Google announced this week that it has rolled out a new way to log into a Google account that does away with passwords and even multifactor authentication.
Passkeys, Google believes, will ultimately replace passwords and usher in a new era of device security.
“Using passwords puts a lot of responsibility on users,” Google said of the new tech in a blog post. “Choosing strong passwords and remembering them across various accounts can be hard. In addition, even the most savvy users are often misled into giving them up during phishing attempts. 2SV (2FA/MFA) helps, but again puts strain on the user with additional, unwanted friction and still doesn’t fully protect against phishing attacks and targeted attacks like ‘SIM swaps’ for SMS verification.”
“Passkeys help address all these issues.”
Users can create a passkey for their Google account now and use it on both mobile devices and desktop machines. Once created, the passkey is stored on each device as a cryptographic private key. It cannot be written down or shared. Google then stores the matching public key on its own network.
When you sign into your account, you can use the biometrics on, for instance, your phone to unlock the device; the device then signs the sign-in request with its private key, Google checks that signature against the public key it holds, and the sign-in succeeds. The private key can also be synced between devices, using services such as iCloud Keychain or Google Password Manager, so a new device can be set up quickly, or a whole ecosystem of personal devices activated at once.
Passkeys can even be used to sign into other devices by scanning a QR code. A quick Bluetooth handshake then confirms that you and your unlocked device are nearby, and a one-time passkey is created for the session.
Google believes this can cut down on the threat of phishing sites harvesting credentials.
“The signature proves to us that the device is yours since it has the private key, that you were there to unlock it, and that you are actually trying to sign in to Google and not some intermediary phishing site,” Google said.
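The three properties in that quote map onto concrete server-side checks. The following is an added example, not Google's code or anything from the article: a toy WebAuthn-style flow in Go with constructed relying-party values (example.com), showing that an assertion produced on a different origin, with a stale challenge, or without a user-presence flag fails verification even though the genuine private key signed it.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// Constructed relying-party values for this example; not Google's real configuration.
const rpID, rpOrigin = "example.com", "https://example.com"
// registerPasskey models enrolment: the key pair is created on the device and the server keeps only the public key.
func registerPasskey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// ClientData is filled in by the browser, not by the page: it binds the challenge to the origin the user is really on.
type ClientData struct {
	Type      string `json:"type"`
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}
// Assertion is the device's reply; AuthData is SHA-256(rpID) followed by a flags byte (bit 0 = user was present).
type Assertion struct{ ClientDataJSON, AuthData, Sig []byte }

// sign models the unlocked device: the private key never leaves it; it signs authData || SHA-256(clientDataJSON).
func sign(priv *ecdsa.PrivateKey, challenge []byte, origin, rpSeen string, userPresent bool) (Assertion, error) {
	cd, _ := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash, cdHash := sha256.Sum256([]byte(rpSeen)), sha256.Sum256(cd)
	auth := append(rpHash[:], 0)
	if userPresent {
		auth[32] = 1
	}
	msg := sha256.Sum256(append(append([]byte{}, auth...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, msg[:])
	return Assertion{cd, auth, sig}, err
}

// verify models the server: the origin and rpID checks defeat a phishing page relaying a real challenge, because the browser records the attacker's origin, not ours.
func verify(pub *ecdsa.PublicKey, expected []byte, a Assertion) bool {
	var cd ClientData
	if json.Unmarshal(a.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Origin != rpOrigin {
		return false
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(cd.Challenge, expected) || len(a.AuthData) != 33 || !bytes.Equal(a.AuthData[:32], want[:]) || a.AuthData[32]&1 == 0 {
		return false // stale or replayed challenge, wrong relying party, or no user-presence check
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	return ecdsa.VerifyASN1(pub, msg[:], a.Sig)
}
```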
In case a device is lost, you can even revoke the passkey to be certain of your account’s security, though Google does say if your device supports remote wiping, it’s probably a good idea to consider it.
The underlying protocols are those of the FIDO Alliance and the W3C WebAuthn working group, both of which Google helped to create. They are the same protocols used by Google’s security keys.
“Passkeys inherit many of their strong account protections from security keys, but with convenience that is suitable for everyone,” Google said.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.