Is a future without passwords coming soon? In any case, this is the path Google seems to be taking, as it takes a new step by rolling out passkeys, also called access keys. Since May 3, 2023, billions of users of Google services can adopt this method of authentication, which relies on biometric sensors, the PIN code used to lock a smartphone, or physical security keys, and completely abandon their passwords and verification codes when signing in to their accounts, as the company proudly announces in its press release. To do this, you just need to go to this address, sign in to your account using your usual identifiers, and then click “Use access keys”. To add an additional access key for another device, just click “+ Generate Security Key”; the key will then be stored on the device used.
Google Account passkeys are stored on any compatible device (iPhones with iOS 16 and Android devices with Android 9 or higher) and can be shared with other devices from within the operating system using services like iCloud or some password managers. To temporarily access your Google account from someone else’s device, select the “Use a password from another device” option to create a one-time sign-in. Please note that you should not create an access key on a shared device, because its real owner will then be able to access the Google account whenever they want. In the event of theft, loss or intrusion of the device, it is entirely possible to revoke the security keys in your account settings.
While it will take some time for passkey support to become widespread, this announcement marks significant progress in their adoption, given the size of Google and the scale of the implementation. For the time being, user accounts will continue to support existing login methods, such as passwords. It’s kind of a transitional period. Mountain View plans to promote this new technology in the coming months and begin encouraging its users to convert their credentials into passkeys.
The solution to replace passwords
But why are we seeking to create a future without passwords? Quite simply because of their well-known shortcomings. They are often very weak, reused on multiple sites and accounts, and can be stolen through successful “phishing”. Solutions have been devised to overcome these weaknesses, such as two-factor authentication (which is not infallible) and password managers (which can be hacked), but the risks remain, especially now that hackers are showing more and more imagination. The FIDO Alliance, a consortium of leading technology companies, government agencies, service providers, financial institutions, payment processors, and other industries, including Apple, Amazon, Microsoft, PayPal, and Google, has long been working on a technology to eliminate the use of passwords: passkeys.
After Apple announced its desire to introduce it with iOS 16 and macOS, Google, in turn, allowed developers in October 2022 to start implementing this authentication technology on Android via the beta version of Google Play Services and the Canary version of Google Chrome. For Diego Zavala, Android product manager, and Christian Brand, account and security product manager, rolling out passkeys was a great step forward because they “can’t be reused, don’t leak server vulnerabilities, and protect users from phishing attacks,” they explain in a post on the Android Developers blog.
How does the passkey work?
With passkeys, the user chooses a device, logically their smartphone, as the main means of authentication on websites and apps. When registering or changing the sign-in method, the smartphone generates a pair of cryptographic keys: a public key that is sent to the service provider, and a private key that remains stored on the phone and allows the website or application to authenticate the user. The private key is used once the device has been unlocked through the smartphone’s own authentication mechanism: PIN code, pattern, face recognition or fingerprint. Put simply, instead of entering a password, you just use the usual method of unlocking your main device. And voila! A smartphone passkey can also be used to connect to a site via another device, such as a laptop. All you have to do is scan the QR code displayed on the site with your smartphone. Ultimately, the goal is to allow passkeys to be used across different platforms (Windows, macOS, ChromeOS, Android, and iOS) so that, for example, a user of the Chrome browser on Windows can authenticate to a site using a passkey stored on an iPhone.
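The key-pair exchange described above, as an added example that is not part of the original article or any Google code: a simplified Node.js model (not the real WebAuthn message format) showing that the service only ever holds the public key and accepts a signature only for a fresh challenge signed for its own origin. The names `createPasskey`, `RelyingParty`, `demo` and both host names are assumptions made for the illustration.

```javascript
// Added illustration: simplified passkey flow, not the real WebAuthn message format.
const nodeCrypto = require('node:crypto');
// Device side (assumed helper): the private key stays inside this closure.
function createPasskey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey, // the only half sent to the service at registration
    sign(challenge, origin) {
      // In a real browser the origin is filled in by the browser, not the page.
      const clientData = JSON.stringify({ challenge, origin });
      const signature = nodeCrypto.sign('sha256', Buffer.from(clientData), privateKey);
      return { clientData, signature };
    },
  };
}
// Service side (assumed class): stores public keys and single-use challenges only.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.keys = new Map(); this.pending = new Set(); }
  register(user, publicKey) { this.keys.set(user, publicKey); }
  newChallenge() {
    const c = nodeCrypto.randomBytes(32).toString('base64url');
    this.pending.add(c);
    return c;
  }
  verify(user, { clientData, signature }) {
    const key = this.keys.get(user);
    if (!key) return 'unknown user';
    if (!nodeCrypto.verify('sha256', Buffer.from(clientData), key, signature)) return 'bad signature';
    const { challenge, origin } = JSON.parse(clientData);
    if (!this.pending.delete(challenge)) return 'stale or replayed challenge';
    return origin === this.origin ? 'ok' : 'wrong origin';
  }
}
// Constructed scenario; accounts.example and the look-alike host are made-up names.
function demo() {
  const rp = new RelyingParty('https://accounts.example');
  const phone = createPasskey();
  rp.register('alice', phone.publicKey);
  const good = phone.sign(rp.newChallenge(), rp.origin);
  const elsewhere = phone.sign(rp.newChallenge(), 'https://accounts-example.test');
  const stranger = createPasskey().sign(rp.newChallenge(), rp.origin);
  return {
    login: rp.verify('alice', good),           // fresh challenge, right origin
    replay: rp.verify('alice', good),          // same response sent a second time
    otherOrigin: rp.verify('alice', elsewhere), // signed while on a different site
    otherDevice: rp.verify('alice', stranger),  // key that was never registered
  };
}
```

Unlike a password database, nothing stored by `RelyingParty` lets anyone sign in if it is copied, because producing a valid signature requires the private key that never left the device.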
In practice, day-to-day use of passkeys changes little for the user. Many apps and websites already call on one of the user’s devices, for example by asking them to confirm on their smartphone that the sign-in attempt is theirs, or to tap a specific number displayed on it. However, you must always log in at least once with a password to be able to activate this login function. Nor does this remove the ability to access your account with your usual identifiers, which can therefore still be hacked. Passkeys also have some drawbacks, especially when you want to trade in your Android smartphone for an iPhone, or vice versa, or when the device is stolen or broken. You then have to either manually copy the passkeys to the new phone, which is very tedious, or request new access tokens from all the services and prove your identity every time. The fact remains that developers have been able to test this simple and secure authentication on Google Chrome and Google Play services since November 2022, through an API that allows them to use passkeys in Android apps. In the meantime, it is best to create a secure password.
Sources: writing and the web