Google is rolling out a new security mechanism that will allow users to employ passkeys for account sign-in on their various devices, eliminating the need for passwords and raising the bar significantly for attackers attempting account takeovers.
The change goes into effect today and becomes a much more secure option for account holders, even those who already use a hardware security key as part of the login process. Existing login methods are still available, but passkeys now become the option with the highest level of security and attack resistance.
Passkeys are credentials built on the WebAuthn standard that are stored locally on each device and are tied to that device's biometric authentication method, such as Face ID or a fingerprint reader. The passkey itself comprises a private cryptographic key that the device generates when the user creates a new passkey. The device then creates a corresponding public key that it sends to Google. Each time the user signs in to Google from that device, Google sends the device a specific, unique challenge and requires it to sign that challenge with the locally stored private key. This can only happen if the user has unlocked the device. Once that’s done, Google verifies the signed challenge with the public key it holds.
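The registration and challenge-response flow described above, as an added example written for this article rather than code from Google or the WebAuthn specification; it assumes a P-256 key pair, a 32-byte challenge, and a hypothetical origin string hashed together with the challenge to stand in for WebAuthn's clientData binding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// Authenticator models the user's device.
type Authenticator struct {
	priv     *ecdsa.PrivateKey // generated on the device when the passkey is created; never leaves it
	Unlocked bool              // the device refuses to sign until the user has unlocked it
}
// NewPasskey creates the key pair on the device; only the public half is sent to the relying party.
func NewPasskey() (*Authenticator, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &priv.PublicKey, nil
}
// SignChallenge signs SHA-256(origin || challenge); binding the origin the browser actually saw is why a signature produced for a look-alike site never verifies at the real one.
func (a *Authenticator) SignChallenge(origin string, challenge []byte) ([]byte, error) {
	if !a.Unlocked {
		return nil, errors.New("device locked: user verification required")
	}
	digest := sha256.Sum256(append([]byte(origin), challenge...)) // fixed 32-byte challenge keeps the join unambiguous
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}
// RelyingParty is Google's side: the registered public key and one pending challenge per sign-in.
type RelyingParty struct {
	Origin  string
	Pub     *ecdsa.PublicKey
	pending []byte
}
func (rp *RelyingParty) Challenge() []byte {
	rp.pending = make([]byte, 32) // fresh random nonce that can be answered exactly once
	rand.Read(rp.pending)
	return rp.pending
}
// Verify checks the signature against the stored key, its own origin and the pending challenge.
func (rp *RelyingParty) Verify(sig []byte) bool {
	c := rp.pending
	rp.pending = nil // consumed either way, so a captured assertion cannot be replayed
	if c == nil || rp.Pub == nil {
		return false
	}
	digest := sha256.Sum256(append([]byte(rp.Origin), c...))
	return ecdsa.VerifyASN1(rp.Pub, digest[:], sig)
}
```

Real WebAuthn assertions sign authenticatorData followed by a hash of clientDataJSON, which carries the origin and challenge; the single hash here is a simplification of that binding.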
Passkeys have a few key advantages over traditional authentication methods, mainly the fact that each passkey is generated by the device itself and cannot be learned or phished. Passkeys can be shared between devices under some circumstances, but that’s in the control of the user. Users also can sync passkeys through apps such as password managers.
“Unlike passwords, passkeys can only exist on your devices. They cannot be written down or accidentally given to a bad actor. When you use a passkey to sign in to your Google Account it proves to Google that you have access to your device and are able to unlock it. Together, this means that passkeys protect you against phishing and any accidental mishandling that passwords are prone to, such as being reused or exposed in a data breach,” Arnar Birgisson and Diana K Smetters of the Identity Ecosystems and Google Account Security and Safety teams said.
“This is stronger protection than most 2SV methods offer today, which is why we allow you to skip not only the password but also 2SV when you use a passkey.”
Working groups at the W3C have been developing the underlying protocols and standards for passkeys, including WebAuthn, for many years, with the goal of obviating the need for passwords and other forms of authentication. Many other entities have skin in the game as well, including identity providers and credential managers, and the move away from passwords has been gathering steam for some time. Apple included support for passkeys in iOS 16 last September, Microsoft has announced support for them as well, and other large platform providers likely will roll out support in the coming months.
For enterprises, passkey support across the major platform ecosystems could mean a significant reduction in the headaches connected to password resets and provide much stronger protection against phishing. Even in organizations with mature security programs and security-savvy users, highly targeted phishing campaigns can prove quite effective, and such attacks have been the initial access point for some of the more damaging attacks in recent memory.