Hear, hear! Well done, Adrian!
All the best,
Cearbhall
m +353 (0)833323487 e: cearbhall.omeadhra@xxxxxxx
From: fb-exchange-bounce@xxxxxxxxxxxxx <fb-exchange-bounce@xxxxxxxxxxxxx> On
Behalf Of Kenneth Walsh
Sent: Saturday, October 21, 2023 5:10 PM
To: fb-exchange@xxxxxxxxxxxxx
Subject: [fb-exchange] Re: What are passkeys and how they work
Adrian
A fantastic explanation.
All The Best,
Ken
On 21 Oct 2023, at 14:15, Adrian Talpa <hello@xxxxxxxxxxxxxx> wrote:
Hi all,
here is a not very technical explanation of how passkey technology works.
There is also an article I've copied at the end of this email. This passkey
technology is not related to Google, it's just they've been part of the tech
companies that developed it, along with Apple and Microsoft - FIDO alliance.
The technology uses public/private key pairs where the private key is stored in
the device you're gonna use to authenticate using biometrics, hence the name
"passkeys". Google said that the private keys will also be saved on Google
Password Manager in the cloud. I am not sure what it's called at Apple.
Passkeys require you to own a smart device with biometrics (fingerprint, face
recognition) or a PC with a compatible fingerprint reader device or a camera
for face recognition.
Any website (not just Gmail) can adopt this way of login, and many will do it
in the future. The passwords will still be available as a way to log in unless
the service lets you disable this method to log in completely.
The login process is much more complex than this and probably you'll ask how
the website knows what device to challenge for the private key. This can happen
in multiple ways. For example, if you use a Chrome that's synced with the
Google account that's on your phone, that's how the request gets to your phone.
Same when using Safari on a Mac. If the browser is not synced, it will offer
you other ways to link to your device (QR code that you can scan, or use
Windows Hello). Once the link is established, the device will ask for
biometrics, then there is a cryptographic process happening using the private
key in your device in order for the website to know it's you.
I had the chance to try it and, overall, I think it's a good change and will
help us with visual impairment because you don't have to type a password (with
the screen reader reading it aloud), mistype it, or forget it.
All the best,
Adrian
Now, a useful article:
Original article link
<https://blog.google/inside-google/googlers/ask-a-techspert/how-passkeys-work/#:~:text=The%20passkey%20makes%20signing%20in,t%20need%20a%20password%20anymore.>
What are passkeys?
For those of us who’ve spent a quarter century memorizing passwords — reworking
pet names, birthdays and sports teams into our sign-in credentials — it’s easy
to yearn for simpler times. Plus, filling our heads with random numbers and
special characters is an imperfect defense. A decade of data breaches, hacks
and phishing attempts have transformed passwords from a person’s first line of
defense to their primary security vulnerability.
To help, along with Apple and Microsoft, we announced last year that we would
support a new sign-in standard created by the FIDO (Fast IDentity Online)
Alliance that would allow people around the world to enter a “passwordless
future.” This joint effort to create a safer alternative to passwords is rooted
in passkeys — and starting today, you can sign up for passkeys using the "skip
password when possible" prompt in your Google account.
Passkeys are a new feature on computers and smartphones that securely log you
into your accounts across the web by using biometrics like a fingerprint or
face scan, or a screen lock PIN. No more remembering passwords for every one of
your accounts on apps and websites — passkeys take care of securely completing
authentication with a service on your behalf.
While we welcome a more secure future, as with any new technology we had a few
questions. To get answers, we sat down with Google Security expert Christiaan
Brand. Read on for an informative Q&A with Christiaan, which has been edited
for length and clarity.
In simple terms, what is a passkey?
A passkey is a FIDO credential stored on your computer or phone, and it is used
to unlock your online accounts. The passkey makes signing in more secure. It
works using public key cryptography and proof that you own the credential is
only shown to your online account when you unlock your phone.
To sign into a website or app on your phone, you just unlock your phone — your
account won’t need a password anymore.
Or if you’re trying to sign into a website on your computer, you just need your
phone nearby and you’ll be prompted to unlock your phone — which will then
grant you access on your computer.
You talk about a “passwordless future” — will passkeys really replace passwords?
Yes, passkeys will replace passwords. It’s even broader than that. I’d say our
vision for passkeys is to not only get rid of passwords, but also eliminate all
the Band-Aids the industry has designed to make up for the fact that passwords
are so vulnerable.
And by “Band-Aids” you mean challenge questions like “What was your high school
mascot?” or “What is your mother’s maiden name?”
Yes, but even more sophisticated fixes like multi-factor authentication, SMS
messages, or authenticator apps. For example, we built the Google Authenticator
App to give people an extra layer of security on the web. Passkeys will replace
all of this.
We rarely hear the word “public” and “cryptography” in a single phrase — how
does it actually work?
Public key cryptography has been around since the 1970s — the web is built on
it. In the 1990s, Netscape developed encryption based on public keys called
Secure Sockets Layer — or SSL — as a means of authenticating websites and
ensuring user privacy. Secure websites all have them and it’s how you can
identify whether a website is authentic and what it claims to be.
So it authenticates websites — but how does that authenticate people?
Passkeys are similar to SSL, more recently called TLS. But instead of systems
authenticating each other, a person has the corresponding private key on their
device. The cryptography portion of this is that the website can confirm that
the user’s device — which biometrics confirm is in their possession — has the
passkey. Because of the cryptography the server never actually learns what the
user’s passkey actually is. That’s the magic of public key cryptography. It can
validate you without knowing anything about you. It just confirms you are who
you say you are.
So if this cryptography has been around since the 1970s, why have we been
memorizing passwords since the 1990s?
Public key cryptography needs computing power. Up until about 2010, most people
weren’t walking around with computers in their pockets.
That’s what smartphones are. Pocket computers. And while smartphones have been
perceived as vulnerabilities, passkeys can transform them into the biggest
shift for online security in decades.
OK, but if you lose your phone, can the person who finds it use your passkey?
No, because the phone is only part of it. In the past, logging onto a secure
website required two things: You just had to have a machine to access the
internet; and you needed to remember something, like your password. That means
that if someone got your password all they needed was access to the internet —
from anywhere.
Passkeys are an evolution. They authenticate that you are in possession of your
device, and that you are the one accessing your account. It’s zero-trust in
that it requires that something about you must be true. That’s more secure and
simpler for people.
Your fingerprint, your face: the ability to unlock your device — these things
and your device must be in your possession. If someone gets your device, they
can’t do anything with your passkey. And if you lose your old device containing
your passkey, you can easily create a new passkey on your new device.
And you can have more than one passkey on multiple devices?
Yes, you can have many passkeys and even have passkeys on devices shared with
your family. That’s one of the big leaps. The cryptography means passkeys —
however many you have, and wherever they are stored — are only useful to the
user.
This seems like one of the first security advances that require people to do
less.
That’s true — and that’s part of the zero-trust innovation. Since we all have a
lot on our minds, we can focus on other things while simultaneously being more
secure.
On innovation. They say — I think — that great innovations solve familiar
problems. At their best, innovation means the problems that worry us will make
our children yawn. What everyday security concerns do passkeys solve that will
make my children yawn?
Three things that fall into that category:
First, passwords getting stolen. We hear every week about some company getting
hacked and passwords are stolen. Since people often recycle passwords across
the web, that can give bad actors access to a lot of different accounts —
email, banking, social media. Passkeys stop that.
Second, authentication is imperfect and time consuming. Authentication means
that even if someone gets ahold of your password, they would still need another
piece of data. It’s why we built the Google Authenticator App. The app helped
mitigate data breaches. But that still means a person has work to do — and it
puts the burden on the individual user. It’s time consuming. The user shouldn’t
be so alone in security and authentication — and for a couple of decades they
largely have been.
Third, kids will look back on “phishing attempts” as amateur theatrics.
Phishing is when someone sends you an email, it looks official, and you click
on the link and you start typing your credentials. Phishing attempts have grown
more sophisticated and sometimes people will not only be tricked into giving
their username and password, but authentication info and other personal
details. Plus, phishing also puts the burden on users to determine how credible
an email or website looks. That’s not very technical. Passkeys can solve the
phishing problem.
One question a lot of people will have — and that concerns biometrics like
fingerprints and facial recognition. Do you think people should be concerned
about biometrics working with their device to empower passkeys?
None of our modern devices, laptops, smartphones or desktops — even those that
use biometrics — can package biometric info and send it to the cloud. Modern
smartphones aren’t built to share biometrics. It’s always local and on your
device. Even if your device gets stolen, the thief won’t have your biometrics
to activate the passkey.
We know that new technology takes time to earn trust and achieve widespread
adoption. We also live in an age when lots of new digital novelties sort of
masquerade as breathtaking innovation. How can people be sure passkeys are
worth their time?
They can set up passkeys next time they’re prompted by a service. Spend a
little time, and then save a lot of time and mental energy after that — and be
a lot more secure.