Google Pushes ‘Passkeys’ Plan — but it’s Too Soon for Mass Rollout
“Killing passwords” is a worthy goal—but is coercion the best way?
Here at Blogwatch Towers, we love 2-factor authentication. And the FIDO2/WebAuthn Passkeys standard is the state of the art. But this latest news from Google sounds worrying. I’m conflicted: On the one hand, it promises phreedom from phishing; but on the other hand …
Is it too soon to force people to use Passkeys? In today’s SB Blogwatch, we live on the bleeding edge.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: 1rpm.
FIDO FAIL
What’s the craic? Sergiu Gatlan reports—“Google makes passkeys the default sign-in”:
“Microsoft, Apple and Google”
Google announced today that passkeys are now the default sign-in option across all personal Google Accounts across its services and platforms. After setting up a passkey linked to their device, users can sign into their Google accounts without entering a password.
…
Using passkeys significantly reduces the risk of data breaches … and protects against phishing attacks. … Passkeys are tied to specific devices, such as computers, tablets, and smartphones.
…
They work locally, offer a more secure and convenient alternative to traditional passwords, and enable the use of biometric sensors like fingerprint scanners and facial recognition, along with PINs, hardware security keys, or screen lock patterns. … Microsoft, Apple, and Google revealed their commitment to endorsing passkeys … in May 2022.
Seems a bit quick? Lily Hay Newman rushes in—“Push to Kill the Password”:
“Manages cryptographic keys”
Less than six months ago, Google announced that it was launching support for the password replacement known as “passkeys” for all personal accounts across its billions of users. Today, the company said it is going a step further.
…
Passwords have inherent security problems because they can be guessed and stolen. And since it’s so difficult to keep track of dozens or hundreds of passwords, users often reuse the same passwords on multiple accounts. … Passkeys are specifically designed to address these issues … by instead relying on a scheme that manages cryptographic keys stored on your devices.
…
There’s so much inertia on passwords around the world that even a player as big and influential as Google can’t force the issue overnight. But the company is clearly using its influence to steer users with gentle pressure that seems likely to continue mounting as passkeys gain broader momentum.
Wait. Pause. How is this news? Abner Li fills in the missing piece—“Google Accounts will prompt users at login”:
“Skip password when possible”
Previously, the setup process involved manually going to g.co/passkeys. Google will soon start showing prompts to create passkeys the “next time you sign in to your Google Account.” You have to create a Google Account passkey for each phone, tablet, laptop, and desktop, while passkeys obviate the need for Google’s 2-Step Verification.
…
Users can still just use their password over passkeys by turning off the “Skip password when possible” option. If a device is lost, you can revoke Google Account passkeys in settings.
Remind me how this is better than regular 2FA? u/kschang sums it up:
Passkeys are “better” in the sense that they utilize your personal devices’ security, and presumably you’d want those to work correctly first (fingerprint, face, PIN, etc.) … then use that to base your login to Google on. This is safer than simply giving control to an SMS recipient.
Got it? Flavianoep doesn’t get it, still:
I still don’t get it. What’s the difference between a … PIN and a password?
Quite a lot, presumably. sakjur explainifies thuswise:
The PIN wouldn’t be transmitted to the server but rather unlock a vault containing cryptographic keys on your device that then sign an intent to log in. So it’s passwordless for the website operator, and for the user the password is no longer enough to log in to a website, since you also need access to the vault.
Clear as mud. u/speel has another go:
What a passkey is: It’s an exchange between your device and the service you use. Your computer creates a random string of text and numbers called a private key; it then takes that key and computes another string, called the public key, which the website keeps. Through math, you’re then authenticated.
Ah, math. Sounds too hard. Shakrai has no time for that attitude:
I do cyber-security and compliance for a living. Want me to list all the incidents I’ve responded to with five and six digit financial losses that would have been prevented by the simple action of having MFA?
My favorite: The law firm that declined my company’s free MFA implementation, because—and I quote verbatim—“Our people are too smart to get phished.” Yeah, they got phished—and they lost $250,000 and several clients. … But hey, if you’d rather learn the lesson the hard way, Godspeed.
Meanwhile, u/Sweaty_Astronomer_47 doesn’t fancy being on the bleeding edge:
It seems with Passkeys things are evolving. I’m mostly taking a wait and see approach to see how it settles. I doubt any major players will allow anything unsafe, but we can’t assume they’ll all handle it the same way.
And Finally:
Hat tip: Tom Scott
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: George Hodan (cc:0; leveled and cropped)