Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Google is Rolling out Passkeys to Make Passwords a Relic of the Past

Google is Rolling out Passkeys to Make Passwords a Relic of the Past

This item in japanese

Google has begun rolling out support for passkeys across Google Accounts on all major platforms. Passkeys will be available as an additional authentication option alongside pre-existing mechanisms, including passwords, 2-step verification, and so on.

According to Google, passkeys provide an easier and more secure way for an user to get authenticated.

Passkeys let users sign in to apps and sites the same way they unlock their devices: with a fingerprint, a face scan or a screen lock PIN. And, unlike passwords, passkeys are resistant to online attacks like phishing, making them more secure than things like SMS one-time codes.

Passwords are notoriously hard to manage for users, who need to create and remember a multitude of strong passwords, distinct for each service they use. In fact, as strong as they may be, passwords do not protect users from the possibilities of phishing and are ever more frequently used along with an additional mechanism, two-factor authentication (2FA), which has its own drawbacks.

Under the hood, passkeys are cryptographic private keys that are stored on users' devices, while the corresponding public keys are uploaded to Google. When a user attempts to sign in to Google using a passkey, Google will ask their device to sign a challenge using the private key.

The signature proves to us that the device is yours since it has the private key, that you were there to unlock it, and that you are actually trying to sign in to Google and not some intermediary phishing site.

The challenge can only be signed if the user unlocks their device, a step which can leverage advanced biometric hardware available on many devices, including fingerprint and face recognition. Alternatively, a more traditional PIN can be used. According to Google, any biometric data is not shared outside of the signing device, which only sends out the public key and the signature.

Google has also defined a mechanism to use your phone to sign in on another device, which is crucial when you need to access your account from a shared device. In this case, the device will first check that the phone is nearby using Bluetooth, then it will show a QR code that the phone scans and uses to generate a one-time passkey signature, if the user authorizes it. The new device does not receive either the passkey nor any biometric information.

A passkey resides on an individual device and each device will need to get its own passkey, which can become cumbersome. To circumvent this, passkeys can be shared across all of your devices. Google does not provide a universal mechanism for this, but users can rely on iCloud Keychain for Apple devices and on Google Password manager for Android and Chrome devices for a seamless experience. Unfortunately, this does not enable sharing a passkey across, say, iPhone and Android devices, unless a third-party SSH key manager is used. Notably, Microsoft does not provide yet an official solution to share secrets across Windows devices.

To create a passkey for your Google account, you need to use a dedicated domain for the time being.

Google has been working with Apple and Microsoft for the last year to define standard approaches, including FIDO and W3C WebAuthn for passwordless authentication that can be adopted industry-wide.

About the Author

Rate this Article