Introduction
Passwords are one of the most common and widely used methods of authentication on the web. However, passwords also have many drawbacks and limitations that make them vulnerable to various types of attacks, such as phishing, brute force, credential stuffing, and password reuse. Moreover, passwords are often hard to remember and manage, especially for users who have multiple accounts on different websites and applications.
To address these challenges, a new standard of authentication has emerged: passkeys. Passkeys are digital credentials that are securely stored on the user’s device and protected by biometric sensors (such as fingerprint or facial recognition), PINs, or patterns. Passkeys allow users to sign in to websites and applications without having to enter a username or password, or provide any additional authentication factor. Passkeys are also unique to each website or application, so they cannot be reused or compromised by attackers.
In this article, we will explain what passkeys are, how they work, what their benefits and challenges are, and how Google is adopting them as the default sign-in method for personal accounts.
What are passkeys?
Passkeys are a type of passwordless authentication, promoted by the World Wide Web Consortium (W3C) and the FIDO Alliance¹. Passkeys are based on the Web Authentication (WebAuthn) standard², which defines an API for creating and using public key-based credentials on the web. Passkeys are also compatible with the FIDO2 protocol³, which enables interoperability between different platforms and devices that support passwordless authentication.
A passkey is a digital credential that is used as an authentication method for a website or application. The passkey consists of a public/private key pair, which is generated and stored on the user’s device. The public key is registered with the website or application during the account creation process, while the private key never leaves the device. The private key is protected by the device’s biometric sensor (such as fingerprint or facial recognition), PIN, or pattern, which acts as a local authentication factor.
When the user wants to sign in to a website or application that supports passkeys, they simply need to use their device’s biometric sensor, PIN, or pattern to unlock their private key. The device then uses the private key to sign a challenge sent by the website or application, which verifies the user’s identity and grants them access. The user does not need to enter a username or password, or provide any additional authentication factor.
How do passkeys work?
- The user visits a website or application that supports passkeys and chooses to create an account using a passkey.
- The website or application sends a challenge to the user’s device, which generates a public/private key pair specific to that website or application.
- The user uses their device’s biometric sensor, PIN, or pattern to protect their private key.
- The device sends the public key and some metadata (such as device name and type) to the website or application, which registers them as a credential for that user account.
- The user can now sign in to that website or application using their passkey.
- The website or application sends another challenge to the user’s device, which uses the private key to sign it.
- The device sends the signed challenge back to the website or application, which verifies it using the public key and grants access to the user.
What are the benefits of passkeys?
Passkeys offer several advantages over passwords as an authentication method:
- Security: Passkeys are resistant to phishing attacks, as they do not rely on shared secrets that can be stolen or guessed by attackers. Passkeys are also immune to credential stuffing attacks, as they are unique to each website or application and cannot be reused across different services. Moreover, passkeys are protected by the device’s biometric sensor, PIN, or pattern, which adds another layer of security and prevents unauthorized access if the device is lost or stolen.
- Convenience: Passkeys eliminate the need for users to remember and manage multiple passwords for different accounts. Users can simply use their device’s biometric sensor, PIN, or pattern to sign in to any website or application that supports passkeys. Passkeys also reduce the friction and frustration of entering complex passwords on small screens or keyboards.
- Privacy: Passkeys do not reveal any personal information about the user to the website or application, such as their email address or phone number. Passkeys share only some metadata about the device (such as device name and type), which is used for display purposes. Passkeys also do not require any third-party services or intermediaries for authentication, such as social media platforms or identity providers.
What are the challenges of passkeys?
Passkeys also have some limitations and challenges that need to be addressed:
- Adoption: Passkeys are a relatively new and emerging standard of authentication, and not all websites and applications support them yet. Users may still need to use passwords for some services that do not offer passkeys as an option. Moreover, users may not be aware of or familiar with passkeys, and may need some education and guidance on how to use them effectively.
- Compatibility: Passkeys rely on the device’s biometric sensor, PIN, or pattern to protect the private key, which may vary in quality and availability across different devices and platforms. Users may also have different preferences and expectations for their authentication methods, such as fingerprint versus facial recognition. Passkey implementations need to ensure compatibility and interoperability between different devices and platforms that support passwordless authentication.
- Recovery: Passkeys are tied to the user’s device, which means that if the device is lost, damaged, or replaced, the user may lose access to their accounts that use passkeys. Passkeys need to provide a secure and reliable way for users to recover their accounts in case of such scenarios, such as using backup codes, recovery emails, or phone numbers.
How is Google adopting passkeys?
Google is one of the leading proponents and adopters of passkeys as an authentication method. Google has been experimenting with passkeys since 2018⁴, and has recently announced that it will make passkeys the default sign-in method for personal accounts⁵. Google claims that passkeys are more secure, convenient, and private than passwords, and that they will improve the user experience and satisfaction.
Google is rolling out passkeys gradually to its users, starting with Android devices that support biometric sensors. Users can opt in to use passkeys for their Google accounts by following these steps⁶:
- Open your Google Account settings on your Android device.
- Tap Security.
- Tap Sign in to Google.
- Tap Use your phone to sign in.
- Tap Set it up.
- Follow the on-screen instructions.
Once you enable passkeys for your Google account, you can sign in to any Google service (such as Gmail, YouTube, or Google Photos) using your device’s biometric sensor, without having to enter a password. You can also use passkeys to sign in to other websites and applications that support the WebAuthn or FIDO2 protocols.
Google also provides some options for users to manage and recover their passkeys, such as:
- Viewing and deleting the devices that have passkeys for your account.
- Adding or removing backup methods (such as backup codes, recovery email, or phone number) for your account.
- Resetting your account if you lose access to your device or passkey.
Google plans to expand passkeys to more devices and platforms in the future, such as iOS devices, Chromebooks, Windows PCs, and Macs. Google also hopes that more websites and applications will adopt passkeys as an authentication method, and that users will embrace passkeys as a better alternative to passwords.
Passkeys are a new way to authenticate on the web that offer several benefits over passwords, such as security, convenience, and privacy. Passkeys are based on the WebAuthn standard and the FIDO2 protocol, which enable passwordless authentication using public key cryptography and device biometrics. Passkeys are unique to each website or application, and do not require any shared secrets or additional authentication factors.
Passkeys also have some challenges and limitations that need to be addressed, such as adoption, compatibility, and recovery. Passkeys need to ensure interoperability between different devices and platforms that support passwordless authentication, and provide a secure and reliable way for users to recover their accounts in case of device loss or damage.
Google is one of the leading adopters of passkeys as an authentication method, and has recently made passkeys the default sign-in method for personal accounts. Google claims that passkeys will improve the user experience and satisfaction, and hopes that more websites and applications will support passkeys in the future.
Passkeys are a promising technology that aims to replace passwords as the dominant authentication method on the web. Passkeys have the potential to make the web more secure, convenient, and private for users and developers alike.
References
¹: Passkey (authentication) – Wikipedia
²: Web Authentication: An API for accessing Public Key Credentials Level 3 – W3C
³: FIDO2: WebAuthn & CTAP – FIDO Alliance
⁴: What the hell are passkeys and why are they suddenly everywhere? – Engadget
⁵: Google makes passkeys the default sign-in for personal accounts
⁶: Privacy & Terms – Google