Say goodbye to passwords (eventually) and hello to Passkeys. But hang on… what’s a Passkey?
How Do I? covers the basics, because we’ve all got to start somewhere.
Google has announced that Google Account holders can now opt in to sign in with a passkey instead of a password.
So instead of having to remember a password, you’ll be able to use a simpler and more secure passkey to log into your Google account for Gmail, Google Photos or any other of Google’s many, many apps and services.
Which sounds neat in a technical jargon kind of way, but I know what you’re thinking.
You’re wondering whether you should have another cup of coffee.
The answer there is yes, and once your brain fog has lifted, you’re also wondering what a passkey is.
What is a Passkey?
Passkeys are an industry standard, not just Google going it alone: they are built on the FIDO Alliance and W3C WebAuthn specifications, which Apple and Microsoft also support. A passkey authenticates you to an account or service with a cryptographic key pair rather than (and is very much intended to replace) the old-fashioned password you’re used to using.
What’s wrong with passwords?
They’re not terribly secure, mostly because human beings have human brains.
Human brains are lazy lumps of meat, and we all too often tend to fall into lazy patterns, like using simple passwords, or re-using passwords, or falling victim to phishing traps where we enter our complex passwords into fake websites, and…
You get the idea. It’s not that everyone’s an idiot, but the problems with passwords as a simple security measure run pretty deep.
I thought two-factor authentication was meant to solve this?
Sort of. Two-factor authentication (2FA, or MFA if you’re talking multi-factor authentication, because you can layer more than two) combines a password with another factor, often a code sent by SMS, but sometimes an authenticator app or a hardware security key, to prove it’s really you behind a login request.
2FA is more secure than a simple password on the face of it, but there are some issues that make it difficult to enforce for end-users, and in some cases not all that secure.
Often you’ll see 2FA done over SMS, sending you a one-time code. The issue here is that if your phone number is hijacked (a so-called SIM swap), your SMS security goes down the drain with it; you might think you’re secure but you’re not if the very codes that are meant to protect you are instead going to the people who want to do serious harm to your bank account or identity. And a one-time code can still be phished: a fake login page can simply ask you for it and pass it straight on to the real site while it’s still valid.
The other issue there is friction. 2FA relies on that second factor actually reaching you, and many people don’t want the hassle, or find themselves locked out when (for example) travelling internationally if SMS isn’t working on their phone, or they left their hardware key on their desk at work.
So how does a Passkey solve for this?
Passkeys work (and this is a bit of a simplification, but it’ll do, I think) as a challenge-and-response login built on a cryptographic key pair.
One half, the private key, is stored on your device (your phone, laptop or tablet) and never leaves it; the other half, the public key, is stored by the service you’re signing into, in this case Google, though again this is a standard, so it’s already in (for example) Apple’s iOS platform as well.
When you sign into Google, it sends a fresh random challenge to your enrolled device. Your device signs that challenge with the private key, and Google checks the signature against the public key it already holds. Because the passkey is tied to the real site’s address, a lookalike phishing site can’t get a valid signature out of it.
Think of it like those tacky partner love-heart keychains that some people buy. Unless both parts of the heart match, you’ll get no love — or at least, no access to the account.
Isn’t that just as complex and insecure?
It shouldn’t be. The idea here is that you’ll do the following to log into a passkey-enabled account:
- Head to the site, service or app that uses Passkeys
- Validate using your phone and some identifying factor, which could be biometric, like a fingerprint or Face ID, or a PIN; it’s the unlock you’ve already set up on that enrolled device.
- The device authenticates with the app, site or service automatically as a result.
- You’re in.
If you’ve ever used contactless payment on your phone with a fingerprint or FaceID, it should be that smooth — and that secure.
Which is not to say that Passkeys are bulletproof. A lost or stolen device with a weak unlock method would still be a way into an account, for example, because whoever can unlock the device can use the passkeys stored on it.
So maybe it’d be a bad idea to set your phone’s unlock PIN to “12345”. Just an idea.
I want in! How do I get a passkey for my Google Account?
Google has a setup form at g.co/passkeys that you can use to sign up. And if you don’t trust me or think that link might have been compromised, feel free to search it up yourself and link through that way.
Does this mean I HAVE to sign up for a passkey to use Google?
No — or at least, not yet.
Google’s announcement blog notes that you can still use traditional passwords and 2FA for the time being. It does note that passkeys are where it sees account security going in the future, however.
Fun final fact: Today, May the 4th, is World Password Day. Google is US-based, though, so relative to Google time it announced this a day early.
Also a significant day for Star Wars fans. I wonder if R2-D2 hacked the Death Star by bypassing a passkey?