October is synonymous with the European Cybersecurity Awareness Month (ECSM), a time when cybersecurity professionals around the world unite to promote awareness and share valuable insights. Throughout this month, I shared a series of LinkedIn posts that highlighted various facets of cybersecurity, including password managers, multifactor authentication (MFA), the dangers of phishing, and the revolutionary concept of passkeys.
In this blog post, I aim to distill these key messages, focusing particularly on Passkeys — the topic that resonated most with readers.
Password Managers: Your Invisible Shield Against Data Breaches
We began the month by talking about one of the most fundamental steps toward cybersecurity: managing your passwords effectively. Password managers act like invisible shields, helping you create and securely store strong, unique passwords for every online account. Why is this crucial? Because reusing passwords, though convenient, opens the door for potential attackers to gain access to multiple accounts through a single breach.
Password managers solve this problem by generating random, complex passwords and storing them securely, so you don’t have to remember them. If you’re just starting out, browser-based password tools like those in Chrome or Firefox are good first steps. However, specialized solutions like Bitwarden or LastPass offer enhanced security features and are more flexible.
Setting up a password manager is as easy as downloading the app, creating a strong master password, and letting the manager take care of your credentials from there. It’s like creating a single master key that unlocks all your digital doors—making your online presence far more secure with much less hassle. However, it is crucial to safeguard this master password carefully, as losing it could mean losing access to all your accounts. Many password managers offer recovery options, such as setting up emergency contacts or using secure backup methods, to help mitigate this risk.
But what if a stolen or guessed password alone were not enough to get into an account? This is where multifactor authentication (MFA) comes into play, and we return to it further below…
A tip that I shared in that post was to check whether your existing passwords have already been compromised. A service like haveibeenpwned.com lets you check whether your e-mail address or a password of yours has appeared in known breaches; if so, that is your signal to change it, and to change it everywhere you reused it.
The Future is Here: Passkeys as the Next Big Step in Authentication
The post that garnered the most attention throughout ECSM focused on passkeys—a modern, passwordless solution for authentication. Passkeys are set to change how we secure our digital identities, and their rise couldn’t come at a better time.
So, what exactly are passkeys, and why are they such a game changer? At their core, passkeys are FIDO2/WebAuthn credentials. Instead of a password, each passkey is a cryptographic key pair: the private key is created and stored on your device (or in your platform's keychain) and never leaves it, while the public key is registered with the service when you enroll. Logging in means proving possession of the private key by signing a one-time challenge from the service; no secret is ever typed in or sent across the internet. This removes the attack surface that passwords have: there is nothing to steal from a breached database, nothing to guess by brute force, and nothing to type into a fake site.
Unphishable Security
One of the greatest advantages of passkeys is that they are “unphishable.” The reason is not the fingerprint or face scan, which only unlocks the key on your device; it is that a passkey is bound to the web origin it was registered for. The browser or operating system will only offer a passkey to the site whose domain matches, so there is no moment at which you could be tricked into entering your credential on a fake website, because you never enter anything. Unlike traditional passwords, which are vulnerable to phishing tactics, passkeys rely on your device to validate your identity using biometrics, such as a fingerprint or face recognition, or a device PIN.
For example, if an attacker sends you a link to a look-alike website and prompts you to log in, the passkey simply does not work there: your device has no credential for that domain and will not sign the attacker's challenge. A separate key pair is created for each service you use, the private key is never shared with the site (the site only ever holds the public key), and the signed response also includes the origin the browser saw, so a signature obtained on the wrong site would fail verification even if it could be relayed. In a world where phishing has become an increasingly sophisticated threat, passkeys represent a significant leap forward in protecting our online identities.
Adoption by Industry Leaders
Tech giants like Google, Apple, and Microsoft have already embraced passkeys as the future of secure online authentication. This widespread adoption is critical in pushing the ecosystem towards passwordless solutions that are both simple and secure. Imagine logging into your email or favorite online store without entering a password—instead, you simply confirm your identity through your fingerprint or facial recognition. No more memorizing complex passwords, no more resets, and far fewer risks of being hacked.
Passkeys also promise greater convenience without compromising security. They integrate seamlessly into existing devices and systems, making them accessible for a broad user base. For businesses, especially those in industries like finance or healthcare, where user data protection is paramount, passkeys offer an attractive solution to strengthen authentication without adding cumbersome steps for the user.
Frequently asked Questions regarding passkeys
One question that often arises with passkeys is: What happens if you lose the device that holds your passkeys? In such cases, the ability to recover access becomes crucial. Most modern ecosystems that support passkeys, like Apple’s iCloud Keychain or Google’s account sync, provide recovery options. For instance, if your device is lost or damaged, you can restore your passkeys on a new device from the cloud backup, of course only after passing strong authentication checks that verify your identity. This approach ensures that losing a device doesn’t mean losing access to all your accounts. Two caveats are worth knowing: a synced passkey is only as well protected as the cloud account it syncs through, so that account deserves the strongest authentication and recovery settings you have; and passkeys on a hardware security key are device-bound and not backed up at all, so register a second key or another sign-in method as a fallback.
Another point that deserves attention is the public-key principle underlying passkeys. During authentication, a private key, securely stored on your device, signs a challenge sent by the service you are logging into, and the corresponding public key, stored by the service at enrollment, verifies that signature. No sensitive data such as a password is ever transmitted: the service sends a fresh random challenge, and your device responds with a signature that only the private key can produce. Because the challenge is different every time, a captured response cannot be replayed later, and because the public key is useless for signing, a breach of the service’s database exposes nothing an attacker can log in with.
You might wonder about the security implications of the local authentication step. Indeed, the local authentication, a device PIN or a biometric, is what unlocks the private key stored on your device. A short PIN may look weaker than a strong password, especially if it is the same as the device’s unlock PIN. The key difference is where it can be attacked: a password can be guessed or phished from anywhere on the internet, whereas the PIN is only useful to someone who already has your device in hand, the private key never leaves that device, and authenticators typically lock or wipe the credential after a small number of wrong attempts. The online service cannot dictate or learn which local method you use; by design, that information stays on the device for privacy. What the service can do is request user verification (WebAuthn’s userVerification option) and check the flag in the signed response that says whether a PIN or biometric was actually used, but it cannot tell the two apart. The challenge here is to balance convenience with security. For higher security, use a biometric or a dedicated PIN for passkey access, even though services cannot enforce that choice. This flexibility is both a strength and a potential weakness, depending on how users configure their devices.
Moving Beyond Passwords with Multifactor Authentication (MFA)
Until passkeys are fully mainstream, a critical step you can take to enhance your security is using multifactor authentication (MFA). We talked about how MFA is an excellent way to add an extra layer of security beyond just passwords. With MFA, you don’t just rely on a password but also add a second method—like a verification code sent to your phone, a physical security key, or a fingerprint scan.
MFA is a significant barrier against attacks. Even if your password is compromised, the attacker still needs the second factor to get into your account. I suggested using authenticator apps like Google Authenticator or Microsoft Authenticator, which are more secure alternatives to SMS-based codes. These apps generate a new time-based one-time code every 30 seconds from a secret shared with the service at setup, so a leaked password alone is not enough, and there is no SMS to intercept or SIM to swap. One caveat: a code can still be phished in real time by a fake site that relays it to the real service within its validity window, which is exactly the gap that security keys and passkeys close.
Evolving Threats: Phishing, Quishing, and Deepfakes
Throughout the month, we also discussed evolving threats like phishing and its newer variant, quishing—phishing via QR codes. These attacks have become increasingly sophisticated, especially with the advent of AI. Phishing emails today look remarkably genuine, thanks to AI tools that can mimic language patterns, formatting, and even sender details, making it harder for people to distinguish between legitimate and malicious messages. One of the best indicators of a phishing attempt is the presence of psychological pressure—whether it’s an appeal to authority, time pressure, threats, or other tactics designed to create urgency and manipulate your emotions.
We also explored quishing, a method where attackers use QR codes to trick users into visiting malicious websites. While QR codes are convenient, they can be manipulated just as easily as any other link. When scanning QR codes, especially from unfamiliar sources, it’s wise to use a QR scanner that previews the link before taking you there.
Another emerging threat is the misuse of deepfakes—AI-generated videos that look convincingly real but are entirely fabricated. This technology has already been used in fraud schemes, such as tricking people into making financial transactions by impersonating company executives (for a critical view on this threat visit https://www.sueddeutsche.de/wirtschaft/deepfake-betrug-videokonferenz-hongkong-1.6344209). The key to combating deepfakes is awareness—understanding that just because we see someone say something on video doesn’t necessarily mean it’s real.
AI: A Double-Edged Sword in Cybersecurity
Artificial Intelligence plays a dual role in cybersecurity. While cybercriminals use AI to improve the precision and scale of their attacks, the security industry is also harnessing AI to bolster defenses. Gamified tools like Gandalf, a prompt-injection challenge in which you try to talk a chatbot into revealing a password it was told to keep, are especially useful for understanding the risks of large language models (LLMs), which have gained significant popularity. This makes it easier for people to understand these emerging threats and practice safer online behaviors.
By incorporating AI-driven solutions, we can detect and respond to threats more quickly. AI allows systems to recognize abnormal patterns—whether it’s an employee trying to access sensitive data they normally wouldn’t, or identifying phishing emails based on subtle language cues. However, it’s also essential to remember that AI isn’t infallible, and a human element is still necessary to catch what automated systems might miss.
Leveraging Cybersecurity Resources for Businesses
The European Cybersecurity Awareness Month is also a time for companies to harness available resources and improve their internal cybersecurity protocols. Whether through educating employees on best practices, adopting password managers and MFA, or exploring new authentication methods like passkeys, every step counts towards creating a more secure environment.
Businesses can benefit immensely from initiatives like the ECSM by holding workshops, using available materials to spread awareness, and encouraging good cybersecurity hygiene among their workforce. This not only protects the company but also enhances customer trust and loyalty. See also https://www.bsi.bund.de/DE/Service-Navi/Veranstaltungen/ECSM/ecsm.html
The Journey Towards a Safer Digital World
The journey to better cybersecurity is ongoing, and it evolves with each new challenge presented by technology and cybercriminals alike. What I wanted to achieve with my posts during ECSM was to shed light on both the threats and the solutions, empowering individuals and organizations to take proactive steps towards securing their digital lives.
The enthusiastic response to the post on passkeys shows that people are eager for a change—a future where the cumbersome and vulnerable system of passwords is replaced by something inherently safer and more intuitive. Passkeys offer that future, but until then, embracing password managers, MFA, and a heightened sense of caution against phishing, quishing, and deepfakes are pivotal measures that everyone should adopt.
Cybersecurity awareness shouldn’t end with a month; it should be a continuous endeavor, incorporated into our daily lives and routines. As we move forward, I invite you all to stay informed, ask questions, and make cybersecurity a priority—not just for the safety of your own data but also for the broader digital ecosystem.
The threats will keep evolving, but with the right tools and knowledge, so will our defenses.