Introduction

Passwords are one of the most common and widely used methods of authentication on the web. However, passwords also have many drawbacks and limitations that make them vulnerable to various types of attacks, such as phishing, brute force, credential stuffing, and password reuse. Moreover, passwords are often hard to remember and manage, especially for users who have multiple accounts on different websites and applications.

To address these challenges, a new standard of authentication has emerged: passkeys. Passkeys are digital credentials that are securely stored on the user’s device and protected by biometric sensors (such as fingerprint or facial recognition), PINs, or patterns. Passkeys allow users to sign in to websites and applications without having to enter a username or password, or provide any additional authentication factor. Passkeys are also unique to each website or application, so they cannot be reused or compromised by attackers.

In this article, we will explain what passkeys are, how they work, what their benefits and challenges are, and how Google is adopting them as the default sign-in method for personal accounts.

What are passkeys?

Passkeys are a type of passwordless authentication, promoted by the World Wide Web Consortium (W3C) and the FIDO Alliance¹. Passkeys are based on the Web Authentication (WebAuthn) standard², which defines an API for creating and using public key-based credentials on the web. Passkeys are also compatible with the FIDO2 protocol³, which enables interoperability between different platforms and devices that support passwordless authentication.

A passkey is a digital credential that is used as an authentication method for a website or application. The passkey consists of a key pair, a public key and a private key, generated and stored on the user’s device. The public key is registered with the website or application during the account creation process, while the private key is never shared with anyone. The private key is protected by the device’s biometric sensor (such as fingerprint or facial recognition), PIN, or pattern, which acts as a local authentication factor.

When the user wants to sign in to a website or application that supports passkeys, they simply need to use their device’s biometric sensor, PIN, or pattern to unlock their private key. The device then uses the private key to sign a challenge sent by the website or application, which verifies the user’s identity and grants them access. The user does not need to enter a username or password, or provide any additional authentication factor.

How do passkeys work?

  1. The user visits a website or application that supports passkeys and chooses to create an account using a passkey.
  2. The website or application sends a challenge to the user’s device, which generates a public/private key pair for that website or application.
  3. The user uses their device’s biometric sensor, PIN, or pattern to protect their private key.
  4. The device sends the public key and some metadata (such as device name and type) to the website or application, which registers them as a credential for that user account.
  5. The user can now sign in to that website or application using their passkey.
  6. The website or application sends another challenge to the user’s device, which uses the private key to sign it.
  7. The device sends the signed challenge back to the website or application, which verifies it using the public key and grants access to the user.

What are the benefits of passkeys?

Passkeys offer several advantages over passwords as an authentication method:

What are the challenges of passkeys?

Passkeys also have some limitations and challenges that need to be addressed:

How is Google adopting passkeys?

Google is one of the leading proponents and adopters of passkeys as an authentication method. Google has been experimenting with passkeys since 2018⁴, and has recently announced that it will make passkeys the default sign-in method for personal accounts⁵. Google claims that passkeys are more secure, convenient, and private than passwords, and that they will improve the user experience and satisfaction.

Google is rolling out passkeys gradually to its users, starting with Android devices that support biometric sensors. Users can opt in to use passkeys for their Google accounts by following these steps⁶:

  1. Open your Google Account settings on your Android device.
  2. Tap Security.
  3. Tap Sign in to Google.
  4. Tap Use your phone to sign in.
  5. Tap Set it up.
  6. Follow the on-screen instructions.

Once you enable passkeys for your Google account, you can sign in to any Google service (such as Gmail, YouTube, or Google Photos) using your device’s biometric sensor, without having to enter a password. You can also use passkeys to sign in to other websites and applications that support the WebAuthn or FIDO2 protocols.

Google also provides some options for users to manage and recover their passkeys, such as:

Google plans to expand passkeys to more devices and platforms in the future, such as iOS devices, Chromebooks, Windows PCs, and Macs. Google also hopes that more websites and applications will adopt passkeys as an authentication method, and that users will embrace passkeys as a better alternative to passwords.

Passkeys are a new way to authenticate on the web that offer several benefits over passwords, such as security, convenience, and privacy. Passkeys are based on the WebAuthn standard and the FIDO2 protocol, which enable passwordless authentication using public key cryptography and device biometrics. Passkeys are unique to each website or application, and do not require any shared secrets or additional authentication factors.

Passkeys also have some challenges and limitations that need to be addressed, such as adoption, compatibility, and recovery. Passkeys need to ensure interoperability between different devices and platforms that support passwordless authentication, and provide a secure and reliable way for users to recover their accounts in case of device loss or damage.

Google is one of the leading adopters of passkeys as an authentication method, and has recently made passkeys the default sign-in method for personal accounts. Google claims that passkeys will improve the user experience and satisfaction, and hopes that more websites and applications will support passkeys in the future.

Passkeys are a promising technology that aims to replace passwords as the dominant authentication method on the web. Passkeys have the potential to make the web more secure, convenient, and private for users and developers alike.

References

¹: Passkey (authentication) – Wikipedia
²: Web Authentication: An API for accessing Public Key Credentials Level 3
³: FIDO2: WebAuthn & CTAP
⁴: What the hell are passkeys and why are they suddenly everywhere? – Engadget
⁵: Google makes passkeys the default sign-in for personal accounts
⁶: Privacy & Terms – Google