Man, the amount of fearmongering and anti-Google rhetoric in this thread makes me sad. Passkeys are almost entirely a good thing and are supported by many big and small companies.

No, it won’t lock you into Google, it’s an open web standard. Google will have an Authenticator, Apple will, and third parties will spring up to support it as well. And there’s no lock in, you can get a new passkey when you want to switch devices or providers.

No, someone who gets access to your device can’t get access to everything if you have basic security hygeine. Secure your passkeys with a secondary password or use biometric authentication.

Yes, it’s almost a straight upgrade to text passwords. They are immune to phishing attacks and other social engineering tricks, and you don’t need to remember long strings of numbers and letters anymore.

Do your research people, sheesh.

While I would agree this sounds more secure, I'm always worried about people getting further locked in to Google's products.

Hopefully this system won't take accounts "hostage" by requiring you use Chrome to log in to them, but it's Google, so...

EDIT: I'm wrong, passkeys are stored per-device and can be shared between devices using an open standard. Here's a video explaining the basics. It addresses my concern at around the 2:50 mark.

Nope. Not going to have my entire digital everything depend on me not losing or breaking a single electronic device.

It's definitely more secure, since stealing someone's phone is much more difficult to scale up compared to stealing passwords.

I have a long list of questions about PassKeys and none of this articles explains them well enough.

1. Does Android have it build in AOSP or Google Play Services?
2. Would it be possible to actually see your private key on Android? Like export them to a file?
3. Does they work without third party service? Can it be just me and the service I am logging in, or does it require my servers from PassKey provider (like Google, Bitwarden, 1Password) to work?
4. Can it be used offline? For example, can an offline device create token that second online device could use for login? (Like TOTP codes).
5. Does they work on other Internet services than the Web? In other words, does they work purely over HTTP and webviews or can they be in future used to login in for ex. SSH servers?

Someone else correct me if I’m wrong but it works similar to PGP.

Background info:

• Your device generates two keys, a private key and a public key
• The public key can be given to anyone and the private key stays with you
• The public key is used to encrypt data and the private key is used to decrypt it

Usage:

1. You sign up for a service with all the normal info minus a password and click submit
2. In the background, a private key is generated and stored in iCloud Keychain, Google Passwords, or a 3rd party password manager (so all your devices can access it). A public key is also generated and given to the service
3. Now you try and login. You enter your username and click login
4. In the background, the server encrypts a challenge, token, or some piece of data and sends it to your device
5. Your device decrypts that piece of data with the private key associated with the website
6. At this point, your device either sends the decrypted data back to the server in exchange for an access token or maybe you decrypted the access token (not sure exactly how that will work. If it’s the former, the data would still be encrypted via ssl so only you and the server would see it)
7. Now you are logged in

Closing:

So, it’s supposed to be more secure because every time you login, you never type in a password that gets transferred to the server for verification. The server is sending your device data to verify so that it can then verify you. This mainly prevents phishing and the reuse of passwords but I suppose if someone hacks into your iCloud account or whatever, they have the keys to the kingdom 🤷‍♂️

people have really unsecure pins.

Ok but what's unsecure with '1111' as long as I'm not telling the order of the digits to anybody?

Fuck google.

passkeys sounds good on paper and for most users on day to day stuff should improve their security. But the failure path is horrible and it happens at the worst case most of the time. If I have the keychain on the phone and lose it or is out of battery and usually happens that I need to access some service like email, then if the email provider starts forcing people to use passkeys or you only have that method on, then I'm locked out of the account and can't use email. This will happen for all other services that one may need to use on an emergency. Personally I don't like it.

Am not buying the idea. It sounds great on paper but in reality it doesn't feel better. So idea is you have private and public keys, like many other forms of encryption out there. Private is stored on your device, and public is stored on account holder, like Google. Since keys are mathematically linked anything signed with private key can be verified by public key and vice-versa.

This is great technology and has been proven for decades now. It essentially means your device and account holder can exchange data without anyone ever finding out your private key since it never leaves your device.

However, issues. Keys are backed up somewhere and still depend on password, be it pin or regular old password. Recovering lost key means using password still. That means attack vector has just shifted and they won't try to steal your key but social engineer their way into phishing your original password, making the whole thing a bit pointless.

Another things that worries me is the possibility each device will have its own key, although they claim transferable. Depending on what data is used to authenticate and prove device is owned properly this can be used to fingerprint users. For example IMEI or some other unique id, etc. Something that's not easily done with passwords.

Biggest one is the fact it will negate two factor authentication. Verifying code on your phone and knowing password is difficult to exploit since it requires a lot of effort... possession of the device and knowledge of password. But with passkeys, there's no password to remember and everything boils down to owning a device. They are then relying on the OS and device itself not to leak sensitive information. Not something I'd rely on.

Also, private key being backed up on Google means should they ever leak data someone can get everything they need to access your account. Private keys being protected by simple pin or password means nothing and would probably be easily broken due to simple nature of the protection.

Am not convinced this will see such high adoption as so many are claiming it will have.

This video about passkeys is fascinating. They are very secure even if your pin is 1234. The only way for someone to hack your account is if they have your device.

How long do you think this will last until they kill it?

This is the best summary I could come up with:

Google is taking a big step toward making passkeys the default login option for its users.

Starting today, users logging in to personal Google accounts will be prompted to create and use passkeys instead of passwords when possible.

They’re both easier to use and more secure than passwords, so users no longer need to rely on the names of pets, birthdays or the infamous “password123.” Instead, passkeys let users sign in to apps and sites the same way they unlock their devices: with a fingerprint, a face scan or a screen lock PIN.

And, unlike passwords, passkeys are resistant to online attacks like phishing, making them more secure than things like SMS one-time codes.

Google has been experimenting with passkeys across numerous products, including Chrome, over the past year.

Users who want to forgo passkeys can uncheck the "skip password when possible" option in their accounts.

The original article contains 289 words, the summary contains 146 words. Saved 49%. I'm a bot and I'm open source!