Passkey support has been included in Google Chrome Stable M108 to replace passwords, the search engine giant announced in a blog. Back in October 2022, testing with passkeys started in Google Canary for Windows 11, macOS, and Android. That has now culminated in Google’s decision to roll the technology out to the public. All these efforts are part of mainstreaming passwordless authentication as the next frontier in device security.
Google announced its plans to go passwordless in May 2022 in a blog titled One Step Closer to a Passwordless Future. For years, Google, Apple, Microsoft, FIDO Alliance, and W3C have all been working together to develop authentication standards.
From Passwords to Passkeys
Although they welcomed the development, cybersecurity experts also expressed their disappointment over the late release of such an invaluable technology. Given the damage password vulnerabilities cause, including compromising password managers, passkeys should have come a lot sooner.
The Chromium blog acknowledged password vulnerabilities as the motivator behind Google’s other security technologies. These include two-step verification and Google Password Manager. Now, the blog asserted, is the time for passkeys, as they’re the next step in the evolution of impenetrable device security and privacy.
Theoretically, passkeys will eliminate a lot of the vulnerabilities that passwords have. For example, it’s practically impossible to leak passkeys as they exist only on one physical device—instead of existing on servers. Unlike passwords, users can’t use the same passkey for other logins. Passkeys aren’t exchangeable online. They’re tied to specific devices, and users can auto-fill them into forms. In short, passkeys are exponentially more secure than previous methods of credential management.
In contrast, passwords are easily forgotten and compromised. According to HYPR, in 2022, 64% of companies that experienced a phishing attack didn’t change their approach towards passwords. Besides their susceptibility to breaches, passwords are complex and difficult to memorize. With so many applications and websites, it’s impossible to keep track of all the passwords to each. And, as is the case in such situations, employees will just write them down next to their computers, where anyone can take a peek. However, with passkeys, no one has to remember anything.
A Closer Look at Passkeys—More Support Needed
Currently, the biggest issue is that developers need to enable passkey support on their websites and software products. This is likely to take time to implement on a large scale. In the meantime, passwords will remain in use during the transition.
Experts advising on adding passkey support suggest using the WebAuthn API. This technology creates a cryptographic key pair for each visit to a site. The private key never leaves the user’s device, while the website uses only the public key. When signing in to a website or application, only an encrypted code is shared with the site or app. In this way, everything remains tightly secured.
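The split between the device's private key and the website's public key can be seen in a small simulation. This is an added example, not code from Google or the Chromium blog: it uses Node's `crypto` module with a simplified form of the WebAuthn sign-in message, and the function names and the domains `example.com` and `example-login.test` are constructed for illustration.

```javascript
// Added example: simplified WebAuthn-style sign-in, simulated with Node's crypto module.
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// "Device" side: the private key lives only inside this closure and is never returned.
function createAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey, // the only key material the website ever receives
    sign(rpId, origin, challenge) {
      // The browser records the origin it is actually on; the page cannot override it.
      const clientDataJSON = Buffer.from(JSON.stringify({
        type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
      // authenticatorData = SHA-256(rpId) || flags (0x05: user present and verified) || counter
      const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
      const signature = crypto.sign('sha256',
        Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
      return { clientDataJSON, authenticatorData, signature };
    },
  };
}

// Website side: checks a sign-in response using only the stored public key.
function verifyAssertion(expected, assertion) {
  const client = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== expected.origin) return 'origin mismatch';
  const authData = assertion.authenticatorData;
  if (!authData.subarray(0, 32).equals(sha256(expected.rpId))) return 'rpId mismatch';
  if ((authData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([authData, sha256(assertion.clientDataJSON)]);
  return crypto.verify('sha256', signed, expected.publicKey, assertion.signature)
    ? 'ok' : 'bad signature';
}

// Constructed scenario: example.com is the real site, example-login.test a look-alike.
function demo() {
  const device = createAuthenticator();
  const site = { rpId: 'example.com', origin: 'https://example.com', publicKey: device.publicKey };
  const challenge = crypto.randomBytes(32);
  const genuine = device.sign(site.rpId, site.origin, challenge);
  const lookalike = device.sign('example-login.test', 'https://example-login.test', challenge);
  return {
    genuine: verifyAssertion({ ...site, challenge }, genuine),
    lookalike: verifyAssertion({ ...site, challenge }, lookalike),
    replayed: verifyAssertion({ ...site, challenge: crypto.randomBytes(32) }, genuine),
  };
}
console.log(demo());
```

A production relying party would use a maintained WebAuthn library, which also handles registration, CBOR parsing and signature counters.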
The private key is sent in an encrypted format when backing up keys. On Android, Google Password Manager (or other third-party password managers) manages keys to prevent lockouts. On iOS and macOS, users can sync their passkeys via iCloud Keychain. Microsoft, however, plans to add passkey support in 2023.
Others have pointed out that passkeys would leave Google with access to private information. Although mega corporations using private information for their own profits wouldn’t be something out of the blue, the allegation doesn’t hold up in this instance. The private key encryption these passkeys use will also keep Google from accessing any private information on a user’s device.
What’s Behind the Push for Upgrading User Authentication?
Google isn’t the only entity stepping up authentication and password management. In the US, the TSA plans to take facial recognition technology nationwide—a measure that would take user identification to a different level. Recently, Apple announced end-to-end encryption (E2EE) for 14 data categories, including passwords. Apple’s Advanced Data Protection protects users’ sensitive iCloud data even during a breach. Catching inspiration, Twitter is also set to introduce E2EE for messaging.
Password management is a concerning issue in commercial organizations as well. In general, user identification technologies, of which passkeys will be a major part, will get more and more attention. This will especially be the case due to the rising number of data breaches, phishing scams, and online attacks that affect various industries.
Business owners can learn from all this discussion about user authentication protocols. A simple measure like providing an employee with a physical device for logging in to company applications can reduce the cybersecurity budget and limit authentication-related breaches. A cybercriminal might still phish employees, but accessing information would be a lot tougher without access to the physical device that holds it.
However, these measures don’t remove the need for network security protocols. For instance, a disgruntled employee could wilfully take the company device off-premises. Besides, you don’t want to rely on one type of security measure alone. Cybercriminals use multiple ways to penetrate networks and next-generation firewalls. So, companies need multiple layers of protection to defend themselves. In countering their use of multifaceted attack vectors, it’s important for companies to have threat detection tools and web application filtering on hand.
The End of the Username-Password Model?
We could be in the midst of a transition from the username-password model. Google, Apple, Microsoft, FIDO Alliance, and W3C are calling for a new, enhanced authentication mechanism.
Awareness campaigns regarding phishing and social engineering scams have fallen flat, and network compromises continue unabated. The username-password model no longer serves its purpose. In a moment like this, passkeys offer an excellent solution to ever-worsening user privacy and device security problems.