Passkeys, password managers, and two factor authentication: Tips for keeping your nonprofit secure
On June 9, 2022, at the 2022 Apple Worldwide Developers Conference (WWDC22), Apple announced its plans for iOS16. One major feature is Passkey, which will allow users to get away from passwords and utilize a more secure way to lock down their accounts.
Here’s how to take advantage of passkeys and other offerings to keep your nonprofit secure.
Thou shall not pass…word
Since the beginning of the internet passwords have been king. Every time you create a new account you are forced to create a new username and password combination. With an average user having upward of 50 accounts, it’s important to make sure that each account has a unique and complex password. This is a big ask—one that has proven to be a challenge for many users. A report from NordPass shows that the most commonly used password was “123456” and could be cracked in less than a second. It doesn’t help that many are using the same password for multiple accounts, making access even easier. Thankfully, Passkey, password managers, and two-factor authentication (2FA) can help combat that.
What is Passkey?
In June Apple announced it was going to add a feature called Passkey, which will allow users to sign in directly from their device using their fingerprint, face, or PIN. This means that the user signs in strictly from the device, not with help from tools like a text message. This major process shift wasn’t just an Apple brainchild, however. In a 2022 press release by Apple, the company talks about how it will be joining Google and Microsoft to help push support for the passwordless sign-ins that are being created by the FIDO Alliance and the World Wide Web Consortium. This is the first step to making the entire internet capable of having a “passkey” based system.
How does this impact your nonprofit? The short answer is it doesn’t quite yet. Apple is planning a September release for iOS16, which we will be sure to test to let you know how to use it. Until then, make sure to keep current accounts secure by using password managers and 2FA.
Complexity is key
Anyone knows that it’s proven difficult to have complex passwords that are easy to remember. This is where a password manager comes in handy. A password manager is essentially an encrypted version of your “password book” where you can store, create, and change your passwords. You can take all those accounts you have and move them to your vault, and a password manager will suggest a much more complex password for you. Now, you’re only tasked with remembering one strong password instead of using the same password for everything in order to make your life a little easier.
There are many password managers out there to choose from— LastPass and 1Password are favorites of mine. Both of these companies have options for personal and business accounts that allow for shared vaults and a more secure way to share passwords. As a nonprofit dealing with remote work, volunteers, and other needs, it’s important to keep track of who has access to your passwords—having a password manager doesn’t stop you from getting a password through data leaks, negligence, or other factors, but it does help ensure that when a hacker has access to one password they can’t use it for other accounts.
Two is always better than one
You have your password manager and a complex password for all your accounts, so you’re feeling way more secure (and you are). Then you get an email saying that there was a sign-in to your account and it wasn’t you. A person gets your password and now they feel like they have access to your account, but there is one more roadblock you can put in their way: 2 factor authentication (2FA). 2FA helps keep your site secure by making you prove your “identity” even after you use the correct password. There are three forms of 2FA, and while any 2FA method helps you stay secure, some will help more than others.
- Short Message Service (SMS)—Least Secure—With this method, you add a phone number to your account, and when you have entered a successful username and password, you will be sent a text message with a code. Users enter the code on the screen where prompted to be granted access.
- Authenticator App—Moderately Secure—With this method you’ll need to download an authenticator app on your mobile device or within your password manager. There are a few options for this but a few are Google Authenticator, Authy, LastPass Authenticator, or 1Password. Once you have your authenticator, your specific account will give you a token that attaches your account to your authenticator. Once you add the token to your app you will see a one-time code appear. You copy the code each time you log in and use it when prompted. These codes stay on your device locally which adds an additional level of security.
- Security Keys—Most Secure—With this method, you actually have a physical object that you use to confirm your identity. They come in many different shapes and sizes, but generally, they are USBs with some of them using Near Field Communication (NFC) for wireless use. These keys are most secure because the person who logs into the account must have this on your person. One of the most common security keys is a YubiKey. Once you successfully log in to your account you will be prompted to insert your security key into a USB or near the device for NFC and that will act as your 2FA.
Be continually cautious
Even if you take advantage of every security method out there, there’s one more factor to take into consideration: human error. No matter how much you lock down your accounts, hackers and bad actors will also target a person. Always be careful when you get a questionable email saying your account has been reset. Be sure to go to the account directly and check for any unwanted activity. If you are prompted to sign in to something from an email link, always double-check the link and the sender. We as individuals and organizations owe it to ourselves, our clients, and our donors to ensure that we are being as safe as possible.
Looking for more on keeping your nonprofit’s data secure? Let’s get started.