The Security Rabbit Hole Has No Bottom (Premium)

You can add the term “go down a rabbit hole” to the list of those I use regularly and correctly without fully knowing their origin. So I looked it up, and in this case, my understanding that it originated with Lewis Carroll’s Alice’s Adventures in Wonderland was correct. In the opening lines of the first chapter of that book, the title character follows a White Rabbit into his “rabbit-hole,” as Carroll wrote it, falls for a fantastical amount of time down a very deep well, and lands in what Dictionary.com describes as “the strange, surreal, and nonsensical world of Wonderland.”

“A rabbit hole is a metaphor for something that transports someone into a wonderfully (or troublingly) surreal state or situation,” that site explains. “On the internet, a rabbit hole frequently refers to an extremely engrossing and time-consuming topic.”

Perfect.

My experience researching and experimenting with online account security over the past month and a half has felt very much like that, a time-consuming topic that often feels surreal. Like many of you, I’ve long understood the basics of account security. And like many of you, I hope, I was delighted to confirm that I had correctly and securely configured my most important online accounts, those related to identity, e-commerce, banking, and the like.

But like many of you, I’m positive, I also discovered many of my online accounts were out-of-date, with old and now incorrect verification methods, phone numbers, addresses, and other personal information. And in examining my accounts, I spent a bit of time getting them up-to-date. Which they will remain until one day when they are not.

And that’s just one of the issues with security, a complicated and frustrating topic that requires expertise and experience that I, frankly, did not have. Thanks to my efforts since mid-December, however, I’m getting there. And while I still worry about offering any of you misguided advice that, when implemented, might prove dangerous, I’m putting in the hours and getting a bit more confident.

These things take a while. I’ve been writing books about Windows for almost 30 years and ever since Microsoft shifted from local account to online account sign-ins with Windows 8, I’ve felt a growing need to more fully explain what we now call the Microsoft account (MSA), in particular. I took baby steps along the way with introductory chapters of various kinds in different books, but I’ve long felt this topic deserved a small book of its own, something free or extremely inexpensive that I could point readers at as needed.

This need came to a head in December. I had collected a list of new features in Windows 11 version 23H2 and ordered them roughly in order of importance so that I could update the Windows 11 Field Guide to address the many changes in this release. And then I started writing the updates. As I noted in an early January update about the book, the result so far has been over 100 pages of new content and three new chapters. Among them is a chapter I finally called Passkeys and Security Keys after several revisions.

This was the beginning of my most recent rabbit hole, where I worked backward from the new feature in 23H2 that inspired this work—a pretty basic passkey management interface in the Settings app—to understand how and why we got there. It quickly became obvious that I would need some foundational material about securing your MSA because that’s where it all starts. This meant I’d need more new content for the book than I had planned on; in the end, I added another new chapter, Secure Your Microsoft Account, of almost 4,000 words, all new, and almost 20 new pages for the PDF version of the book.

Of course, not everyone owns the book or is interested in paying for it. And so I distilled my learnings on that topic into Tip: Properly Secure Your Microsoft Account so anyone could accomplish this important task. And I had some fun with the history of the underlying technologies behind passkeys—which you may have forgotten was the original point of this rabbit hole in the first place—after my ADHD-addled brain made some fun connections between the ghost of Security Present, if you will, and the ghost of Microsoft Past. The result was The Secret Lives of Passkeys (Premium). Which is worth reading, if I do say so myself.

“The new passkey ‘management’ functionality in Windows 11 version 23H2 is pretty lame,” I wrote. “But it’s also just a side effect of the culmination of a 20+ year journey to bring passwordless to the masses.”

And with that, I published the Passkeys and Security Keys chapter I first envisioned in, what, September? And then a corresponding free post, Tip: Use Passkeys With Your Microsoft Account, for those who don’t own the book.

This work had two direct impacts. First, I confused the living hell out of a lot of you. And worse, I wasn’t done falling down my rabbit hole: I continued my examination of online account security by trying to figure out how or whether it was possible to use passkeys—again, the original point of this rabbit hole in the first place—to sign into password managers. And I further complicated matters by focusing largely on the password manager I use, the capable but complex Bitwarden.

This one broke my brain. I discovered that while all major password managers have pledged to support passkey sign-in, none have yet delivered on that promise, and most still require a master password, which seemed anachronistic to me in this age of more sophisticated authentication techniques. So when that fallen angel of password managers, LastPass, announced a change to its master password requirements, one that forces its customers to use longer master passwords, I lost it. And I turned an otherwise bland news story into my personal soapbox.

“That’s ridiculous,” I started.

“The Achilles Heel of all password managers is that they still rely on users having a master password to protect their personal data. Here we are in 2023, configuring as many accounts as possible to be passwordless with technologies like two-step verification and passkeys, and yet somehow the vaults that store our account passwords, credit card numbers, and other important data still use … a password? This makes no sense to me: Password managers should support and require the same two-step verification techniques that we use to protect our other online accounts, and they should give us the option to go completely passwordless by not even using a master password in the first place. Which is easily hacked no matter the length.”

At that time, I was hoping to publish something about password managers, but I was still struggling to understand why I couldn’t use Windows Hello to consistently authenticate myself and unlock Bitwarden when biometric authentication against this service was so seamless on mobile. So it was just bad timing. But after experimenting with a passkey-friendly beta version of 1Password, a password manager that is widely acclaimed for being much easier to use than Bitwarden, I ran into even more problems. And then I figured it out. Finally.

The problem wasn’t me or my lack of security expertise. The problem was—and still is—Bitwarden. And as I wrote in the resulting article, Passwordless Password Manager Problems (Premium), it was my friend and Windows Weekly cohost Richard Campbell who—not for the first time—provided the clarity I needed at exactly the right time. The problem, he said, was that Bitwarden, which he also uses, is made by people who are security experts, not user experience experts.

This snapped me out of an all-too-familiar funk that’s caused by one of my worst personal failings: I doubt myself too easily. And so, with Richard’s words burning in my brain, I tried for perhaps the 100th time to configure passwordless, Windows Hello-based authentication in the Bitwarden web browser extension. And it finally worked. Not every time: As I explain in that article, it usually fails several times before it works. The trick, I wrote, was to keep trying. Just repeat the steps again and again until it works.

To be clear, this is Bitwarden’s fault. And this has nothing to do with passkeys: Windows Hello authentication is passwordless, but in this context, it’s not directly related to passkeys, a technology Bitwarden has not yet implemented as a sign-in method for its own service.

That was over two weeks ago. Since then, I slowly configured Bitwarden for Windows Hello authentication consistently across multiple PCs, always failing repeatedly before it worked. (Mobile devices are another story: It’s easy to configure Bitwarden and other password managers for biometric authentication on mobile. I feel like this should work identically in Windows, but it doesn’t.) But other, related articles I’ve planned for web browser security and privacy, securely configuring Amazon, Apple, and Google accounts, and using passkeys with those accounts, have languished.

During this time, I also spoke with two security experts, both of whom confirmed my findings and shared the same frustrations. And I’ve been casually bringing up the account security topic with friends, most of whom are not particularly technical, mostly to ensure that they were properly protected, but also to get a feel for where the mainstream user base is with this stuff. It’s not great.

But here’s what really bothers me: I’ve been approaching this topic incorrectly the whole time. The whole damn time.

I can only blame myself: Yes, security is a complex topic. But it’s a solvable problem, and this is a topic that’s too important to screw up. Unfortunately, I was approaching this from the wrong direction the entire time, and that all dates back to my original list of new 23H2 topics for the book. I approached this with the assumption that passkeys are literally the future and that the correct and future-proof way to secure online accounts was passkeys.

This is incorrect.

The right way to secure online accounts is to make them passwordless when possible. This isn’t about a single technology, like passkeys, it’s something that can be and is implemented many different ways. Additional verification methods tied to another email address or your phone number are passwordless. Authenticator app prompts are passwordless. Security keys are passwordless. And, yes, passkeys are also passwordless. You will mix and match.

As one security expert told me, passkeys do have one major advantage over other passwordless authentication methods: They’re resistant to phishing attacks, which use our human nature against us and are thus more about social engineering than hacking. A passkey is bound to the site it was created for, so a lookalike domain can’t use it, no matter how convincing the page looks. But passkeys are also complex and implemented inconsistently across the computing platforms, apps, and online services that support them. Some get it right—GitHub’s implementation is particularly good, in my opinion—and some do not. OK, most do not.
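To show where that phishing resistance actually comes from, here is an added example that is not from the article or from any of the products it discusses. It simulates the two pieces of a WebAuthn sign-in assertion that a browser and authenticator produce (clientDataJSON and authenticatorData) and the checks a site performs on them. The relying party “example.com”, the lookalike domain, and the challenge values are all constructed for the example; the signature check over the resulting signed data is not shown because it requires the registered public key.

```python
import base64
import hashlib
import json
import secrets

# Constructed relying party for the example (not from the article).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_assertion(origin: str, challenge: bytes) -> dict:
    """Simulate what navigator.credentials.get() hands back to a page.

    The browser, not the page, writes the origin into clientDataJSON, and the
    authenticator hashes the RP ID the browser derived from that origin. A page
    served from a lookalike domain therefore cannot claim to be example.com.
    """
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    client_data_json = json.dumps(client_data, separators=(",", ":")).encode()
    rp_id = origin.split("://", 1)[1]          # effective domain used as RP ID here
    flags = bytes([0x05])                       # UP (bit 0) and UV (bit 2) set
    sign_count = (1).to_bytes(4, "big")
    authenticator_data = hashlib.sha256(rp_id.encode()).digest() + flags + sign_count
    return {"clientDataJSON": client_data_json, "authenticatorData": authenticator_data}


def verify_assertion(assertion: dict, expected_challenge: bytes,
                     rp_id: str = RP_ID, expected_origin: str = EXPECTED_ORIGIN):
    """Relying-party checks on a sign-in assertion. Returns (ok, reason, signed_data)."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type", None
    # The origin check is the anti-phishing check: a relayed assertion from a
    # lookalike site carries that site's origin, not ours.
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: {client_data.get('origin')!r}", None
    # The challenge ties the assertion to this login attempt and defeats replay.
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay?)", None
    auth_data = assertion["authenticatorData"]
    # rpIdHash is the authenticator's own statement of which RP ID it signed for.
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch", None
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set", None
    # The credential's signature (verification not shown) covers exactly these
    # bytes, which is what binds the origin and challenge to the key.
    signed_data = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    return True, "ok", signed_data


if __name__ == "__main__":
    challenge = secrets.token_bytes(32)
    genuine = make_assertion("https://example.com", challenge)
    print("genuine:", verify_assertion(genuine, challenge)[:2])
    # Constructed lookalike domain relaying the real challenge to the victim.
    phish = make_assertion("https://example-com.login-verify.net", challenge)
    print("phish:  ", verify_assertion(phish, challenge)[:2])
```

Note the order of the checks: the lookalike is rejected on the origin before the signature is ever looked at, which is why a perfect visual clone of a login page gains the attacker nothing.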

In an ideal world, we would have consistent passkey experiences across all of the platforms, apps, and services we use. But that world does not exist and probably never will. So in the meantime, we need to deal with the messy reality that does exist. And that means doing what we can do to secure our online accounts, with the understanding that what we can do will vary from account to account. Some experiences will be better than others.

As I got comfortable with this more nuanced view, I started to think about an “online account security checklist,” a pithy way to describe the steps we’ll take, and the options we’ll see, as we examine our accounts and shore up their defenses as needed. I wanted this checklist to be both accurate and understandable, even to mainstream readers, and something that would enable a dream configuration that is both secure and convenient, based on the features and functionality any given account provided.

And that may be impossible. Security, alas, is a complex topic. But I do have some key takeaways.

  • Online account security is difficult, but too important to ignore
  • You have to balance security with convenience or you’ll never be successful: Authenticator apps, passkeys, and security keys are too complex for most people
  • The goal is to enable passwordless authentication with as many online accounts as possible: Any form of passwordless is better than usernames/passwords

Beyond that, I have some additional opinions that I’m still working through.

  • Two-step verification (or multi-factor authentication) methods offer the “best” form of passwordless in the sense that they balance security and convenience. And for most people, that means becoming comfortable using an authenticator app on your phone, with as many of your accounts as support it
  • You should configure a limited set of alternate sign-in and verification methods for every account that supports this, and each should be a method (phone number, email address, etc.) that you control; phone numbers and accounts controlled by a workplace can be taken away at any time and could prevent you from accessing or recovering an account
  • Use a single password manager and configure all of your desktop web browsers and mobile devices to use only that password manager for auto-fill. Any password manager is better than no password manager or multiple password managers
  • Because removing the data from previous password managers is likely impossible, you should leverage the password manager you do use to help you change the passwords for all of your active accounts, ideally using complex strings of characters you cannot and will never remember; your password manager will handle that. I know, no one wants to do this
  • The good news? You only have to do this work once, but you will need to occasionally review the security and configuration of your online accounts as addresses, phone numbers, and other personal data changes. Your password manager will automate your ongoing protection, so you only need to perform this review once or twice per year at most

There’s so much more to discuss. But here’s one last story.

Something happened just today, and this was the impetus to finally finish and publish this article that I started writing 10 days ago: I reset a PC because I want to bring it to Mexico City on our upcoming trip, and after it came back up, I went through the process I outlined last year in Roll Your Own Windows Time Machine (Premium), where among other things, I use a winget script to automate the installation of the set of apps I use on every PC. What I can’t automate is the configuration of those apps. And so I spent about 30 minutes signing into and configuring each of them, as always.

When I got to Bitwarden, which requires a desktop app install in addition to the browser extension to use Windows Hello authentication, I again encountered the issue I documented in Passwordless Password Manager Problems (Premium), where it would fail again and again before finally working. Except that this time, it never worked. Getting more and more frustrated as the minutes ticked by and I wasn’t getting any work done, I finally had enough. And I finally did what I probably should have done weeks ago: I switched to a different password manager, Dashlane, because it now supports passwordless accounts that don’t even have a master password.

I’m not endorsing Dashlane, not yet anyway. But it works. It worked immediately, logically, and without drama. It worked the way I expected it to, on both mobile and the PC. And whether it keeps working or not, I’ll write more about that soon.

Because it never ends.
