects in Sheets. Those will be followed by intelligent classification in Sheets, custom backgrounds in Google Meet, and AI building blocks in Docs. Google also plans to add an AI-powered proofreading tool to Docs. It will be available in preview to Workspace commercial users in the coming months.

Google teased a new AI tool called Sidekick

Google also teased a new feature called Sidekick at the I/O yesterday. It can analyze documents to read, summarize, and answer questions across many of its products. The tool can even provide suggestions that may improve your content. “For example, if you’re writing a story, it might suggest that you generate some images to illustrate it,” the Verge explains. Pappu described the tool as “the future of collaboration with AI” but didn’t share its availability details. We may have to wait a few more months for the Google Sidekick.



Github Announced Push Protection Feature Free


GitHub is one of the largest code repository platforms developers use worldwide.

Developers in organizations, individual developers, and enterprise developers use the platform to commit and push code to their repositories.

Microsoft acquired GitHub in 2018, and several features have been added since.

In April 2022, GitHub introduced the beta version of the push protection feature for GitHub Advanced Security users.

The feature scans code as it is being pushed to GitHub, blocks pushes that contain likely secrets, and tells developers how to fix the problem before the secret lands in the repository.

Ever since the release of this feature, it has prevented 17,000 potential secrets from leaking, amounting to 95,000 hours of revoking, rotating, and remediating the exposed secrets.

The push protection feature was limited to users with GitHub Advanced Security License.

However, GitHub has announced that they will release the push protection feature free for all public repositories, which can proactively help open source developers maintain security on their code.

GitHub has partnered and worked closely with the service providers whose API tokens it detects to tune the push protection patterns, so the rate of false positives is negligible.

GitHub also stated that if the developers are prompted with alerts on the push protection feature, it is worth investigating it.

Ger McMahon, Product Leader of ALM Tools and Platforms at Fidelity Investments, stated, “Incorporating secret scanning with push protection directly into the development workflow reduces friction, enabling developers to create secure and high-quality code.”

Push protection identifies the type of secret exposed and provides remediation steps through a prompt in the IDE or guidance on the command line. Since the block happens at push time, the secret is already in a local commit: the developer needs to amend or rewrite that commit rather than add a fix on top, and should rotate the credential if there is any chance it was exposed elsewhere.

Developers also have the option to ignore these push protection prompts by mentioning them as false positive, testing, acceptable risk, or can be fixed later.

However, these responses are recorded through organization or enterprise audit logs which can be investigated by security managers or administrators later.

To enable push protection in the repository, users must go to “Code Security and analysis” on their repository and enable the “Push Protection” option in the secret scanning section.

Push Protection feature. Source: GitHub

This push protection feature can also be customized based on a custom secret pattern for additional protections based on the organization’s requirements.
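As an added example, not GitHub’s implementation, the following Python sketch shows the shape of the workflow described above: scan only the lines a push would add, block with remediation guidance, and record any bypass together with its reason so security staff can review it later. The token regexes are illustrative patterns for publicly documented formats, and the diff is constructed (the AWS key id is the one AWS uses in its own documentation examples).

```python
"""Pre-push style secret scan, modelled on the push-protection workflow described above."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "secret_type line_no redacted")

# Illustrative regexes for publicly documented token formats (not GitHub's own detectors).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# The bypass reasons the article lists; anything else is not accepted.
BYPASS_REASONS = {"false_positive", "used_in_tests", "acceptable_risk", "fix_later"}


def _redact(token):
    """Never echo a full secret back into logs or terminals."""
    return token[:6] + "..." + token[-4:]


def scan_diff(diff_text):
    """Scan only the lines a push would add ('+' lines, not the '+++' file header)."""
    findings = []
    new_line_no = 0
    for raw in diff_text.splitlines():
        hunk = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
        if hunk:
            new_line_no = int(hunk.group(1)) - 1   # line numbers refer to the new file
            continue
        if raw.startswith(("+++", "---", "diff ", "index ")):
            continue
        if raw.startswith("-"):
            continue                              # removed lines never reach the remote
        new_line_no += 1                          # context line or added line
        if raw.startswith("+"):
            for secret_type, pattern in PATTERNS.items():
                for match in pattern.finditer(raw[1:]):
                    findings.append(Finding(secret_type, new_line_no, _redact(match.group(0))))
    return findings


def remediation(finding):
    return (f"{finding.secret_type} on line {finding.line_no} ({finding.redacted}): remove it "
            "from the commit (amend or rewrite, not a new commit on top), rotate the credential, "
            "and load it from the environment or a secret store instead.")


def decide_push(diff_text, bypass_reason=None, actor="developer"):
    """Return (allowed, messages, audit_record). Findings block the push unless the developer
    gives one of the accepted reasons; then the push goes through and the bypass is recorded,
    as in the organisation audit log the article mentions."""
    findings = scan_diff(diff_text)
    if not findings:
        return True, [], None
    messages = [remediation(f) for f in findings]
    if bypass_reason in BYPASS_REASONS:
        audit = {"actor": actor, "reason": bypass_reason,
                 "secrets": [(f.secret_type, f.line_no) for f in findings]}
        return True, messages, audit
    return False, messages, None


# Constructed diff: one added line holds AWS's documented example key id, one a PAT-shaped
# string; the removed PAT-shaped line must not block the push because it is already gone.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,4 @@
 import os
-OLD = "ghp_ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+REGION = os.environ.get("AWS_REGION", "eu-west-1")
"""
```

decide_push(SAMPLE_DIFF) refuses the push and returns two remediation messages; decide_push(SAMPLE_DIFF, bypass_reason="used_in_tests", actor="alice") lets it through but returns an audit record naming the actor, the reason and the secret types and lines, which is the trail an administrator would later review.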


HONOR Magic Vs foldable finally gets a price tag & launch date


HONOR announced its latest foldable smartphone globally back in February; in China it launched in November last year. Up until now we didn’t know the HONOR Magic Vs’ price tag or global launch date, but HONOR has just revealed both.

The HONOR Magic Vs foldable gets a price tag and launch date… in the UK

Granted, the company has only revealed its UK price for the moment, but we can estimate what it will cost elsewhere in Europe from that. The HONOR Magic Vs is priced at £1,399, while launch offers bring that down to £1,199. Those launch offers are available only via the company’s official HiHonor website, though.

If you’re wondering when it will go on sale, the date is May 19, for the UK only. The phone will be available in Black and Cyan. Starting on May 26, it will also be sold via Amazon, Argos, and Very, in Black only; the Cyan color appears to be exclusive to the HiHonor store.

If we convert its price tag to euros, we get a price of around €1,600. With launch offers, it could be even lower than that. That’s only a wild guess, it’s possible that the price tag will be higher in other parts of Europe, though it’s odd HONOR didn’t mention anything about that today. We do hope that the company is still planning to offer the device in more markets.

It has a ‘Super-light Gearless Hinge’ with only 4 structural components

The Magic Vs measures 12.9mm when folded, and weighs 267 grams. The company still managed to squeeze in a 5,000mAh battery in there. It also comes with HONOR’s Super-light Gearless Hinge that lowers the number of structural components from 92 to only 4. HONOR says that this hinge can withstand up to 400,000 folds, which is outstanding, actually.

The device has a 7.9-inch inner (foldable) display with a 120Hz refresh rate, while the outer cover display measures 6.45 inches and runs at 90Hz. The handset is made of metal and glass.

It has three cameras on the back, and it’s fueled by the Snapdragon 8+ Gen 1 SoC. Android 13 comes pre-installed, while MagicOS 7.1 is included on top of it. If you’d like to know more about the device, check out our full review.



Google’s Universal Translator tool is impressive and scary


Anytime you talk about the subject of artificial intelligence, you’re talking about something that’s morally gray and potentially devastating. The case is the same with the Universal Translator tool that Google talked about during Google I/O. The company spoke about the potential good that this tool can bring along with the potential harm (via Techcrunch).

With the introduction of Bard, the tool that can be used to create code and written content, and MusicLM, the tool that can be used to instantly generate music from a text prompt, Google definitely talked about some scary technology that could do some major harm. Universal Translator is no different.

This is a genuinely innovative technology for translating speech. It takes a video of someone speaking and dubs it into a different language: the speech is translated, an AI-generated voice matching the original speaker’s voice and tone plays it back, and finally AI re-syncs the speaker’s lips to the new audio.

It will be as though the speaker originally recorded the video in a different language.

Google acknowledges that the Universal Translator tool can be used for harm

Artificial intelligence is, and has been, skirting the line between useful and dangerous. The use of AI-generated voices and deep-faking technology is creeping out of The Uncanny Valley and into Realism City. It’s becoming harder to distinguish between AI-generated voices and the real thing.

This means that we’re approaching the ability to generate any person saying or doing anything. Do you hate a celebrity? You can make a fake video of them saying racist or anti-Semitic things. Are you a jealous ex? Well, you can generate false videos or audio of them cheating on their current lover. That’s becoming less of an impossibility.

This is why, during the presentation, James Manyika stressed the phrase “bold and responsible.” Google says that, before making this technology available to the masses, it will do what it can to ensure malicious people can’t use it for malicious acts.

The thing is, it’s tough to see how the company will be able to accomplish this. There’s only one Google, but there are millions of malicious people out there. This could easily get out of control and cause some real harm to innocent people. We’ll just have to see how things play out and hope that Google knows what it’s doing.



How to create one and when you shouldn’t


Google is offering users the best option to date for securing their accounts against phishing. (Hint: it’s not passwords.)

Google has just brought users closer to a passwordless future.

In a recent blog post, the tech giant introduced the option to create and use a safer, more convenient alternative to passwords: Passkeys, a form of digital credential. So, how do they work?

Passkeys are based on public-key cryptography (asymmetric cryptography), which uses a pair of keys: a public key, stored by the app or website, and a private key, the core of the passkey, which stays on the user’s device. The website never sees the private key. When a Google user signs in with a passkey, Google sends the device a fresh challenge, the device signs it with the private key once the user has unlocked the device, and Google verifies the signature with the public key it has on file.

This makes accounts significantly more resilient: the private key never leaves the device, so unlike a password it can’t be phished, stolen in a breach of the website (which holds only the public key), or intercepted in transit. It also means the account can’t be compromised through a weak or reused password, because there is no password.

As the authors of the blog put it:

“Using passwords puts a lot of responsibility on users. Choosing strong passwords and remembering them across various accounts can be hard. In addition, even the most savvy users are often misled into giving them up during phishing attempts. 2SV (2FA/MFA) helps, but again puts strain on the user with additional, unwanted friction and still doesn’t fully protect against phishing attacks and targeted attacks like ‘SIM swaps’ for SMS verification. Passkeys help address all these issues.”

The blog authors identified some benefits users could get out of using Google passkeys:

  • Guaranteed access. Suppose you created a passkey on a Google account you access with your smartphone. You can then use that passkey to sign in to the same Google account on other devices, such as a laptop, without syncing it: the phone only needs to be near the device and you approve the sign-in on the phone. If you create a passkey on the laptop, or on each device you own, you won’t need the phone to access your Google account.
  • A backup key. Some platforms securely back up your passkeys and sync them to your other devices. For example, a passkey created on your iPhone is also available on your other Apple devices signed in to the same iCloud account. This prevents you being locked out if you lose a device, and makes moving to a new device easier, since the passkey syncs along with everything else.
  • Phishing and breach protection. Because the private key stays on your device and only works for the site it was created for, phishers can’t capture your credentials, and a breach of the website exposes only public keys, which can’t be reused to sign in.
  • It can replace physical security keys. Google said that passkeys are “strong enough that they can stand in for security keys for users.” A security key is a physical device used to sign in to your accounts. Like passkeys, it’s another passwordless method of authentication. An example of a security key is YubiKey.

It’s worth noting that passkeys combine two of the three factors used in MFA: something you have (the device holding the private key) and either something you are (your biometrics) or something you know (the device PIN or pattern used to unlock it). That makes a passkey a form of MFA in a single step. However, according to the FIDO Alliance, some regulatory bodies have yet to recognize it as such, something the alliance is actively working towards.
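To show why the private key can’t be phished or replayed, here is an added, simplified Python model of the WebAuthn-style exchange. It is example code, not Google’s or the FIDO Alliance’s: a device keeps one ES256 key pair per site, the site stores only the public key and issues a fresh challenge, and the device signs the challenge together with the origin that asked for it. It uses the cryptography library; authenticator data and attestation are omitted, the signed payload is the client data alone rather than the full WebAuthn structure, and the site names are made up.

```python
"""Simplified passkey (WebAuthn-style) sign-in: registration, challenge, origin binding."""
import json
import os

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec


class Authenticator:
    """The user's device. One key pair per relying party; private keys never leave it."""

    def __init__(self):
        self._keys = {}  # rp_id -> private key

    def create(self, rp_id):
        key = ec.generate_private_key(ec.SECP256R1())  # ES256, WebAuthn's default algorithm
        self._keys[rp_id] = key
        return key.public_key().public_bytes(
            serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)

    def get(self, rp_id, origin, challenge):
        """Sign a challenge for rp_id. The browser derives rp_id from the page's origin, so a
        phishing page can only ask for its own rp_id, and no credential exists for that."""
        key = self._keys.get(rp_id)
        if key is None:
            return None
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
            sort_keys=True).encode()
        # Simplification: real WebAuthn signs authenticatorData || SHA-256(clientDataJSON).
        return client_data, key.sign(client_data, ec.ECDSA(hashes.SHA256()))


class RelyingParty:
    """The website. It holds only public keys, so a database breach yields nothing reusable."""

    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.origin = "https://" + rp_id
        self._pubkeys = {}   # username -> public key
        self._pending = {}   # username -> outstanding challenge (single use)

    def register(self, user, pubkey_pem):
        self._pubkeys[user] = serialization.load_pem_public_key(pubkey_pem)

    def begin_login(self, user):
        self._pending[user] = os.urandom(32)  # fresh, unpredictable challenge per attempt
        return self._pending[user]

    def finish_login(self, user, assertion):
        challenge = self._pending.pop(user, None)  # consume first: a replay finds nothing
        pubkey = self._pubkeys.get(user)
        if assertion is None or challenge is None or pubkey is None:
            return False
        client_data, signature = assertion
        data = json.loads(client_data)
        if (data.get("type") != "webauthn.get"
                or data.get("origin") != self.origin        # origin binding
                or data.get("challenge") != challenge.hex()):
            return False
        try:
            pubkey.verify(signature, client_data, ec.ECDSA(hashes.SHA256()))
        except InvalidSignature:
            return False
        return True


def scenario():
    """Run a genuine sign-in, a phishing relay and a replay; return the outcomes."""
    device = Authenticator()
    site = RelyingParty("accounts.example")              # constructed relying party
    site.register("alice", device.create("accounts.example"))

    ch = site.begin_login("alice")
    genuine = site.finish_login(
        "alice", device.get("accounts.example", "https://accounts.example", ch))

    # Phishing: evil.example proxies the real challenge, but the browser only lets the page
    # request rp_id "evil.example", for which the device has no key, so nothing is signed.
    ch = site.begin_login("alice")
    phished = site.finish_login(
        "alice", device.get("evil.example", "https://evil.example", ch))

    # Replay: a captured assertion is useless once its challenge has been consumed.
    ch = site.begin_login("alice")
    assertion = device.get("accounts.example", "https://accounts.example", ch)
    first = site.finish_login("alice", assertion)
    replayed = site.finish_login("alice", assertion)
    return {"genuine": genuine, "phished": phished, "first": first, "replayed": replayed}
```

The genuine sign-in succeeds, the phishing relay fails before any signature is produced, and the replayed assertion fails because its challenge has already been consumed. A credential stuffing or database-theft attack has nothing to work with either: the relying party’s store contains public keys only.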

Minimum hardware and software requirements

Google has listed what you’ll need in order to create a passkey: Windows 10 or macOS Ventura (or later) running Chrome 109, Safari 16, or Edge 109 (or later), or iOS 16 or Android 9 (or later) on a mobile device.

You also need a screen lock enabled on the device, and Bluetooth if you want to use a passkey on your phone to sign in on another device.

When you shouldn’t create a passkey

Passkeys should only be created on devices you personally control. For that reason, you shouldn’t create a passkey on a Google Workspace account provided by a school or employer, or on devices you share with other people, like a family computer, because anyone who can unlock the device can use the passkey to sign in to your Google account. Signing out doesn’t help: once a passkey exists on that device, anyone who can unlock it can sign back in with the passkey.

How to create a passkey in two simple steps

I used an iOS device here.

1. Go to g.co/passkeys to trigger the process.

You can also log in to your Google account. From the Home page, go to Security. Scroll down to How you sign in to Google and pick Passkeys as an added sign-in option. You’ll land on the same page as above.

2. Click Create a passkey. An overlay will display, confirming that you can create a passkey on the device. Click Continue.

Note: If you have your iCloud Keychain disabled, your device will prompt you to enable it.

And you’re done!

The first time you sign in, the computer displays a QR code you can scan with your mobile device’s camera. Once signed in, you may be prompted to create a passkey for the computer. As we’ve said, only agree if you don’t share the computer with anyone.

If in the future, you decide to stop using passkeys, Google gives you the option to remove them. You can also opt out of using passkeys entirely. In cases when devices have been lost or stolen, or the passkey goes missing or unavailable, you can check Google’s recommendations on this Account Help page.

Google isn’t the only company that has been working on an alternative to passwords. Apple and Microsoft have also announced they’ll support passkeys on their respective platforms to address password problems. 

Watch this space!

