Windows

Google's passkey move: end of passwords?

Google seeks to make our future more hassle-free by removing the need for passwords and replacing them with passkeys. Let's see what is it all about.
J
  • Jim Richards,
  • last month
  • Editor Informer Technologies, Inc.

Google's passkey move: end of passwords? Google's passkey move: end of passwords?

On May 3, 2023 Google published a post titled “The beginning of the end of the password” to its blog. This was the announcement of passkeys becoming the real thing, a feature that the company began to roll out back then, claiming to be making “a major step toward a passwordless future.” Fast forward to October 10, 2023, when Google published another post on the subject, “Passwordless by default: Make the switch to passkeys.” As the title implies, it is both an announcement and an encouragement. The passkeys are here, they are the default authentication vehicle now, so a switch to them is prudent. Or, is it? Let’s dig a bit deeper into the matter and see what’s what.

What are passkeys?

Google Passkey promising paswordless future. Image from GoogleGoogle Passkey promising paswordless future. Image from Google

Try googling this question, and one of the first results suggested by the search engine will be a Wikipedia page. There, things are made less simple than they are. From a user’s perspective, a passkey is a digital code (credential) that simplifies access to a growing range of services, with Google, Apple, and Microsoft spearheading the initiative.

“Simplifies” here means that you don’t have to remember the combination of symbols that lets you into a restricted digital space, like your Google account. Instead, you unlock the device, using a PIN, or your fingerprint, or your face scan, and that’s it, you’re in. You might argue that password management software takes all the fuss out of the flow, but that’s beside the point here. Plus, passkeys do have some other advantages beyond streamlining the processes.

Advantages of passkeys

As mentioned above, using a passkey requires an unlocking routine, i.e., the device you plan to log in to your, say, Google account on, should have a fingerprint/face scanner or be lockable and request a PIN code.

This approach, as explained by all those supporting the initiative, virtually eliminates the risk of phishing and data leaks: the concept implies that only you can unlock the device that lets you in somewhere valuable, and what you use for the purpose simply cannot be shared nor stolen. For now, at least.

Vulnerabilities of passkeys

If you’ve already tried using passkeys on your phone, for example, you may have noticed that if a fingerprint or face scan fails, the device asks for the unlocking code/pattern. This is, regardless of what the experts are saying about passkeys being utterly secure, a vulnerability: an evildoer may not have your physical credentials, but obtaining that code/pattern is more realistic than you think.

Another concern about passkeys that can be found online is that of cookies. When logging in through a browser with a passkey, you create a cookie, which can be stolen. Yes, it’s a whole operation, but it is doable, one way or another.

Is our future passwordless?

Biometrics as primary means of unlocking. Image by storyset from FreepikBiometrics as primary means of unlocking. Image by storyset from Freepik

The two potential weaknesses described above are, of course, relevant for some extreme cases, when someone really wants access with your passkey. Otherwise, the feature – it feels like a feature on the surface, but there is a whole infrastructure underneath, – does make things more simple.

In the dedicated “Ask the Expert” piece Google published to its blog on October 10, 2023, there is a Q&A fragment of interest:

Q: “You talk about a “passwordless future” — will passkeys really replace passwords?”

A: “Yes, passkeys will replace passwords. It’s even broader than that. I’d say our vision for passkeys is to not only get rid of passwords, but also eliminate all the Band-Aids the industry has designed to make up for the fact that passwords are so vulnerable.”

That, give or take, means that passwords WILL fall into oblivion. As for the natural privacy concerns associated with biometrics playing a crucial role in the passkey play, the expert in that piece claims that devices – phones, basically, – were never designed to send such data anywhere, and everything is as local as it can be. We’ll see how that works out.

Author's other posts

Apple adopts Rich Communication Services
Article
Apple adopts Rich Communication Services
Apple finally plans to adopt RCS, or Rich Communication Services, the next-get carrier-supported messaging system.
Lightweight Windows build gets Copilot
Article
Lightweight Windows build gets Copilot
NTDEV, maker of Windows 11 Tiny, a stripped-down version of Microsoft's OS, catches up and releases the next update that incorporates Copilot, an AI assistant.
Bing will summarize pages using GPT4
Article
Bing will summarize pages using GPT4
Microsoft wants to improve its Bing search engine with AI-generated page captions, seeking to enhance user experience
Apple patents 'privacy screens' for iPhones and Macs
Article
Apple patents 'privacy screens' for iPhones and Macs
Apple seeks to enhance physical protection of iPhone and Mac users by limiting screen visibility.