• by  Yash Rana
• Technology

Google Introduces Passkeys, but They're Not New!

Introduction: 

The internet is abuzz with Google's introduction of Passkeys for passwordless login. However, Google isn't the pioneer in this innovative technology. In this blog, we'll explore the concept of Passkeys, their advantages, and how they're transforming online authentication.

Passkeys: Simpler, Safer Login Solution

Passkeys are a password replacement that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords, passkeys are resistant to phishing, are always strong, and are designed so that there are no shared secrets.

They simplify account registration for apps and websites, are easy to use, work across all of a user’s devices, and even other devices within physical proximity.

From a technical standpoint, passkeys are “discoverable” FIDO credentials for passwordless authentication. The cryptographic keys are used from end-user devices (computers, phones, or security keys) that are used for secure user authentication.

Passkeys that are managed by phone or computer operating systems are automatically synced between the user’s devices via a cloud service. The cloud service also stores an encrypted copy of the FIDO credential. Passkeys can also by design be available only from a single device from which they cannot be copied. Such passkeys are sometimes referred to as “single-device passkeys”. For example, a physical security key could contain multiple single-device passkeys.

Advantages of Passkeys Over Traditional Passwords

Simplified account registration: Passkeys streamline the registration process for apps and websites, making it hassle-free for users.

Cross-device functionality: Passkeys work across all user devices and can even be used on other devices within physical proximity.

Resistance to phishing: Unlike passwords, Passkeys are less vulnerable to phishing attacks, providing an added layer of security.

Passkeys vs. Password + Second Factor

For years, passwords have been subject to phishing attacks and credential stuffing attacks, due to the prevalence of password reuse and database breaches.

Because the primary factor — the password — is fundamentally broken in multiple ways, the industry has seen widespread adoption of layering on an additional second factor. But unfortunately, the most popular forms of second factors — such as one time passwords (OTPs) and phone approvals — are both inconvenient and insecure. They can be phished, and they are being phished at scale today.

Since passkeys are FIDO credentials, we now have a primary factor that — standing alone — is more secure than the combination of either “password + OTP” or “password + phone approval”.

Using Passkeys: Seamless User Experience

When signing into an app or website, users can authenticate using their biometric data or PIN instead of a username and password. This offers a seamless experience while ensuring that biometric information remains secure on the device.

Is the user’s biometric information safe?

Yes. There is no change to the local biometric processing that the user devices (mobile phones, computers, security keys) do today. Biometric information and processing continues to stay on the device and is never sent to any remote server — the server only sees an assurance that the biometric check was successful.

Google Passkeys vs. FIDO Passkeys

Google Passkeys is a specific implementation for Google services, while FIDO Passkeys refer to the broader concept of passwordless authentication using FIDO standards. Companies like Apple and Microsoft also offer Passkeys compatible with FIDO2.

In conclusion, Passkeys provide a secure and convenient alternative to traditional passwords. As more companies adopt this technology, users can enjoy a safer, more seamless online experience.

Previous Next