Google is rolling out passkeys (eventually) to kill passwords

Google has announced what it calls the “beginning of the end” for passwords and rolled out a new security mechanism that it says will eventually replace passwords in the coming years: the passkey. “We’ve taken a giant step forward in our journey towards a password-free future,” Google said in a blog post published Wednesday. “We’ve started rolling out support for passkeys across Google accounts on all major platforms. This means users can now take advantage of passkeys across Google services for a password-free sign-in experience.”

This is obviously a big change, and while Google says you’ll still be able to use passwords with its accounts for the foreseeable future, the passkeys themselves may take some getting used to. If you’d like to start setting up passkeys for your account, head over to the Google Blog for directions. But if you want to know more about how passkeys work, read below for more details.

What is a passkey?

A passkey is a unique cryptographic key tied to your device that unlocks your account when combined with a personal identifier. This key can also be shared with other devices via the cloud. The process is designed to be really simple: you’ll be able to sign in with a passkey using your face, fingerprint, or PIN. It works much like using one of these identifiers to unlock your phone.

How long have passkeys been in development?

Suffice it to say that they have been in development for quite some time. The passkey initiative was initially announced a year ago, when Google, Apple and Microsoft teamed up with the FIDO Alliance, an industry group pushing for alternative authentication methods, to develop the new tool. This is, of course, a big change for web security. Passwords have been an integral part of authentication since before the internet was invented, but they have also historically suffered from regrettable shortcomings that leave users easily exposed to hacking and account takeovers. For many years, Big Tech has talked about killing the password and replacing it with a more secure and convenient security mechanism. Now, it looks like Google is finally getting the ball rolling.

How do they really work?

Technically, passkeys use a combination of asymmetric cryptography and biometric identifiers to ensure that the device that logs into your account belongs to you. Google will generate a private key on your device that is associated with a separate public key held by Google. To unlock the account, the passkey must also interact with a unique personal identifier that cannot be duplicated. For this, Google says you’ll be able to use a face scan, fingerprint, or your device’s local PIN. Once that identifier has unlocked the private key, the private key produces a unique digital signature that is checked against the public key in Google’s possession, and a valid signature unlocks your account. This means that someone will need to have your device if they want to access your account. Google writes:

Unlike passwords, passkeys can only exist on your devices. They cannot be written down or given by mistake to a bad actor. When you use a passkey to sign in to your Google account, it proves to Google that you have access to your device and are able to unlock it.

What if I don’t want Google to have a copy of my fingerprint?

If you’re concerned about the potential privacy risks of handing over your face or fingerprint to Google, there’s good news: both identifiers, as well as your PIN, are stored locally on your device, which means Google won’t have access to them. Google promises that biometric data is “never shared with Google or any third party – screen lock only unlocks the passkey locally”. Again, this means that anyone who doesn’t have access to your device shouldn’t be able to sign in as you, according to Google.

How are passkeys constructed?

Google says it has worked with the FIDO Alliance, as well as with Apple and Microsoft, to make sure passkeys work across platforms and devices. The company says it’s “built on protocols and standards that Google helped create in the FIDO Alliance and W3C WebAuthn working group,” which means that “passkey support works across all platforms and browsers that adopt these standards. You can store passkeys for your Google account at any compatible device or service.”

Why passkeys should be better than passwords

Passkeys have a number of security features over and above password protection, but one of the most useful is that they will make phishing of your accounts impossible. As mentioned earlier, passkeys exist only on your devices, so the only way an attacker can access your account is if they have access to (and can unlock) one of your devices. Likewise, brute-force attacks will become obsolete, since there won’t be passwords around to be guessed.
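The sign-in exchange described under "How do they really work?" and the phishing resistance claimed above can be seen in a simplified WebAuthn-style assertion, written here for Node.js with the device and server sides in one file. This is an added example, not code from Google or from the original article; the domains, function names and trimmed-down message layout are constructed for illustration.

```javascript
const nodeCrypto = require("node:crypto");

const sha256 = (data) => nodeCrypto.createHash("sha256").update(data).digest();

// Registration: the device creates the key pair; only publicKey is sent to the server.
const createPasskey = () =>
  nodeCrypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" }); // P-256

// Device + browser side. The browser, not the page, writes `origin` and derives the RP ID.
function signAssertion(privateKey, { origin, challenge, userVerified }) {
  const rpId = new URL(origin).hostname;
  const flags = 0x01 | (userVerified ? 0x04 : 0); // user present, plus verified by screen lock
  const authData = Buffer.concat([sha256(rpId), Buffer.from([flags, 0, 0, 0, 1])]);
  const clientDataJSON = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }));
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { authData, clientDataJSON, signature: nodeCrypto.sign("sha256", signed, privateKey) };
}

// Server side: holds only the public key and the challenge it issued for this login.
function verifyAssertion(publicKey, expected, { authData, clientDataJSON, signature }) {
  const client = JSON.parse(clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong ceremony type";
  if (client.challenge !== expected.challenge) return "challenge mismatch";
  if (client.origin !== expected.origin) return "origin mismatch";
  if (!authData.subarray(0, 32).equals(sha256(expected.rpId))) return "rpIdHash mismatch";
  if ((authData[32] & 0x04) === 0) return "user not verified";
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return nodeCrypto.verify("sha256", signed, publicKey, signature) ? "ok" : "bad signature";
}

// Runs four sign-ins against one registered passkey and returns the server's verdicts.
function demo() {
  const { publicKey, privateKey } = createPasskey();
  const expected = {
    rpId: "accounts.example.com", // constructed relying party
    origin: "https://accounts.example.com",
    challenge: nodeCrypto.randomBytes(32).toString("base64url"),
  };
  const run = (origin, userVerified, challenge = expected.challenge) =>
    verifyAssertion(publicKey, expected, signAssertion(privateKey, { origin, challenge, userVerified }));
  return {
    genuine: run(expected.origin, true),
    lookalikeSite: run("https://accounts.example.net", true), // constructed look-alike origin
    screenLockSkipped: run(expected.origin, false),
    replayedChallenge: run(expected.origin, true, "challenge-from-an-earlier-login"),
  };
}

console.log(demo());
```

In a real browser the look-alike page would not reach the signing step at all, because a passkey is scoped to its RP ID and is not offered on other domains; the server-side origin check is a second layer.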

There are other obvious benefits to this security model. For one thing, recent corporate data breaches have taught us that weak password security is an obvious route to hacking. With passkeys, there will be no more “Password123” as a password. Also, since passkeys are unique to accounts and cannot be reused, users won’t end up using the same password for twenty accounts, a habit that opens them up to multiple account takeovers. The passkey will take over the bulk of the account authentication responsibility from the user, where it currently resides.

However, passwords won’t be erased overnight, and there are sure to be some security complexities even with this new and improved login process. While Google describes its latest move as “the beginning of the end for passwords,” it also notes that passwords will continue to be available as a security mechanism for Google accounts for the foreseeable future.
