What is a Pass Key and Is Now the Time To Adopt Them?

I’m not convinced. Yet. However…

There has been recent news about a massive collection of leaked login credentials widely reported as 16 billion exposed credentials.

The Ultimate Guide to Passwords, Password Managers, Two Factor and Passkeys

Here’s what’s important to understand about this:

It’s not a single new breach: Cybersecurity researchers, particularly Cybernews, have recently discovered approximately 30 exposed datasets that collectively contain about 16 billion compromised login credentials. This isn’t from one specific company being hacked right now. Instead, it’s a compilation of credentials that have been stolen over time through various data breaches, phishing scams, and infostealer malware, and then compiled into these datasets.

Duplicates are very likely: Since 16 billion is roughly double the number of people on Earth, it’s highly probable that these datasets contain many duplicate entries and that individuals may have had credentials for multiple accounts leaked. It’s impossible to tell the exact number of unique people or accounts exposed.

Widespread impact: The leaked data reportedly includes login information for a wide range of popular platforms, including Google, Facebook, Apple, GitHub, Telegram, and even some government portals.

Ongoing threat: This compilation highlights the continued and pervasive threat of infostealer malware and the importance of strong cybersecurity practices.

While the exact number might be debated or slightly different across various reports, the core message is that an enormous amount of stolen login data is circulating online, posing a significant risk to individuals and organizations. Making matters worse, one report I saw stated that only 6% of those exposed credentials were unique, which means 94% were the same pass codes used across multiple accounts.

So what the heck is a Passkey?

A passkey is a modern, more secure, and convenient alternative to traditional passwords for signing into websites and applications. It’s designed to create a “passwordless” sign-in experience. Passkeys are a significant step towards a more secure and user-friendly online authentication future, widely supported by major tech companies like Apple, Google, and Microsoft.

Here’s a breakdown of what a passkey is and how it works:

What it is:

  • A digital credential: A passkey is a unique cryptographic credential tied to your user account and a specific website or application.
  • Replacement for passwords: Its primary purpose is to replace the need to remember and type complex passwords.
  • Built on strong cryptography: Passkeys utilize public-key cryptography (specifically the FIDO Alliance’s WebAuthn standard), making them highly resistant to common attacks like phishing, credential stuffing, and server breaches.
  • Device-linked: Your private passkey is stored securely on your device (e.g., smartphone, laptop, or a hardware security key). It never leaves your device.
  • User-friendly: Instead of typing a password, you authenticate using your device’s built-in security features, such as:
      • Biometrics: Fingerprint or facial recognition (e.g., Touch ID, Face ID, Android biometrics)
      • PIN: Your device’s screen unlock PIN or pattern

How it works (simplified):

  1. Creation/Registration: When you create a passkey for an account, your device generates a unique pair of cryptographic keys:
      • Private key: This is your actual “passkey” and is stored securely on your device (e.g., in a secure enclave, TPM, or a password manager).
      • Public key: This key is sent to and stored by the website or application’s server. The private key never leaves your device, and the public key alone cannot be used to compromise your account.
  2. Signing In: When you want to sign in:
      • The website/app sends a challenge (a random piece of data) to your device.
      • Your device uses its private passkey to “sign” this challenge. This process requires you to unlock your device using your biometric (fingerprint/face) or PIN, proving that you are the legitimate owner of the device.
      • The signed challenge (and not your private key) is sent back to the website/app.
      • The website/app uses its stored public key to verify the signature. If it matches, it confirms your identity and grants you access.
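
The registration and sign-in steps above, as an added example that is not part of the original article: a simplified model in Node.js using only the built-in crypto module. The function names, result strings and the two origins are constructed for illustration, and real WebAuthn messages carry more fields than the challenge and origin shown here.

```javascript
// Added illustration (not from the original article): a simplified model of the
// passkey flow using Node's built-in crypto. Real WebAuthn messages carry more fields.
const crypto = require("crypto");

// Registration: the device generates the key pair; the server stores only the public key.
function registerPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { device: { privateKey }, server: { publicKey } };
}

// Server: a fresh random challenge per sign-in attempt.
const newChallenge = () => crypto.randomBytes(32).toString("hex");

// Device: after the user unlocks it, sign the challenge plus the origin the browser is on.
function deviceSign(device, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin });
  const signature = crypto.sign("sha256", Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Server: verify the signature first, then the challenge and origin it covers.
function serverVerify(server, expectedChallenge, expectedOrigin, response) {
  const data = Buffer.from(response.clientData);
  if (!crypto.verify("sha256", data, server.publicKey, response.signature)) return "bad-signature";
  const { challenge, origin } = JSON.parse(response.clientData);
  if (challenge !== expectedChallenge) return "wrong-challenge";
  if (origin !== expectedOrigin) return "wrong-origin";
  return "ok";
}

function demo() {
  const site = "https://bank.example";             // constructed origin
  const lookalike = "https://bank-login.example";  // constructed look-alike origin
  const { device, server } = registerPasskey();
  const c1 = newChallenge();
  const good = deviceSign(device, c1, site);
  const fromLookalike = deviceSign(device, c1, lookalike);
  return {
    legit: serverVerify(server, c1, site, good),
    replayed: serverVerify(server, newChallenge(), site, good),
    phished: serverVerify(server, c1, site, fromLookalike),
    // Rewriting the origin after signing invalidates the signature.
    rewritten: serverVerify(server, c1, site, { ...fromLookalike, clientData: good.clientData }),
  };
}

console.log(demo());
```

Only the first response is accepted: a reused response fails the challenge check, a response produced on the look-alike origin fails the origin check, and editing the signed data breaks the signature.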

Key Advantages of Passkeys:

Enhanced Security:

  • Phishing Resistant: Since passkeys are tied to the specific website and your device, you cannot be tricked into entering them on a fake site.
  • No Shared Secrets: Your actual private key is never transmitted or stored on the server, significantly reducing the risk of breaches.
  • Always Strong: Passkeys are cryptographically strong by design, eliminating the need for users to create and remember complex passwords.

Improved Convenience:

  • Passwordless Login: No more typing passwords.
  • Faster Sign-ins: Often a single tap or biometric scan is enough.
  • Seamless Cross-Device Syncing: Many passkeys can be synced across your devices within the same ecosystem (e.g., Apple, Google, Microsoft) or via third-party password managers, allowing you to use them on different devices without re-enrollment.
  • Better User Experience: Simplifies account creation and login processes.

Argument for: Adopting passkeys now significantly enhances security by eliminating phishing and credential theft vulnerabilities inherent in passwords. They offer a far more convenient user experience, simplifying logins with biometrics or PINs, leading to increased adoption and reduced support costs. Early adoption positions organizations for the future of online authentication.

Argument against: Passkeys aren’t universally supported across all websites, devices, and platforms, leading to potential user confusion and a fragmented experience. Account recovery can also be complex if a device is lost, and vendor lock-in remains a concern in some implementations. This lack of complete ubiquity might hinder a smooth transition for some users.

Operating System & Ecosystem Giants (who are driving much of the adoption):

  • Google: Fully deployed for Google Accounts, allowing users to sign in to their Google accounts with passkeys on Android, ChromeOS, and desktop browsers. They also encourage third-party developers to adopt passkeys for “Sign in with Google.”
  • Apple: Deeply integrated into iOS, macOS, and iCloud Keychain. Users can create and use passkeys for Apple ID and many third-party apps/websites on their Apple devices.
  • Microsoft: Rolling out passkey support for Microsoft consumer accounts (Outlook, OneDrive, etc.) and also supporting passkeys for enterprise environments through Azure AD and Windows Hello.
  • Samsung: Galaxy smartphones support fast and convenient logins through biometric authentication and FIDO protocols, including passkeys.

Major Consumer & Enterprise Companies (deploying passkeys):

  • Amazon: One of the largest e-commerce platforms to adopt passkeys.
  • PayPal: A global leader in online payments, emphasizing security against phishing.
  • TikTok: Supporting passkeys for seamless login for millions of users.
  • Adobe: Allowing passkey sign-in for their various creative cloud services.
  • eBay: Another major e-commerce player to add passkey support.
  • LinkedIn: Offering passkey authentication for professional networking.
  • Walmart, Target, Best Buy, Instacart: Major retailers and e-commerce services are implementing passkeys to improve customer experience and security.
  • Coinbase, Binance, Stripe: Leading cryptocurrency and payment processing platforms, where strong security is paramount.
  • Discord, Roblox, Nintendo, PlayStation (Sony Account): Popular gaming and social platforms.
  • Uber, KAYAK: Travel and ride-sharing services.
  • Zoho Corporation: Rolled out passkeys to its 100+ million customers across its suite of business applications.
  • Aflac: One of the first major insurance companies in the U.S. to adopt passkeys, seeing significant benefits in adoption and customer experience.

Password Managers (who are crucial for cross-platform passkey management):

  • 1Password: A leader in supporting and evangelizing passkeys, offering robust passkey management features.
  • Dashlane: Another prominent password manager that has been at the forefront of integrated passkey support.
  • Bitwarden, Proton Pass, Keeper, NordPass, RoboForm, Samsung Pass: Many other password managers are also integrating or have integrated passkey support.

If your password manager supports two-factor authentication and cross-platform passkey management, you’re likely ready for passkeys. Even without them, if you avoid reusing passwords and have two-factor authentication enabled, your security is already robust. For most users, the best approach to adopting passkeys is to implement them one account at a time to evaluate the user experience.

Robert Siciliano CSP, CSI, CITRMS is a security expert and private investigator with 30+ years experience, #1 Best Selling Amazon author of 5 books, and the architect of the CSI Protection certification; a Cyber Social Identity and Personal Protection security awareness training program. He is a frequent speaker and media commentator, and CEO of Safr.Me and Head Trainer at ProtectNowLLC.com.

Unseen Eyes: Protecting Your Privacy from Hidden Cameras on Business or Personal travel in Hotels, Rentals and Airbnb

Hidden Cameras: Paranoia or Preparedness?

It’s not paranoia to be concerned about hidden cameras in your private accommodations, whether it’s your apartment, a rental, or a hotel room. Paranoia is a mental health condition and shouldn’t be confused with taking proactive steps to ensure your personal security.

The reality is that millions of tiny pinhole cameras are manufactured annually, and there are individuals who unfortunately abuse this technology for voyeuristic purposes. Studies indicate that over half of people are worried about hidden cameras, and a significant percentage of Airbnb guests—between 5% and 10%—have actually discovered them.

A local news channel requested my comments regarding a landlord north of me who was secretly recording one of his tenants. In less than a couple of weeks that video has generated over 100,000 views! Too bad it’s about an icky old man preying upon a young woman. Here it is:

The pervasive problem of hidden cameras in rental accommodations

In an age where smart technology is increasingly integrated into our living spaces, a disturbing trend has emerged: the surreptitious placement of hidden cameras in rental properties like Airbnbs, hotels, and even long-term apartment rentals. While the vast majority of hosts and landlords are trustworthy, a concerning number of incidents have revealed individuals exploiting readily available miniature cameras for voyeuristic or malicious purposes. These devices, often disguised as common household objects like smoke detectors, alarm clocks, USB chargers, or even power outlets, are designed to be inconspicuous, making their detection challenging for the unsuspecting guest or tenant.

The implications of such privacy breaches are profound. Guests may be recorded without their knowledge or consent in intimate settings such as bedrooms and bathrooms, leading to severe emotional distress, feelings of violation, and potential blackmail. Beyond the immediate psychological impact, the unauthorized capture of private moments raises serious legal and ethical questions regarding consent, data privacy, and the responsibilities of property owners. As the technology becomes smaller, cheaper, and more accessible, the risk of encountering these hidden devices continues to grow, necessitating proactive measures for personal protection.

Top Ten Tips for Mitigating Secret Hidden Cameras in Airbnbs, Hotels, and Apartment Rentals

Protecting your privacy in rental accommodations requires a combination of awareness, vigilance, and basic investigative techniques. Here are ten essential tips to help you detect and mitigate the risk of hidden cameras:

  1. Conduct a Thorough Visual Inspection:
      • Focus on common concealment points: Pay close attention to smoke detectors, alarm clocks, power outlets, USB chargers, tissue boxes, picture frames, lamps, air vents, and even decorative items.
      • Look for misplaced or unusual items: Anything that seems out of place or oddly positioned could be a red flag.
      • Check for tiny pinholes or lenses: Hidden cameras often have a very small lens that can be difficult to spot. Use a flashlight to help illuminate potential reflections.
  2. Scan for Infrared (IR) Lights: Many hidden cameras use IR for night vision. Turn off all the lights in the room, draw the curtains, and use your phone’s camera (or a dedicated IR detector) to scan for small, faint glowing lights that are invisible to the naked eye. Front-facing cameras on some smartphones may work better for this than rear-facing ones.
  3. Utilize a Flashlight and Phone Camera Lens Glare Test: In a darkened room, shine a bright flashlight around, especially at suspicious objects. While doing so, look through your phone’s camera. If you see a tiny, bright reflection, it could be a camera lens. Move your flashlight around to confirm the reflection follows a single point.
  4. Check Wi-Fi Networks for Suspicious Devices: Many modern hidden cameras are IP-based and connect to Wi-Fi. While you can’t see all connected devices, some network scanning apps (like Fing or Network Analyzer) can show you a list of devices connected to the local network and their IP addresses. Look for unfamiliar device names or types (e.g., “IP Camera,” “Unknown Device”). This requires you to be connected to the rental’s Wi-Fi.
  5. Listen for Faint Buzzing or Clicking Sounds: Some older or cheaper hidden cameras might emit a very faint buzzing or clicking sound, especially in a quiet room. Turn off all electronics and listen carefully.
  6. Inspect Electrical Outlets and USB Ports: Hidden cameras are frequently disguised as USB chargers or embedded within electrical outlets. Check if these devices are unusually bulky, have extra holes, or feel loose. Unplug any suspicious chargers or power banks that aren’t yours.
  7. Run a Privacy/Bug Sweeping App (with Caution): There are apps available that claim to detect hidden cameras or bugs by scanning for specific frequencies or patterns. While their effectiveness can vary, they might offer an additional layer of detection. Read reviews carefully before downloading and relying on them.
  8. Cover Suspicious Devices When Not in Use: If you find something suspicious but aren’t entirely sure it’s a camera, or if you can’t remove it, simply cover it with a towel, clothing, or tape. This will block its view if it is indeed a camera.
  9. Trust Your Gut Feeling: If something feels off or makes you uncomfortable, investigate further. Your intuition can be a powerful tool.
  10. Document and Report: If you discover a hidden camera, do not tamper with it or remove it without documentation. Take photos and videos of the device and its location. Immediately contact the platform (Airbnb, hotel management) and local law enforcement. Do not confront the host or landlord directly.

So, when staying under another roof, where you don’t have control, remember that awareness and these 10 tips are your best defense. Stay proactive, trust your instincts, and ensure your peace of mind. Your privacy matters, and with these strategies, you’re empowered to protect it against unseen intrusions.

See Helping Survivors, a proud partner of RAINN, dedicated to assisting individuals who have experienced sexual assault or abuse, including those impacted by security failures in short-term rentals.

Airbnb Security and Sexual Assault – helpingsurvivors.org/airbnb-sexual-assault/

Airbnb Hidden Cameras – helpingsurvivors.org/airbnb-sexual-assault/hidden-camera-lawsuit/ 
