Google's passkey move: end of passwords?

On May 3, 2023, Google published a post titled “The beginning of the end of the password” to its blog. This was the announcement of passkeys becoming the real thing, a feature that the company began to roll out back then, claiming to be making “a major step toward a passwordless future.” Fast forward to October 10, 2023, when Google published another post on the subject, “Passwordless by default: Make the switch to passkeys.” As the title implies, it is both an announcement and an encouragement. Passkeys are here, they are the default authentication vehicle now, so a switch to them is prudent. Or is it? Let’s dig a bit deeper into the matter and see what’s what.

What are passkeys?

Google Passkey promising passwordless future. Image from Google

Try googling this question, and one of the first results suggested by the search engine will be a Wikipedia page. There, things are made to look more complicated than they are. From a user’s perspective, a passkey is a digital code (credential) that simplifies access to a growing range of services, with Google, Apple, and Microsoft spearheading the initiative.

“Simplifies” here means that you don’t have to remember the combination of symbols that lets you into a restricted digital space, like your Google account. Instead, you unlock the device, using a PIN, or your fingerprint, or your face scan, and that’s it, you’re in. You might argue that password management software takes all the fuss out of the flow, but that’s beside the point here. Plus, passkeys do have some other advantages beyond streamlining the processes.

Advantages of passkeys

As mentioned above, using a passkey requires an unlocking routine, i.e., the device on which you plan to log in to, say, your Google account should have a fingerprint/face scanner or be lockable and request a PIN code.

This approach, as explained by all those supporting the initiative, virtually eliminates the risk of phishing and data leaks: the concept implies that only you can unlock the device that lets you in somewhere valuable, and what you use for the purpose simply cannot be shared or stolen. For now, at least.
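The phishing resistance and the unlocking routine described above both show up in what a site checks when a passkey is used under the WebAuthn standard that passkeys are built on. The following is an added example, not code from Google or from the original article: it checks the origin the browser recorded, the site identifier (RP ID) hash and the "user verified" flag in a login response. `RP_ID`, `EXPECTED_ORIGIN`, `check_assertion` and `sample` are hypothetical names and values, and the sample data is constructed.

```python
import hashlib
import json

# Assumed relying-party settings for this sketch (hypothetical values).
RP_ID = "accounts.example.com"
EXPECTED_ORIGIN = "https://accounts.example.com"

FLAG_UP = 0x01  # user present (touched / confirmed)
FLAG_UV = 0x04  # user verified (PIN, fingerprint or face unlock succeeded)


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: str) -> list[str]:
    """Return the reasons to reject a WebAuthn assertion (empty list = pass).

    Covers only the origin, challenge, RP ID and flag checks; the signature
    over authenticator_data + SHA-256(client_data_json) must also be verified
    with the stored public key and is left out here.
    """
    problems = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        problems.append("wrong ceremony type")
    if client.get("challenge") != expected_challenge:
        problems.append("challenge mismatch (replay or stale login)")
    # The browser, not the page, writes the origin: a look-alike site
    # cannot make it say anything but its own address.
    if client.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin mismatch (possible phishing page)")
    if len(authenticator_data) < 37:
        return problems + ["authenticator data too short"]
    # Bytes 0..31: SHA-256 of the RP ID the credential was used for.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("RP ID hash mismatch")
    flags = authenticator_data[32]
    if not flags & FLAG_UP:
        problems.append("user not present")
    if not flags & FLAG_UV:
        problems.append("device unlock (user verification) not performed")
    return problems


def sample(origin: str, rp_id: str, flags: int, challenge: str = "c29tZS1ub25jZQ"):
    """Build a constructed (not captured) assertion for the checks above."""
    client = json.dumps({"type": "webauthn.get", "challenge": challenge,
                         "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (7).to_bytes(4, "big")
    return client, auth
```

A response produced on a look-alike address fails the origin and RP ID checks even if the user was fooled, and a response produced without the device unlock fails the flag check.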

Vulnerabilities of passkeys

If you’ve already tried using passkeys on your phone, for example, you may have noticed that if a fingerprint or face scan fails, the device asks for the unlocking code/pattern. This is, regardless of what the experts are saying about passkeys being utterly secure, a vulnerability: an evildoer may not have your physical credentials, but obtaining that code/pattern is more realistic than you think.

Another concern about passkeys that can be found online is that of cookies. When logging in through a browser with a passkey, you create a cookie, which can be stolen. Yes, it’s a whole operation, but it is doable, one way or another.

Is our future passwordless?

Biometrics as primary means of unlocking. Image by storyset from Freepik

The two potential weaknesses described above are, of course, relevant for some extreme cases, when someone really wants access with your passkey. Otherwise, the feature (it feels like a feature on the surface, but there is a whole infrastructure underneath) does make things simpler.

In the dedicated “Ask the Expert” piece Google published to its blog on October 10, 2023, there is a Q&A fragment of interest:

Q: “You talk about a “passwordless future” — will passkeys really replace passwords?”

A: “Yes, passkeys will replace passwords. It’s even broader than that. I’d say our vision for passkeys is to not only get rid of passwords, but also eliminate all the Band-Aids the industry has designed to make up for the fact that passwords are so vulnerable.”

That, give or take, means that passwords WILL fall into oblivion. As for the natural privacy concerns associated with biometrics playing a crucial role in the passkey play, the expert in that piece claims that devices (phones, basically) were never designed to send such data anywhere, and everything is as local as it can be. We’ll see how that works out.
