Warning: Thanks to AI you must use "phishing-resistant" passkeys to replace vulnerable passwords
GenAI can help attackers create phishing websites that look more legitimate than ever before.

Google and Microsoft have been warning users to stop using passwords to protect their accounts and use passkeys instead. What's a passkey, you ask? It is a digital credential that allows you entry into an app or website without typing in a username and password. Instead, you use the same methods that you employ to unlock your device. For example, with a passkey you might use:
- Biometrics: Fingerprint or facial recognition. Examples include Face ID, Touch ID, Android Fingerprint/Face Unlock, and Windows Hello.
- PIN/Pattern: This would use the same method you use to unlock your phone with a PIN code or a pattern.
Since no username or password is employed, the attackers can't use a stolen password to gain entry into your account. For example, if you're using a passkey, there are no two-factor authentication codes that can be stolen. It's phishing resistant, says one online publication that writes often about online attacks and how best to protect yourself. With new tools popping up for the attackers every day, you best believe that security remains important.
Leading American identity and access management (IAM) company Okta says that it has seen threat actors use v0, an AI tool, to develop phishing sites that impersonate legitimate sign-in web pages. Okta says that threat actors are now able to use AI to create a "functional phishing site" from a simple text prompt. "Vercel’s v0.dev is an AI-powered tool that allows users to create web interfaces using natural language prompts. Okta has observed this technology being used to build replicas of the legitimate sign-in pages of multiple brands, including an Okta customer."
"The observed activity confirms that today’s threat actors are actively experimenting with and weaponizing leading GenAI tools to streamline and enhance their phishing capabilities. The use of a platform like Vercel's v0.dev allows emerging threat actors to rapidly produce high-quality, deceptive phishing pages, increasing the speed and scale of their operations."
-Okta
Okta Threat Intelligence watched in real time as threat actors used the Vercel platform to host multiple phishing sites that pretended to be legitimate websites for well-known brands such as Microsoft 365 and some cryptocurrency firms. Using AI to create these bogus websites means that the old red flags, such as spelling and grammatical mistakes, can no longer be used to warn you of a phishing attack.
Even two-factor authentication (2FA) can't be counted on to protect you. The best defense is to add passkeys to any account where it is an option and, if possible, eliminate the use of passwords for those accounts that allow you to do so. If you must use a password on an account, make it unique, long, and back it up with non-SMS 2FA.
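Why a pixel-perfect copy of a sign-in page still fails against a passkey, shown as an added example that is not from the article or from Okta: the browser records the page's real origin in the sign-in response, and the authenticator records a hash of the site ID the passkey belongs to, so the real site can reject anything produced on another domain. The domain names, the helper names and the sample data are assumptions made for illustration, and the signature check that makes these fields tamper-proof in real WebAuthn is left out.

```python
import base64, hashlib, json

RP_ID = "login.example.com"                    # assumed relying party ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumed sign-in origin

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sample_assertion(origin, rp_id, challenge, flags=0x05):
    """Constructed sample of the fields a browser and authenticator produce."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    # authenticatorData layout: rpIdHash (32 bytes) + flags (1) + signCount (4)
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + (7).to_bytes(4, "big"))
    return client_data, auth_data

def check_binding(client_data, auth_data, issued_challenge):
    """Return 'ok' or the reason the real site rejects the sign-in."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if data.get("challenge") != b64url(issued_challenge):
        return "challenge mismatch"       # response was not made for this login
    if data.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"          # page the user saw was not ours
    if len(auth_data) < 37:
        return "authenticator data too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"        # passkey belongs to another site ID
    if not auth_data[32] & 0x01:
        return "user not present"         # UP flag must be set
    return "ok"

if __name__ == "__main__":
    challenge = bytes(range(16))          # constructed; real ones are random
    lookalike = "https://login-example.test"   # constructed look-alike origin
    cases = {"real site": sample_assertion(EXPECTED_ORIGIN, RP_ID, challenge),
             "look-alike page": sample_assertion(lookalike, RP_ID, challenge),
             "other site's passkey": sample_assertion(EXPECTED_ORIGIN,
                                                      "login-example.test",
                                                      challenge)}
    for name, (cd, ad) in cases.items():
        print(f"{name}: {check_binding(cd, ad, challenge)}")
```

A one-time code typed into a copied page carries no such origin information, which is why it can be passed along while a passkey response cannot.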