Google has announced what it calls the “beginning of the end” for passwords, rolling out a new security mechanism that it says will ultimately come to replace passwords in the years to come: the passkey. “We’ve taken a giant step forward on the journey towards a passwordless future,” Google said in a blog post published Wednesday. “We’ve begun rolling out support for passkeys across Google Accounts on all major platforms. This means users can now take advantage of passkeys across Google Services for a passwordless sign-in experience.”
This is obviously a huge change and, while Google says you’ll still be able to use passwords with its accounts for the foreseeable future, passkeys themselves may take some getting used to. If you want to start setting up passkeys for your account, head to Google’s blog for instructions. But if you want to know more about how passkeys work, read on below for more details.
What is a Passkey?
A passkey is a cryptographic key pair created on your device for one specific account: the private half stays on the device and is what proves it is you signing in, while the public half is registered with the service. Depending on the platform, the private key can also be synced to your other devices through your cloud account. The process has been designed to be really, really simple: you unlock the passkey with your face, a fingerprint, or a PIN, much like unlocking your phone.
How Long Have Passkeys Been in Development?
Suffice it to say that they’ve been in development for quite some time. The passkey initiative was initially announced a year ago, when Google, Apple, and Microsoft teamed up with the FIDO Alliance, an industry group that pushes for alternative authentication methods, to develop the new tool. This is, of course, a big change for web security. Passwords have been integral to authentication since before the internet was invented but they’ve also historically suffered from regrettable deficiencies—ones that can easily open up users to hacking and account compromise. For many years, Big Tech has talked about killing the password and replacing it with a more secure, convenient security mechanism. Now, Google seems to be finally getting the ball rolling.
How Do They Really Work?
In technical terms, passkeys combine public-key cryptography with your device’s screen lock to prove that the device signing in is one you enrolled. When you create a passkey, your device generates a key pair: the private key is stored on the device and never sent to Google, while the matching public key is sent to Google and stored with your account. To sign in, Google sends your device a one-time random challenge. The device will only use the private key after you unlock it with the screen lock, whether a face scan, a fingerprint, or a PIN, all of which stay local to the device. The private key then signs the challenge, and Google checks that signature with the public key it holds. Because every challenge is different, a captured signature can’t be replayed, and because the signature is bound to the site that requested it, a look-alike phishing site can’t obtain one that Google would accept. This means that a person would need to be in possession of your device, and able to unlock it, if they wanted to access your account. Google writes:
Unlike passwords, passkeys can only exist on your devices. They cannot be written down or accidentally given to a bad actor. When you use a passkey to sign in to your Google Account, it proves to Google that you have access to your device and are able to unlock it.
What if I don’t want Google to have a copy of my fingerprint?
If you’re worried about the potential privacy hazard of surrendering your face or fingerprint to Google, good news: both of those identifiers, and the PIN, are stored locally on your device, meaning that Google won’t have access to them. Google promises that biometric data “is never shared with Google or any other third party - the screen lock only unlocks the passkey locally.” Again, this means that anyone without access to your device shouldn’t be able to log in as you, according to Google.
How were passkeys built?
Google says that it worked together with the FIDO Alliance, as well as with Apple and Microsoft, to make sure that passkeys work across platforms and devices. They were “built on the protocols and standards Google helped create in the FIDO Alliance and W3C WebAuthn working group,” the company says, meaning that “passkey support works across all platforms and browsers that adopt these standards. You can store the passkeys for your Google Account on any compatible device or service.”
Why Passkeys Should Be Better Than Passwords
Passkeys have a number of security benefits that outstrip the protections of passwords, but one of the most important is that they make phishing next to impossible. A passkey is bound to the site it was created for, and your browser will only use it on that site, so a look-alike domain can’t trick you into handing over a credential that works on the real one; there is no secret to type in the first place. As previously stated, passkeys should make it so the only way an attacker can access your account is if they have access to (and can unlock) one of your devices. Similarly, brute-force guessing and credential stuffing become irrelevant, since there is no password to guess or to leak from some other breached site.
There are other obvious benefits to this security model. For one thing, recent corporate data breaches have shown that weak passwords are an obvious route to getting hacked. With passkeys, there will be no more “Password123” as a password. Also, since each passkey is generated for a single account and can’t be reused elsewhere, users won’t need to use the same password for twenty accounts, a habit that lets one breach turn into a multitude of account takeovers. The passkey takes most of the responsibility for account authentication off the user, where it currently resides.
That said, passwords won’t be wiped out overnight and there are sure to be some security complications even with this new and improved login process. While Google has called its recent move the “beginning of the end for passwords,” it also notes that passwords will continue to be available as a security mechanism for Google Accounts for the foreseeable future. As long as that fallback exists, an account is only as hard to phish as its weakest remaining sign-in or recovery path, so the full benefit arrives only once the password can actually be removed.