[speaker id=28669]
Google recently revealed that they are working on their new passwordless feature also known as Passkeys, which is to be rolled out for Chrome and Android.
Introduction
Google has announced that it is working on a passwordless feature known as passkeys, to be rolled out for Android and Chrome.
Passkeys are a safe and easy replacement for passwords. With passkeys, users can sign in to apps and websites using a biometric sensor (fingerprint, face recognition), a PIN, or a pattern, freeing them from having to remember and manage passwords.
Passkeys can replace both the password and the second factor in a single step. The user experience is as simple as autofilling a password. Passkeys provide robust protection against phishing, account hijacking, attacks on SMS or app-based OTPs (one-time passwords), and data breaches. Passkeys work across most of a user's devices, and because they are standardized, a single implementation enables a passwordless experience across different browsers and operating systems.
What Are Passkeys?
A passkey is a digital credential tied to a user account and a website or application. Passkeys allow the user to authenticate without entering a username, password, or other authentication factor. This technology aims to replace legacy authentication mechanisms such as passwords.
Passkeys use the biometric sensors (fingerprint scanner, face recognition) on your mobile device to authenticate you in place of a password. When you sign in to an account, the website or app lets you choose the passkey assigned to your Google account. The experience is similar to how saved passwords work today. To make sure only the rightful owner can use a passkey, the system asks them to unlock their device.
To create a passkey for a website or application, a user first must register with that website or application. When they return to this website or app to sign in, they can take the following steps:
- Go to the application.
- Click Sign in.
- Select their passkey.
- Use the device screen unlock to complete the login.
You can only create passkeys on the websites or apps which support them.
To use passkeys across devices, your desktop and mobile device need to be signed in to the same Google account.
How Do Passkeys Work?
Passkeys are intended to be used through operating-system infrastructure that allows passkey managers to create, back up, and make passkeys available to the applications running on that operating system. Passkeys are stored in Google Password Manager, which synchronizes them between the user's Android devices that are signed in to the same Google account.
Users are not restricted to using passkeys on the device where they are stored. A passkey saved on the phone can be used to authorize a web login on another device nearby, which means that (as Google has been keen to point out) an Android phone owner can sign in to a passkey-supporting website from Safari on a Mac. The device being logged in to shows a QR code; scanning it with the phone completes the login to the website or application. On mobile devices, you are instead offered a choice of passkey and unlock it with the biometric sensor.
This compatibility across platforms is possible because passkey technology is built on shared, underlying industry standards known as FIDO2 and Web Authentication Level 3 rather than being a proprietary technology.
Security Considerations
Passkeys use public key cryptography, which reduces the impact of a server-side data breach. When a user creates a passkey with a site or application, a public-private key pair is generated on the user's device. Only the public key is stored by the site, and on its own it is useless to an attacker: the private key, which is required to complete authentication, cannot be derived from the data stored on the server.
Because passkeys are bound to a website's or app's identity, they are safe from phishing attacks. The browser and operating system ensure that a passkey can only be used with the website or app that created it. This frees users from being responsible for checking that they are signing in to the genuine website or app.