PASSWORD-FREE LIFE? IS IT REASONABLE?

The short answer is yes, but it is still in its infancy and not all devices support it yet.

From 3 May 2023, you will be able to create passkeys for your personal Google Account. This is part of Google’s “Advenced Protection Program”. Google will not ask for a password or two-step authentication when you sign in. Such passkeys can be a more convenient and secure alternative to passwords. They work on all major platforms and browsers and allow users to log into their computer or mobile device using their fingerprint, facial recognition or PIN.

WHY IS IT MORE SECURE THAN A PASSWORD?

Passkeys, unlike passwords, are stored only on your own devices. This means that passkeys can protect against phishing attacks, password reuse or data leaks. This is stronger protection than most two-factor methods offer today, so you can skip two-factor authentication when using a passkey. Existing login methods, such as passwords, will still work if you need them, for example when using devices that do not yet support passkeys. Passkeys are still new, and it will take time before they will work on all devices. If you want to sign in on a new device for the first time, or temporarily use someone else’s device, you can use the passkey stored on your phone to do this. If you lose a device that has a passkey for your Google Account and you think someone else can unlock it, you can revoke the passkey immediately in your account settings.

BUT HOW DOES IT WORK?

The main component of a passkey is a cryptographic private key that is stored on your device. When you create one, the associated public key is uploaded to the Google system. When you sign in, Google will prompt your device to sign a unique call with the private key. The device will only do this if you approve it, it will then verify the signature with your public key. Your device also ensures that the signature is only shared across Google websites and apps. The signature proves to Google that the device is yours because you have the private key, that you were present when you unlocked it, and that you really want to sign in to Google. To do this, you only share the public key and the signature with Google. Neither of these contain any information about your biometric data. Since each passkey is only valid for a single account, there is no risk of reusing the same one for other services, so password reuse can be ruled out.

WHY CAN’T LOGIN INFORMATION BE OBTAINED REMOTELY?

When you want to log in for the first time on another device using the passkey stored in your phone, the first step is to scan the QR code displayed on the other device. The device then checks that your phone is nearby by sending a small, anonymous Bluetooth message, and then establishes an end-to-end encrypted connection over the internet with the phone. The phone uses this connection to send the requested one-time passkey signature, which requires your approval and a biometric or screen lock step on the phone. Neither the passkey itself nor the screen lock information is sent to the new device. Bluetooth proximity control ensures that remote attackers cannot obtain any information.

WHY TRUST IT?

Passkeys are based on the protocols and standards established by the FIDO Alliance and the W3C WebAuthn Working Group. This means that passkey support works on all platforms and browsers that accept these standards. These same standards and protocols provide the security keys that provide strong protection. Passkeys inherit many strong account protection measures from security keys, but are convenient for everyone.

It’s still a new process, and it has technical limitations because not all devices can detect so-called Bluetotth Low Enegry, but it’s exciting to see how Google is trying to replace it.

Sources:

https://landing.google.com/advancedprotection/

https://security.googleblog.com/2023/05/so-long-passwords-thanks-for-all-phish.html?m=1