Protect Identity

Protect Your Identity with the Right Credentials!

Learn how passwords, passcodes, passkeys, and biometrics each play a role in keeping your accounts secure. Each method helps verify that you are the one accessing your accounts, devices, or data. However, they work differently, and some are stronger than others. Use this guide to better understand your authentication options and how to use them safely.

Passwords

What Are They?

A password is a secret string of characters you type to log into websites, email, apps, or systems.

Best practices:

  • Use long, complex passphrases (e.g. GreenCandleRiver93!), which include letters, numbers and symbols, ideally 12* or more characters.
  • Avoid common words, names, or patterns like Password123.
  • Never reuse passwords across services.
  • Store passwords in a password manager like 1Password (available to eligible Harvard community members).
  • Enable multi-factor authentication (preferably biometrics or passkeys) on all sensitive systems (email, financial, social media, etc.).

*Longer passwords are much harder for hackers to guess. Using a passphrase with eighteen or more characters can significantly improve your security.


University Password Standard:

Keep your passwords private and don't share them with anyone. Support services will never ask you for your password by phone or by email.

Password Managers

What Are They?

The strongest passwords are created by password managers, software that generates and keeps track of complex and unique passwords for all of your accounts. All you have to remember is the password to the password manager. When choosing a password manager, choose one that supports multi-factor authentication.

Using the same password for all your accounts is very risky.

If your account for any service is compromised, all of your accounts are put at risk. Use a unique password for every account.

All active faculty, staff, and students are eligible for a 1Password account.

If you need to share business accounts within your team, learn how to create new vaults to organize your team's information and give team members access to the items they need.

Using Passkeys and Biometrics

Passkeys

What Are They?

A passkey is a modern, passwordless way to sign in securely using cryptographic keys stored on your device. Passkeys often work in combination with biometrics or a device unlock method.

Why They Are Better:

  • Phishing-resistant: Your passkey only works on the site it was created for, so a lookalike site cannot trick you into giving it up.
  • Easier to use: Just use your face, fingerprint, or device PIN.
  • Safer by design: Each passkey is unique to the service and your device.

Best Practices:

  • Enable biometric authentication to unlock your passkey securely.
  • Use a cloud backup (like iCloud Keychain, 1Password, or Google Password Manager) so you do not lose access if you change devices.
  • Do not share devices with others if they're storing your passkeys.


Note: Passkeys offer strong, phishing-resistant authentication. When combined with a device PIN or biometric verification, they also provide multi-factor protection even without a traditional password.

Biometrics

What Are They?

Biometrics use physical characteristics like your fingerprint or facial features to verify your identity.

Common Uses:

  • Unlocking phones and laptops
  • Approving passkey-based logins
  • Verifying identity for apps or payments

Best Practices:

  • Always enable biometrics on devices that support them.
  • Keep your device updated with the latest software and security patches.
  • Make sure you also have a secure backup method (like a strong passcode or password) in case biometric recognition fails.

Privacy Note: Biometric data is stored locally on your device; it is not uploaded to or shared with service providers.

Using Passcodes & PINs

Passcodes and PINs

What Are They?

A passcode or "PIN" is typically a short numeric or alphanumeric code used to unlock a phone, laptop, or secure app.

Why PINs Are Safer:

  • Device-bound: Your PIN only works on your physical hardware, never over the web.
  • Phishing-resistant: It cannot be intercepted, leaked, or reused by a remote hacker.
  • Hardware-locked: It unlocks a secure chip that never leaves your specific device.

Why Guessing Is Impractical:

  • Strict lockouts: Devices automatically block access after a few failed attempts.
  • Anti-hammering: Built-in hardware delays prevent automated "brute force" guessing.
  • Data encryption: Without the PIN, the information on the device remains unreadable.

Best Practices:

  • Lengthen your code: Use 6 digits and avoid simple patterns like "123456."
  • Pair with biometrics: Use Face ID or fingerprints for daily speed and the PIN as a secure backup.
  • Keep it private: Never share your device PIN or store it in plain sight.

Use Multi-Factor Authentication (MFA) Whenever Possible

No matter what type of credentials you use, adding MFA (something you know + something you have or are) is one of the most effective ways to prevent unauthorized access.

Examples of MFA:

  • Passkey + Face ID (strongest)
  • Password + app-based push notification
  • Password + code sent to your phone (weakest)

In most cases, HarvardKey logins require MFA by default. Use Okta FastPass to manage your second factor securely and conveniently.