Your phone, computer and tablet is now at risk, as the nightmare of AI-powered attacks comes true. There are now multiple warnings into the use of mainstream AI platforms to design, develop and even execute attacks that are almost impossible to detect.
To add to recent reports from Symantec and Cofense, Guardio also now warns that “with the rise of Generative AI, even total beginners can now launch sophisticated phishing scams — no coding skills needed. Just a few prompts and a few minutes.”
And Microsoft has just told users the same. “AI has started to lower the technical bar for fraud and cybercrime actors looking for their own productivity tools, making it easier and cheaper to generate believable content for cyberattacks at an increasingly rapid rate… AI-powered fraud attacks are happening globally.”
Little surprise that new security measures are required — kind of. In reality, we already have most of what we need, the problem is most of us are still not updating our accounts. That needs to change and change now. And Microsoft is leading the way.
Microsoft says “the password era is ending. Bad actors know it, which is why they’re desperately accelerating password-related attacks while they still can.” The company blocks “7,000 attacks on passwords per second—almost double from a year ago,” but “fortunately, we’ve never had a better solution to these pervasive attacks: passkeys.”
Passkeys replace password and two-factor authentication (2FA) codes with account authentication linked to the security of your hardware device or devices. If an attacker doesn’t have your phone, tablet or computer, they can’t login. There’s no way to steal, bypass, copy or leak a passkey. And with device security now much better hardened, this has become a simple, easy-to-use equivalent of a physical security key.
Passkeys won’t stop an AI attack tricking you into clicking a malicious link. As Microsoft says, AI can “help cyber attackers build detailed profiles [and] highly convincing social engineering lures” that are designed specifically to fool you. But the credential stealing website will ask for a username and password, maybe even a 2FA code, to enable an attacker to log in to your account on their device. It won’t be able to steal your device-linked passkey. That’s why Google’s new AI attack warning suggests this same solution.
But while Google also says it is keeping passwords in place as a backup option, Microsoft warns this is a bad idea. “If a user has both a passkey and a password, and both grant access to an account, the account is still at risk for phishing.” The company is on a mission to phase out — delete — passwords from accounts, and wants to do that for more than a billion users as soon as it can.
“Our ultimate goal,” Microsoft says, “is to remove passwords completely and have accounts that only support phishing-resistant credentials… millions of users have deleted their passwords and protected themselves against password-based attacks.” Now it is running a campaign to convince the rest to do the same.
I would like to see this same simplicity of messaging from Google and others, to make password deletion a focus rather than just passkey adoption. But we start with adding passkeys to all our accounts, which is the biggest step almost all of us can take.
To set up a personal Microsoft passkey:
- “Sign in to your Microsoft account Advanced Security Options.
- Choose Add a new way to sign in or verify.
- Select Face, fingerprint, PIN, or security key.
- Follow the instructions on your device.”
If it’s a school or work account, it’s slightly different:
- “Sign in to your own Security Info
- Choose Add sign-in method.
- Select Passkey or Passkey in Microsoft Authenticator.
- Follow the instructions on your device.”
And then to use your passkey to sign in:
- “Choose Sign-in Options or Other Ways to Sign In.
- Choose Face, Fingerprint, PIN, or security key.
- Select your passkey from the list available.
- Your device will open a security window where you can use your face, fingerprint, PIN, or security key.”
All major platforms and services now offer passkey security. Set it up for each account as soon as you can. And while passwords likely remain in place, change your passwords at the same time and ensure each is unique and ideally suggested by a mainstream password manager. Also add the most secure form of 2FA you can. Then do not use your password to log in unless your passkey does not work. And if doing so, ensure you’re absolutely certain this is a legitimate sign-in page — certainly not a clicked link.
Andrew Shikiar, CEO of the FIDO Alliance driving passkey adoption, told me this is an exciting milestone as Microsoft takes passwords out of play for over a billion user accounts, who can now instead leverage user-friendly, phishing-resistant passkeys.”