Passwords are a bane of the internet, yet they remain the preferred way for apps and websites to authenticate us.
The good news is that the FIDO Alliance has been working for years on technology to replace passwords for good. It also has the support of Apple, Google and Microsoft, which control the main platforms for smartphones and computers.
And this year, things have accelerated. During the WWDC conference, Apple announced the adoption of this new technology, called “passkeys”, on its smartphones and computers.
Today, it’s Google’s turn to adopt passwordless sign-in. The announcement was made on the company’s developer blog. Starting today, Passwordless Login is rolling out to its Android operating system and Google Chrome browser.
Before offering passkey sign-in to users, developers can test it on Google Play Services beta or on Chrome Canary. The technology will then be supported by the stable versions of these platforms (and therefore available to the general public) before the end of the year.
How does it work?
While we wait for the Android and Chrome updates that will replace passwords with passkeys, Google gives an overview in its announcement.
Generating the passkey when creating an account is very simple. The user confirms the information they have given, then only has to use the fingerprint scanner, the facial recognition system, or the screen unlock code to create the passkey.
To sign in, the user only has to choose an account (if they have several on the site), then authenticate using the fingerprint scanner, for example.
To use the account on a computer, the system is similar to Apple’s. The user only has to scan a QR code with the smartphone on which the passkey is stored.
Google also explains that using a passkey on Android will be similar to using a password saved on the smartphone, since the operating system interface will be the same.
And like passwords, passkeys are synced to Google’s password manager. They are therefore preserved if the user loses their smartphone, and synchronized between devices using the same Google account.
Regarding compatibility with other platforms, Google specifies: “Because the passkeys are based on industry standards, it works across different platforms and browsers, including Windows, macOS and iOS, and ChromeOS, with a uniform user experience.”
What is the difference between passwords and passkeys?
With passwords, you identify yourself by entering a series of characters. Passkeys use a system of cryptographic keys.
In essence, when creating an account protected by a passkey, a public key and a private key are generated. The first is kept by the site or application you use while the second is kept on your device (and synchronized with your Google account).
To sign in, you must prove that you are in possession of the private key. For that, you just have to authenticate on your smartphone (so you never type the keys themselves).
Compared to traditional passwords, this system has many advantages. The first is practicality. You no longer have to memorize a password, so it is the end of simple passwords of the type “1 2 3 4” and of passwords reused on several accounts, which makes those accounts vulnerable.
Another advantage: passkeys protect you from data leaks. If a website or an app you use is the victim of a data leak, your private key will not be affected, because the site only holds the public key.
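The key-pair sign-in and the data-leak point described above, as an added example that is not part of the original article or of Google's implementation. It is a simplified challenge-response using Node.js's built-in crypto module, not the real WebAuthn/FIDO2 message format; the Device and Site classes, the user "alice" and the site "example.test" are hypothetical.

```javascript
// Added illustration: simplified passkey-style challenge-response.
// Not the real WebAuthn/FIDO2 format; all names below are hypothetical.
const crypto = require('crypto');

// Device side: the private key never leaves this object.
class Device {
  constructor() { this.keys = new Map(); }
  register(site) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(site, privateKey);
    // Only the public half is handed to the site.
    return publicKey.export({ type: 'spki', format: 'pem' });
  }
  sign(site, challenge) {
    return crypto.sign('sha256', challenge, this.keys.get(site));
  }
}

// Site side: stores public keys only and issues one-time random challenges.
class Site {
  constructor() { this.accounts = new Map(); this.pending = new Map(); }
  enroll(user, publicKeyPem) { this.accounts.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  login(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // each challenge is valid once
    const pem = this.accounts.get(user);
    if (!challenge || !pem) return false;
    return crypto.verify('sha256', challenge, pem, signature);
  }
}

function demo() {
  const device = new Device(), site = new Site();
  site.enroll('alice', device.register('example.test'));
  const sig = device.sign('example.test', site.newChallenge('alice'));
  const ok = site.login('alice', sig);     // fresh challenge, right key
  site.newChallenge('alice');
  const replay = site.login('alice', sig); // old signature, new challenge
  // What a leak of the site's account store would contain: public keys only.
  const leaked = JSON.stringify([...site.accounts]);
  return { ok, replay, leakHasPrivateKey: leaked.includes('PRIVATE KEY') };
}
```

Because the site checks each signature against a fresh random challenge, a captured signature is useless for a later sign-in, and the stored public key cannot be used to produce one.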