Do you find it frustrating to remember multiple passwords? We share your frustration, even with the help of password manager apps. Tech giants like Google also acknowledge the security risks that passwords pose for users. Everyone agrees that the situation is problematic. However, a new solution is emerging that could change the game: Passkeys.
Although the term “passkey” may seem similar to “password,” it represents a novel approach to secure logins that addresses the shortcomings of traditional passwords while enhancing the user experience (with the exception of cybercriminals, of course).
With passkeys, Google aims to eliminate the need for traditional passwords that are often reused, compromised, or susceptible to phishing attacks. Instead, users authenticate with the same method they already use to unlock their phone or computer, such as a PIN code, fingerprint, or facial recognition. The use of passkeys removes the need for 2-Step Verification (2SV) in Google’s case, making it even easier for users to access their accounts securely.
Google has begun rolling out support for passkeys across Google Accounts on all major platforms. Passkeys are a major transformation in the way we verify our identities online, even though passwords will remain an option for the near future. If you’re interested in discovering more about passkeys and their functionality, continue reading for a detailed guide on how to set up your own passkey.
What is a Passkey
A passkey is a specialized cryptographic key that is linked to your device and can be used to unlock your account when combined with a personal identifier. This key can also be shared with other devices through the cloud. The passkey authentication process has been designed to be user-friendly and simple, allowing you to log in with a passkey using your face, fingerprint, or a PIN, similar to unlocking your phone with these identifiers.
When a user logs in with passkey technology for the first time, a unique key pair is generated. One key, the private key, is kept on the user’s device and is not shared with any service. The other, the public key, is stored on the service’s servers. Login succeeds only when the device proves that it holds the private key that matches the public key stored by the service. Users can unlock and share the key using their Android phone’s built-in biometrics or other authentication methods. This process ensures that users’ account information is securely protected.
How to set up a Google Passkey
If you visit a website that supports passkeys, such as those listed below, you can create a new account and use a passkey to secure it instead of a password. During the setup process, the website will ask you to confirm your authenticator, which can be your smartphone, another mobile device, or a password manager that supports passkeys. However, you still need to use another form of verification to access your authenticator, such as a master password with a password manager or biometrics like your face or fingerprint. This not only makes the process more secure, but also eliminates the need to remember a password for your authenticator.
Enabling a Google passkey is a quick and easy process that can be done from your desktop computer, phone, or tablet. Additionally, the setup allows for authorization of multiple accounts, meaning you can access your account from any of your authorized devices. Below are the steps to set up your Google passkey:
- Open your web browser and go to the Google passkey page (g.co/passkeys.com).
- Enter your Gmail address and password if prompted.
- Click the blue “Use passkey” button on the screen that shows your automatically created passkey.
- Tap the blue “Continue” button if you want to create a passkey on your current device. Click the “Use another device” text if you want to set up a passkey on a different device.
- A device-specific sign-in screen will appear, asking you to authenticate using biometric data. If you use a PIN or password to log in to your device, you will be asked to enter it instead.
- Once the passkey created screen appears, click the blue “Done” button.
That’s it.
After successfully logging in with a passkey, the site or service will generate a new token to represent your login session. This token is similar to a cookie and is stored locally on your device. The token is then used to verify that you are still logged in and can continue to access the site or service without needing to enter your passkey again.
It’s worth noting that passkeys are not foolproof and are still susceptible to some of the same security risks as traditional passwords. For example, if someone gains access to your device, they could potentially use your stored passkeys to log in to your accounts. However, the risk is lower since passkeys are not human-readable and are stored locally on your device.
Overall, passkeys represent a significant step forward in online security and provide a convenient and secure alternative to traditional passwords. With more and more sites and services adopting passkey technology, it’s worth considering setting up passkeys for your own accounts to enhance your online security.
The problem with passwords
It’s interesting to note that the first digital password was actually developed in 1961 by a professor of computer science at MIT, Fernando Corbató. He needed a way for multiple users to work on the same computer, and thus the concept of passwords was born. Since then, passwords have become a critical part of our digital lives and we rely on them heavily.
Passwords can be made up of a combination of letters, numbers, and symbols to increase their complexity and security. However, as passwords become more intricate, people tend to have difficulty remembering them, leading to the risky behavior of reusing passwords or choosing simple, easy-to-guess passwords like “123456.”
Passkeys are a possession-based authentication method that leverages advanced cryptography, making them more secure than passwords. Unlike passwords, passkeys do not rely on human-readable shared secrets that are susceptible to attack and easy to bypass.
Passkeys are resistant to classic hacking techniques, such as phishing attempts, as there is no way to share them with third parties. On a fake web form, the passkey will not work, because it was never registered with that site and has nothing there to authenticate against. Furthermore, passkeys provide robust protection against brute force attacks, as they are incredibly complex and difficult to guess even with the latest hacking software.
This fundamental difference between the two authentication methods changes the paradigm of how people authenticate online by replacing the password with an unphishable primary factor for user authentication that is built into virtually every modern computing device today.
Passkeys offer a more secure authentication method without requiring users to remember anything, making them a promising solution to the security risks associated with passwords.
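As an added example (not code from Google or from the original article), the following Node.js model shows the key pair sign-in described under “What is a Passkey” and why a response captured earlier, or a look-alike site, does not produce a valid login. The class names, the accounts.example origin and the exact-hostname match are assumptions made for illustration; real passkeys follow the WebAuthn standard, which this simplifies.

```javascript
// Simplified model of passkey sign-in (illustration only, not a WebAuthn library).
const nodeCrypto = require('crypto');

// Device side: one key pair per site; the private key stays in this object.
class Authenticator {
  constructor() { this.keys = new Map(); } // site hostname -> private key
  register(hostname) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(hostname, privateKey);
    return publicKey; // only the public key is handed to the service
  }
  // `origin` models what the browser reports: the site actually being visited.
  sign(origin, challenge) {
    const privateKey = this.keys.get(new URL(origin).hostname);
    if (!privateKey) return null; // no passkey was ever created for this site
    const clientData = JSON.stringify({ origin, challenge });
    const signature = nodeCrypto.sign('sha256', Buffer.from(clientData), privateKey);
    return { clientData, signature };
  }
}

// Service side: stores only the public key and checks each signed response.
class Server {
  constructor(origin) { this.origin = origin; this.publicKey = null; this.pending = null; }
  newChallenge() {
    return (this.pending = nodeCrypto.randomBytes(32).toString('hex'));
  }
  verify(assertion) {
    const expected = this.pending;
    this.pending = null; // each challenge is accepted at most once
    if (!assertion || !expected) return false;
    const { origin, challenge } = JSON.parse(assertion.clientData);
    if (origin !== this.origin || challenge !== expected) return false;
    return nodeCrypto.verify('sha256', Buffer.from(assertion.clientData),
      this.publicKey, assertion.signature);
  }
}

function demo() {
  const device = new Authenticator();
  const site = new Server('https://accounts.example'); // constructed origin
  site.publicKey = device.register('accounts.example');
  const response = device.sign(site.origin, site.newChallenge());
  const genuine = site.verify(response);
  site.newChallenge();
  const replayed = site.verify(response); // old response against a fresh challenge
  const lookalike = device.sign('https://accounts-example.test', 'any-challenge');
  return { genuine, replayed, lookalike };
}
console.log(demo());
```

The genuine sign-in verifies, the replayed response is rejected because its challenge is stale, and the look-alike origin gets no signature at all because the device holds no key for it.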
So passkeys are an improvement on passwords?
Certainly. Several brands have implemented passkey support or developed their own versions. Apple, for instance, has its own passkey system for its ecosystem. Microsoft also accepts them. Moreover, various services and stores, including PayPal and Best Buy, have adopted passkeys.
It is noteworthy that passkeys are not restricted to specific ecosystems. In other words, you don’t need an iPhone to use a passkey on macOS. You can utilize your Android phone. Regardless of the combination of operating systems you use, you can still take advantage of the benefits of passkey protection.
Simplifying Online Security with Google Passkeys
Passkeys work within the Google ecosystem by generating a unique cryptographic key linked to your device, which is then used in combination with a personal identifier to unlock your account. Unlike passwords, passkeys do not rely on human-readable shared secrets, which are prone to attack and can be easily bypassed. Instead, passkeys leverage advanced cryptography and possession-based authentication to provide a secure and convenient way for users to authenticate their identity without having to remember complex passwords.
Passkeys are becoming increasingly popular as a more secure and convenient way to authenticate users. Google is one of the companies leading the way in passkey technology, with support for passkeys in Google Chrome on various platforms. The company has expanded its passkey program to include personal Google accounts, and Workspace users will have access to passkeys in the future.
The passkey process is opt-in, so users can still use passwords and 2SV if they prefer. Those with updated Android operating systems can authenticate their device with two-factor authentication and set up a passkey immediately, without even realizing they are using this new authentication method.
What if I don’t want Google to have a copy of my fingerprint?
Google assures users that their biometric data, such as face or fingerprint, and their PIN are stored locally on their device, which means that Google won’t have access to them. According to Google, the biometric data is never shared with Google or any third party, and the screen lock only unlocks the passkey locally. This ensures that unauthorized users will not be able to log in as you.