Google has made passkeys the default option for users to access accounts, but will still allow people to continue using passwords for logging into accounts.
Unlike passwords, “passkeys let users sign in to apps and sites the same way they unlock their devices: with a fingerprint, a face scan, or a screen lock PIN. And, unlike passwords, passkeys are resistant to online attacks like phishing, making them more secure than things like SMS one-time codes,” according to Google. Passkeys were introduced by Google as a way to sign in to apps and websites in May. On Oct. 10, the tech giant announced that it has made passkeys the default sign-in option across Google accounts.
However, this doesn’t mean that Google is getting rid of passwords. The company admits that “new technologies take time to catch on” due to which “passwords may be around for a little while.”
As such, “people will still be given the option to use a password to sign in and may opt-out of passkeys by turning off ‘Skip password when possible.’”
The company claims passkeys are “40 percent faster than passwords—and rely on a type of cryptography that makes them more secure.”
“One of the most immediate benefits of passkeys is that they spare people the headache of remembering all those numbers and special characters in passwords,” the tech firm stated.
Once a passkey is created and registered, a user can seamlessly switch to a new device and immediately use it without having to re-enroll, according to Google. This is unlike traditional biometric authentication which requires it to be set up in each device.
So, a passkey created on a phone can be used while using laptops as long as the phone is near the laptop and the user approves the sign-in on the mobile.
For instance, a user may have visited a website, example.com, on their Android phone and created a passkey. If the user wishes to access example.com on their laptop, they can place the phone near the laptop and wait for the two devices to connect.
The user will then be prompted to approve the use of their passkey stored on the Android device. Once approved, they will be automatically signed into example.com on the laptop.
At this moment, a new passkey will be created on the laptop. So, the next time the user wants to log in to example.com on the laptop, the Android phone will not be required.
In addition to Google, a number of services are already using passkeys, including DocuSign, Shopify, PayPal, Yahoo! Japan, YouTube, eBay, Uber, and WhatsApp.
Boosted Security, Adoption Challenges
Passwords have long been susceptible to hacking and malware attacks. Even though technologies like password managers and multi-factor authentication add an extra layer of security, they still remain vulnerable.For instance, the text authentication code sent during multi-factor authentication could be intercepted by hackers. Meanwhile, password managers can also be breached.
Passkeys seek to resolve such security vulnerabilities. Passkeys are made of two parts. While one part is left on the servers of websites and apps that users use, the second is stored on the individual’s device, which acts as an authentication measure.
As passkeys are encrypted end-to-end, even companies creating the passkeys cannot see or alter them. Hackers would find it difficult to access accounts using passkeys.
Even if they succeed in breaching networks, hackers can only steal one part of the passkey. This would be useless as the hacker won’t be able to access the account without the other part stored on the user’s device. Physical access to the device would be required to login to the account.
“Passkeys protect users from phishing attacks. Passkeys work only on their registered websites and apps; a user cannot be tricked into authenticating on a deceptive site because the browser or OS handles verification,” according to Google.
In a post on Medium, security researcher Anthony Lawrence pointed out that passkeys won’t be leading to the demise of passwords anytime soon. He estimates it will take “decades” before every user will have the hardware and software necessary to move to passkeys.
There is also a major access issue with passkeys: they are synced via the operating system ecosystem and not the browser. For instance, if a user were to add a password to Chrome on their Windows laptop, they would be able to access it through an Apple device.
However, passkeys added to Chrome via Windows can only be accessed on devices using the Microsoft operating system. It would not be accessible through Apple devices.