“Microsoft, Apple and Google”
Google announced today that passkeys are now the default sign-in option across all personal Google Accounts across its services and platforms. After setting up a passkey linked to their device, users can sign into their Google accounts without entering a password.
…
Using passkeys significantly reduces the risk of data breaches … and protects against phishing attacks. … Passkeys are tied to specific devices, such as computers, tablets, and smartphones.
…
They work locally, offer a more secure and convenient alternative to traditional passwords, and enable the use of biometric sensors like fingerprint scanners and facial recognition, along with PINs, hardware security keys, or screen lock patterns. … Microsoft, Apple, and Google revealed their commitment to endorsing passkeys … in May 2022.

“Manages cryptographic keys”
Less than six months ago, Google announced that it was launching support for the password replacement known as “passkeys” for all personal accounts across its billions of users. Today, the company said it is going a step further.
…
Passwords have inherent security problems because they can be guessed and stolen. And since it’s so difficult to keep track of dozens or hundreds of passwords, users often reuse the same passwords on multiple accounts. … Passkeys are specifically designed to address these issues … by instead relying on a scheme that manages cryptographic keys stored on your devices.
…
There’s so much inertia on passwords around the world that even a player as big and influential as Google can’t force the issue overnight. But the company is clearly using its influence to steer users with gentle pressure that seems likely to continue mounting as passkeys gain broader momentum.

“Skip password when possible”
Previously, the setup process involved manually going to g.co/passkeys. Google will soon start showing prompts to create passkeys the “next time you sign in to your Google Account.” You have to create a Google Account passkey for each phone, tablet, laptop, and desktop, while passkeys obviates the need for Google’s 2-Step Verification.
…
Users can still just use their password over passkeys by turning off the “Skip password when possible” option. If a device is lost, you can revoke Google Account passkeys in settings.

Passkeys are “better” in the sense that it utilizes your personal devices’ security, and presumably you’d want those to work correctly first (fingerprint, face, PIN, etc.) … then use that to base your login to Google on. This is safer than simply giving control to a SMS recipient.

I still don’t get it. What’s the difference between a … PIN and a password?

The PIN wouldn’t be transmitted to the server but rather unlock a vault containing cryptographic keys on your device that then sign an intent to log in. So it’s passwordless for the website operator, and for the user the password is no longer enough to log in to a website, since you also need access to the vault.

What a passkey is: It’s an exchange between your device and the service you use. Your computer creates a random string of text and numbers called a private key, it then takes that key and computes another string called the public key, which the website keeps. Through math, you’re then authenticated.

I do cyber-security and compliance for a living. Want me to list all the incidents I’ve responded to with five and six digit financial losses that would have been prevented by the simple action of having MFA?

My favorite: The law firm that declined my company’s free MFA implementation, because—and I quote verbatim—”Our people are too smart to get phished.” Yeah, they got phished—and they lost $250,000 and several clients. … But hey, if you’d rather learn the lesson the hard way, Godspeed.

It seems with Passkeys things are evolving. I’m mostly taking a wait and see approach to see how it settles. I doubt any major players will allow anything unsafe, but we can’t assume they’ll all handle it the same way.

Recent Articles By Author