05 May 2023

Google Online Security Blog: “So long passwords, thanks for all the phish”

When you add a passkey to your Google Account, we will start asking for it when you sign in or perform sensitive actions on your account. The passkey itself is stored on your local computer or mobile device, which will ask for your screen lock biometrics or PIN to confirm it’s really you. Biometric data is never shared with Google or any other third party – the screen lock only unlocks the passkey locally.

Unlike passwords, passkeys can only exist on your devices. They cannot be written down or accidentally given to a bad actor. When you use a passkey to sign in to your Google Account, it proves to Google that you have access to your device and are able to unlock it. Together, this means that passkeys protect you against phishing and any accidental mishandling that passwords are prone to, such as being reused or exposed in a data breach. This is stronger protection than most 2SV (2FA/MFA) methods offer today, which is why we allow you to skip not only the password but also 2SV when you use a passkey. In fact, passkeys are strong enough that they can stand in for security keys for users enrolled in our Advanced Protection Program.

Arnar Birgisson & Diana K Smetters

I’m no expert in security, but being able to log in seamlessly, without a password, a password manager, or 2FA, sounds like a genuinely useful feature. Microsoft has something similar through the Authenticator app, where you can sign in with only your email address and a confirmation in the app.

[Image: Google passkey login flow]
Google says the login flow will go something like this, from left to right: type in your username, pick a passkey, scan a finger. Hopefully your device has biometrics.

But the technology still has some way to develop, as support for various features and platforms is very much work-in-progress. I haven’t tried passkeys yet, but from what I’ve read so far some use cases seem rather complicated or difficult to deal with. Signing in for a single session on a device you don’t control involves scanning a QR code and some Bluetooth communication between this device and your personal phone where the passkey is stored.

The most concerning scenario in my view is losing your smartphone, especially when you’re away from home and don’t have your own laptop around with a secondary passkey. Google recommends immediately revoking the passkey associated with the lost device in account settings, but to access your account you need another smartphone or laptop, and your account password, which you may no longer remember if you haven’t used it in a long time due to the convenience of passkeys…

When you do need to use a passkey from your phone to sign in on another device, the first step is usually to scan a QR code displayed by that device. The device then verifies that your phone is in proximity using a small anonymous Bluetooth message and sets up an end-to-end encrypted connection to the phone through the internet. The phone uses this connection to deliver your one-time passkey signature, which requires your approval and the biometric or screen lock step on the phone. Neither the passkey itself nor the screen lock information is sent to the new device. The Bluetooth proximity check ensures remote attackers can’t trick you into releasing a passkey signature, for example by sending you a screenshot of a QR code from their own device.

Passkeys are built on the protocols and standards Google helped create in the FIDO Alliance and W3C WebAuthn working group. This means passkey support works across all platforms and browsers that adopt these standards. You can store the passkeys for your Google Account on any compatible device or service.
