The security industry, through the FIDO (Fast IDentity Online) Alliance, has been working on a way to replace passwords, because people tend to reuse passwords or choose weak ones, which poses a big security risk not only to the users but also to their data. Two-factor authentication (2FA) has helped to address this, but “passkeys” are the way of the future, with Android and Google preparing to enable them.
When this technology is implemented, signing in to a web service will no longer require a password. That includes auto-filled passwords, a common feature of the password managers built into today’s browsers and operating systems. The FIDO technique instead makes use of cryptographic keys. End users just unlock their devices (passcode, fingerprint, face unlock, etc.) before signing in.
During registration with an online service, the user’s client device creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge.
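The registration and challenge-signing flow described above, as an added example that is not code from the original article or from FIDO. It is a simplified model rather than the WebAuthn message format, the `Device` and `Service` names are hypothetical, and it goes slightly beyond the text by making each challenge single-use:

```javascript
// Added illustration: a simplified model, not the WebAuthn wire format.
// Device, Service and their methods are hypothetical names.
const nodeCrypto = require('crypto');

// Client device: makes one key pair per service and keeps the private key.
class Device {
  constructor() { this.privateKeys = new Map(); }
  register(serviceId) {
    const { publicKey, privateKey } =
      nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.privateKeys.set(serviceId, privateKey);
    // Only the public key leaves the device.
    return publicKey.export({ type: 'spki', format: 'pem' });
  }
  sign(serviceId, challenge) {
    const key = this.privateKeys.get(serviceId);
    if (!key) throw new Error('no credential for ' + serviceId);
    return nodeCrypto.sign('sha256', challenge, key);
  }
}

// Online service: stores public keys, issues one-time challenges, verifies.
class Service {
  constructor() { this.publicKeys = new Map(); this.pending = new Map(); }
  enroll(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32); // fresh and unpredictable
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    const pem = this.publicKeys.get(user);
    this.pending.delete(user); // single use, so a replayed signature fails
    if (!challenge || !pem) return false;
    return nodeCrypto.verify('sha256', challenge, pem, signature);
  }
}

// Walk through registration, a good login, a replay and a wrong device.
function demo() {
  const service = new Service(), phone = new Device(), stranger = new Device();
  service.enroll('alice', phone.register('service.example'));
  stranger.register('service.example'); // different key pair, never enrolled
  const sig = phone.sign('service.example', service.newChallenge('alice'));
  const login = service.verify('alice', sig);
  const replay = service.verify('alice', sig);
  const wrongKey = service.verify('alice',
    stranger.sign('service.example', service.newChallenge('alice')));
  return { login, replay, wrongKey };
}
```

The service never holds a secret that could be stolen and replayed: it stores only public keys, and a captured signature is useless once its challenge has been consumed.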
Furthermore, instead of passwords, “passkeys” will be saved on your device and synced with the operating system’s cloud sync service. According to new strings in the newest version of Google Play services, passkeys (which is also the name Apple will use) are saved to your Google Account (probably using a similar Password Manager – version 22.15.14).
<string name="fido_passkey_welcome_title">Hello passkeys, goodbye passwords</string>
<string name="fido_passkey_welcome_text">Passkeys provide better protection than passwords \u2013 and they\u2019re safely saved in your Google Account. <br/><a href=%1$s> Learn more </a></string>
The user still needs to remember their primary Google Account (or Apple ID) password, especially when switching devices, but in the future, when using passkeys, that will be the only one that needs to be remembered.
Just like password managers do with passwords, the underlying OS platform will “sync” the cryptographic keys that belong to a FIDO credential from device to device. This means that the security and availability of a user’s synced credential depend on the security of the underlying OS platform’s (Google’s, Apple’s, Microsoft’s, etc.) authentication mechanism for its online accounts, and on the security of the method for reinstating access when all (old) devices are lost.
Work on Play services is still in progress, and third-party adoption is a must for everything to work. As seen in “Hello passkeys, goodbye passwords” and the cover image above, the strings today suggest Google will make a fairly user-facing push encouraging passkey adoption.
More information on the progress of this will be given in the coming days.