Google's passkey move: end of passwords?

On May 3, 2023, Google published a post titled “The beginning of the end of the password” on its blog. It announced that passkeys were becoming the real thing, a feature the company began rolling out at that point, claiming to be making “a major step toward a passwordless future.” Fast forward to October 10, 2023, when Google published another post on the subject, “Passwordless by default: Make the switch to passkeys.” As the title implies, it is both an announcement and an encouragement: passkeys are here, they are now the default authentication vehicle, so switching to them is prudent. Or is it? Let’s dig a bit deeper into the matter and see what’s what.

What are passkeys?

Google Passkey promising passwordless future. Image from Google

Try googling this question, and one of the first results suggested by the search engine will be a Wikipedia page. There, things are made to look more complicated than they are. From a user’s perspective, a passkey is a digital code (credential) that simplifies access to a growing range of services, with Google, Apple, and Microsoft spearheading the initiative.

“Simplifies” here means that you don’t have to remember the combination of symbols that lets you into a restricted digital space, like your Google account. Instead, you unlock the device, using a PIN, or your fingerprint, or your face scan, and that’s it, you’re in. You might argue that password management software takes all the fuss out of the flow, but that’s beside the point here. Plus, passkeys do have some other advantages beyond streamlining the processes.

Advantages of passkeys

As mentioned above, using a passkey requires an unlocking routine: the device on which you plan to log in to, say, your Google account should have a fingerprint or face scanner, or be lockable and request a PIN code.

This approach, as explained by all those supporting the initiative, virtually eliminates the risk of phishing and data leaks: the concept implies that only you can unlock the device that lets you in somewhere valuable, and what you use for the purpose simply can be neither shared nor stolen. For now, at least.
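The phishing resistance described above also rests on a check the website performs at sign-in, shown here as an added example (not code from Google or from the original article): under the WebAuthn standard that passkeys build on, the browser records the origin of the page that asked for the sign-in, and the site rejects a response recorded for any other origin. The hostnames, the challenge value and the function names are constructed for illustration; the block covers the client-data checks, and signature verification is a separate server step.

```javascript
// Added example: checks a site applies to the browser-written client data
// of a passkey sign-in. Hostnames and challenge values are constructed.
const EXPECTED_ORIGIN = "https://accounts.example.com"; // assumed real site

// Constructed stand-in for the browser: it, not the page's script, fills in
// `origin`, so a look-alike page cannot claim to be the real site.
function browserClientData(pageOrigin, challenge) {
  const json = JSON.stringify({
    type: "webauthn.get",
    challenge,
    origin: pageOrigin,
    crossOrigin: false,
  });
  return Buffer.from(json, "utf8");
}

// Server-side check of clientDataJSON. Returns { ok, reason }.
function checkClientData(clientDataJSON, issuedChallenges) {
  let data;
  try {
    data = JSON.parse(Buffer.from(clientDataJSON).toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed client data" };
  }
  if (data.type !== "webauthn.get") return { ok: false, reason: "wrong ceremony type" };
  if (data.origin !== EXPECTED_ORIGIN) return { ok: false, reason: "origin mismatch" };
  // Challenges are single-use: remove on first use so a replay fails.
  if (!issuedChallenges.delete(data.challenge)) {
    return { ok: false, reason: "unknown or reused challenge" };
  }
  return { ok: true, reason: "client data accepted" };
}

// Runs three sign-in attempts against one issued challenge.
function demo() {
  // A real server draws the challenge from a CSPRNG; this one is constructed.
  const challenge = Buffer.from("constructed-challenge-0001").toString("base64url");
  const issued = new Set([challenge]);
  const lookalike = "https://accounts.example.net"; // constructed look-alike origin
  return {
    phished: checkClientData(browserClientData(lookalike, challenge), issued),
    genuine: checkClientData(browserClientData(EXPECTED_ORIGIN, challenge), issued),
    replayed: checkClientData(browserClientData(EXPECTED_ORIGIN, challenge), issued),
  };
}

console.log(demo());
```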

Vulnerabilities of passkeys

If you’ve already tried using passkeys on your phone, for example, you may have noticed that if a fingerprint or face scan fails, the device asks for the unlocking code/pattern. This is, regardless of what the experts are saying about passkeys being utterly secure, a vulnerability: an evildoer may not have your physical credentials, but obtaining that code/pattern is more realistic than you think.

Another concern about passkeys that can be found online is that of cookies. When logging in through a browser with a passkey, you create a cookie, which can be stolen. Yes, it’s a whole operation, but it is doable, one way or another.
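A passkey protects the sign-in step, but the session cookie issued afterwards is what the browser presents from then on, so how the site scopes that cookie matters. The following added example (not from the original article or from Google) audits a Set-Cookie header for the attributes that limit where a session cookie is sent and what can read it; the cookie names and values are constructed.

```javascript
// Added example: audit the Set-Cookie header a site sends after a passkey
// sign-in. Cookie names and values below are constructed.

// Split one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((part) => part.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Return the list of weaknesses for a session cookie; empty means none found.
function auditSessionCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.secure) findings.push("no Secure: sent over plain HTTP too");
  if (!attrs.httponly) findings.push("no HttpOnly: readable by page scripts");
  const sameSite = String(attrs.samesite || "").toLowerCase();
  if (sameSite !== "lax" && sameSite !== "strict") {
    findings.push("SameSite not Lax/Strict: cross-site sending not restricted by the site");
  }
  if (attrs.domain) findings.push("Domain set: shared with subdomains");
  // A __Host- name makes the browser enforce Secure, Path=/ and no Domain.
  if (!name.startsWith("__Host-")) {
    findings.push("no __Host- prefix: scope not enforced by the browser");
  } else if (!attrs.secure || attrs.domain || attrs.path !== "/") {
    findings.push("__Host- rules broken: browser will reject the cookie");
  }
  return findings;
}

// Constructed headers: a loosely scoped cookie and a tightly scoped one.
const WEAK = "SID=constructed123; Domain=example.com; Path=/";
const HARDENED = "__Host-SID=constructed123; Path=/; Secure; HttpOnly; SameSite=Lax";

console.log(auditSessionCookie(WEAK));
console.log(auditSessionCookie(HARDENED));
```

These attributes narrow script-based and network-based exposure of the cookie; they do not protect a cookie that is read from the browser profile of a compromised device.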

Is our future passwordless?

Biometrics as primary means of unlocking. Image by storyset from Freepik

The two potential weaknesses described above are, of course, relevant for some extreme cases, when someone really wants access with your passkey. Otherwise, the feature (it feels like a feature on the surface, but there is a whole infrastructure underneath) does make things simpler.

In the dedicated “Ask the Expert” piece Google published to its blog on October 10, 2023, there is a Q&A fragment of interest:

Q: “You talk about a “passwordless future” — will passkeys really replace passwords?”

A: “Yes, passkeys will replace passwords. It’s even broader than that. I’d say our vision for passkeys is to not only get rid of passwords, but also eliminate all the Band-Aids the industry has designed to make up for the fact that passwords are so vulnerable.”

That, give or take, means that passwords WILL fall into oblivion. As for the natural privacy concerns associated with biometrics playing a crucial role in the passkey play, the expert in that piece claims that devices (phones, basically) were never designed to send such data anywhere, and everything is as local as it can be. We’ll see how that works out.
