Hi all,
here is a not very technical explanation of how passkey technology
works. There is also an article I've copied at the end of this email.
This passkey technology is not related to Google; it's just that they've
been part of the group of tech companies that developed it, along with
Apple and Microsoft (the FIDO Alliance). The technology uses
public/private key pairs where the private key is stored in the device
you're gonna use to authenticate using biometrics, hence the name
"passkeys". Google said that the private keys will also be saved in
Google Password Manager in the cloud. I am not sure what it's called at
Apple.
Passkeys require you to own a smart device with biometrics (fingerprint,
face recognition) or a PC with a compatible fingerprint reader device or
a camera for face recognition.
Any website (not just Gmail) can adopt this way of logging in, and many
will do it in the future. Passwords will still be available as a way to
log in, unless the service lets you disable that login method
completely.
The login process is much more complex than this and probably you'll ask
how the website knows what device to challenge for the private key. This
can happen in multiple ways. For example, if you use a Chrome that's
synced with the Google account that's on your phone, that's how the
request gets to your phone. Same when using Safari on a Mac. If the
browser is not synced, it will offer you other ways to link to your
device (QR code that you can scan, or use Windows Hello). Once the link
is established, the device will ask for biometrics, then there is a
cryptographic process happening using the private key in your device in
order for the website to know it's you.
I had the chance to try it and, overall, I think it's a good change and
will help those of us with visual impairment, because you don't have to
type a password (with the screen reader reading it aloud), mistype it,
or forget it.
All the best,
Adrian
Now, a useful article:
Original article link [1]
What are passkeys?
For those of us who've spent a quarter century memorizing passwords --
reworking pet names, birthdays and sports teams into our sign-in
credentials -- it's easy to yearn for simpler times. Plus, filling our
heads with random numbers and special characters is an imperfect
defense. A decade of data breaches, hacks and phishing attempts have
transformed passwords from a person's first line of defense to their
primary security vulnerability.
To help, along with Apple and Microsoft, we announced last year that we
would support a new sign-in standard created by the FIDO (Fast IDentity
Online) Alliance that would allow people around the world to enter a
"passwordless future." This joint effort to create a safer alternative
to passwords is rooted in passkeys -- and starting today, you can sign
up for passkeys using the "skip password when possible" prompt in your
Google account.
Passkeys are a new feature on computers and smartphones that securely
log you into your accounts across the web by using biometrics like a
fingerprint or face scan, or a screen lock PIN. No more remembering
passwords for every one of your accounts on apps and websites --
passkeys take care of securely completing authentication with a service
on your behalf.
While we welcome a more secure future, as with any new technology we had
a few questions. To get answers, we sat down with Google Security expert
Christiaan Brand. Read on for an informative Q&A with Christiaan, which
has been edited for length and clarity.
In simple terms, what is a passkey?
A passkey is a FIDO credential stored on your computer or phone, and it
is used to unlock your online accounts. The passkey makes signing in
more secure. It works using public key cryptography, and proof that you
own the credential is only shown to your online account when you unlock
your phone.
To sign into a website or app on your phone, you just unlock your phone
-- your account won't need a password anymore.
Or if you're trying to sign into a website on your computer, you just
need your phone nearby and you'll be prompted to unlock your phone --
which will then grant you access on your computer.
You talk about a "passwordless future" -- will passkeys really replace
passwords?
Yes, passkeys will replace passwords. It's even broader than that. I'd
say our vision for passkeys is to not only get rid of passwords, but
also eliminate all the Band-Aids the industry has designed to make up
for the fact that passwords are so vulnerable.
And by "Band-Aids" you mean challenge questions like "What was your high
school mascot?" or "What is your mother's maiden name?"
Yes, but even more sophisticated fixes like multi-factor authentication,
SMS messages, or authenticator apps. For example, we built the Google
Authenticator App to give people an extra layer of security on the web.
Passkeys will replace all of this.
We rarely hear the words "public" and "cryptography" in a single phrase
-- how does it actually work?
Public key cryptography has been around since the 1970s -- the web is
built on it. In the 1990s, Netscape developed encryption based on public
keys called Secure Sockets Layer -- or SSL -- as a means of
authenticating websites and ensuring user privacy. Secure websites all
have them and it's how you can identify whether a website is authentic
and what it claims to be.
So it authenticates websites -- but how does that authenticate people?
Passkeys are similar to SSL, more recently called TLS. But instead of
systems authenticating each other, a person has the corresponding
private key on their device. The cryptography portion of this is that
the website can confirm that the user's device -- which biometrics
confirm is in their possession -- has the passkey. Because of the
cryptography the server never actually learns what the user's passkey
actually is. That's the magic of public key cryptography. It can
validate you without knowing anything about you. It just confirms you
are who you say you are.
So if this cryptography has been around since the 1970s, why have we
been memorizing passwords since the 1990s?
Public key cryptography needs computing power. Up until about 2010, most
people weren't walking around with computers in their pockets.
That's what smartphones are. Pocket computers. And while smartphones
have been perceived as vulnerabilities, passkeys can transform them into
the biggest shift for online security in decades.
OK, but if you lose your phone, can the person who finds it use your
passkey?
No, because the phone is only part of it. In the past, logging onto a
secure website required two things: You just had to have a machine to
access the internet; and you needed to remember something, like your
password. That means that if someone got your password all they needed
was access to the internet -- from anywhere.
Passkeys are an evolution. They authenticate that you are in possession
of your device, and that you are the one accessing your account. It's
zero-trust in that it requires that something about you must be true.
That's more secure and simpler for people.
Your fingerprint, your face: the ability to unlock your device -- these
things and your device must be in your possession. If someone gets your
device, they can't do anything with your passkey. And if you lose your
old device containing your passkey, you can easily create a new passkey
on your new device.
And you can have more than one passkey on multiple devices?
Yes, you can have many passkeys and even have passkeys on devices shared
with your family. That's one of the big leaps. The cryptography means
passkeys -- however many you have, and wherever they are stored -- are
only useful to the user.
This seems like one of the first security advances that require people
to do less.
That's true -- and that's part of the zero-trust innovation. Since we
all have a lot on our minds, we can focus on other things while
simultaneously being more secure.
On innovation. They say -- I think -- that great innovations solve
familiar problems. At their best, innovation means the problems that
worry us will make our children yawn. What everyday security concerns do
passkeys solve that will make my children yawn?
Three things that fall into that category:
First, passwords getting stolen. We hear every week about some company
getting hacked and passwords are stolen. Since people often recycle
passwords across the web, that can give bad actors access to a lot of
different accounts -- email, banking, social media. Passkeys stop that.
Second, authentication is imperfect and time consuming. Authentication
means that even if someone gets ahold of your password, they would still
need another piece of data. It's why we built the Google Authenticator
App. The app helped mitigate data breaches. But that still means a
person has work to do -- and it puts the burden on the individual user.
It's time consuming. The user shouldn't be so alone in security and
authentication -- and for a couple of decades they largely have been.
Third, kids will look back on "phishing attempts" as amateur theatrics.
Phishing is when someone sends you an email, it looks official, and you
click on the link and you start typing your credentials. Phishing
attempts have grown more sophisticated and sometimes people will not
only be tricked into giving their username and password, but
authentication info and other personal details. Plus, phishing also puts
the burden on users to determine how credible an email or website looks.
That's not very technical. Passkeys can solve the phishing problem.
One question a lot of people will have -- and that concerns biometrics
like fingerprints and facial recognition. Do you think people should be
concerned about biometrics working with their device to empower
passkeys?
None of our modern devices, laptops, smartphones or desktops -- even
those that use biometrics -- can package biometric info and send it to
the cloud. Modern smartphones aren't built to share biometrics. It's
always local and on your device. Even if your device gets stolen, the
thief won't have your biometrics to activate the passkey.
We know that new technology takes time to earn trust and achieve
widespread adoption. We also live in an age when lots of new digital
novelties sort of masquerade as breathtaking innovation. How can people
be sure passkeys are worth their time?
They can set up passkeys next time they're prompted by a service. Spend
a little time, and then save a lot of time and mental energy after that
-- and be a lot more secure.
Links:
------
[1]
https://blog.google/inside-google/googlers/ask-a-techspert/how-passkeys-work/#:~:text=The%20passkey%20makes%20signing%20in,t%20need%20a%20password%20anymore.
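The challenge-response exchange that Adrian's explanation and the "how does it actually work" answer describe, written out as an added example in Go. This is not code from the email, the article, or any FIDO/WebAuthn library: the signing input is a simplified stand-in for WebAuthn's authenticatorData || clientDataHash, and the site identifier "example.com", the origins and the challenge bytes are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator is the user's device; the private key never leaves it.
type Authenticator struct {
	priv     *ecdsa.PrivateKey
	RPID     string // site the passkey was created for, e.g. "example.com" (constructed)
	Unlocked bool   // stands in for a successful biometric or screen-lock PIN check
}

// Register creates a P-256 passkey for rpID; the site keeps only the public key.
func Register(rpID string) (*Authenticator, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv, RPID: rpID}, &priv.PublicKey, nil
}

// signingInput stands in for WebAuthn's authenticatorData || clientDataHash: H(H(rpID) || H(challenge || origin)).
func signingInput(rpID string, challenge []byte, origin string) []byte {
	rpIDHash := sha256.Sum256([]byte(rpID))
	cdHash := sha256.Sum256([]byte(string(challenge) + "|" + origin))
	h := sha256.Sum256(append(rpIDHash[:], cdHash[:]...))
	return h[:]
}

// Assert is the device side of a login: refuse while locked, refuse any origin
// other than the passkey's own site (subdomains omitted here), otherwise sign.
func (a *Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	if !a.Unlocked {
		return nil, errors.New("device locked: user verification required")
	}
	if origin != "https://"+a.RPID {
		return nil, errors.New("no passkey registered for this origin")
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, signingInput(a.RPID, challenge, origin))
}

// Verify (site side) recomputes the input from its own challenge and origin, then checks the signature.
func Verify(pub *ecdsa.PublicKey, rpID string, issued, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signingInput(rpID, issued, "https://"+rpID), sig)
}
```

Because the site verifies against the challenge it issued and its own origin, a signature obtained by a look-alike site or captured from an earlier login is useless anywhere else, which is the property behind the article's claim that passkeys stop phishing and stolen-credential reuse.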