{"id":14092,"date":"2023-10-10T12:17:45","date_gmt":"2023-10-10T12:17:45","guid":{"rendered":"http:\/\/scannn.com\/a-google-security-expert-explains\/"},"modified":"2023-10-10T12:17:45","modified_gmt":"2023-10-10T12:17:45","slug":"a-google-security-expert-explains","status":"publish","type":"post","link":"https:\/\/scannn.com\/lv\/a-google-security-expert-explains\/","title":{"rendered":"A Google security expert explains"},"content":{"rendered":"<div>\n<p data-block-key=\"1ienb\">For those of us who\u2019ve spent a quarter century memorizing passwords \u2014 reworking pet names, birthdays and sports teams into our sign-in credentials \u2014 it\u2019s easy to yearn for simpler times. Plus, filling our heads with random numbers and special characters is an imperfect defense. A decade of data breaches, hacks and phishing attempts has transformed passwords from a person\u2019s first line of defense to their primary security vulnerability.<\/p>\n<p data-block-key=\"fc587\">To help, along with Apple and Microsoft, we announced last year that we would support a new sign-in standard created by the FIDO (Fast IDentity Online) Alliance that would allow people around the world to enter a \u201cpasswordless future.\u201d This joint effort to create a safer alternative to passwords is rooted in passkeys \u2014 and starting today, you can sign up for passkeys using the &#8220;skip password when possible&#8221; prompt in your Google account.<\/p>\n<p data-block-key=\"3vel\">Passkeys are a new feature on computers and smartphones that securely log you into your accounts across the web by using biometrics like a fingerprint or face scan, or a screen lock PIN. No more remembering passwords for every one of your accounts on apps and websites \u2014 passkeys take care of securely completing authentication with a service on your behalf.<\/p>\n<p data-block-key=\"dpllo\">While we welcome a more secure future, as with any new technology we had a few questions. 
To get answers, we sat down with Google Security expert Christiaan Brand. Read on for an informative Q&amp;A with Christiaan, which has been edited for length and clarity.<\/p>\n<p data-block-key=\"drv0s\"><b>In simple terms, what is a passkey?<\/b><\/p>\n<p data-block-key=\"3i7gk\">A passkey is a FIDO credential stored on your computer or phone, and it is used to unlock your online accounts. The passkey makes signing in more secure. It works using public key cryptography, and proof that you own the credential is only shown to your online account when you unlock your phone.<\/p>\n<p data-block-key=\"9dugk\">To sign into a website or app on your phone, you just unlock your phone \u2014 your account won\u2019t need a password anymore.<\/p>\n<p data-block-key=\"snsr\">Or if you\u2019re trying to sign into a website on your computer, you just need your phone nearby and you\u2019ll be prompted to unlock your phone \u2014 which will then grant you access on your computer.<\/p>\n<p data-block-key=\"69ehf\"><b>You talk about a \u201cpasswordless future\u201d \u2014 will passkeys really replace passwords?<\/b><\/p>\n<p data-block-key=\"6taug\">Yes, passkeys will replace passwords. It\u2019s even broader than that. I\u2019d say our vision for passkeys is to not only get rid of passwords, but also eliminate all the Band-Aids the industry has designed to make up for the fact that passwords are so vulnerable.<\/p>\n<p data-block-key=\"etps5\"><b>And by \u201cBand-Aids\u201d you mean challenge questions like \u201cWhat was your high school mascot?\u201d or \u201cWhat is your mother\u2019s maiden name?\u201d<\/b><\/p>\n<p data-block-key=\"d7i3s\">Yes, but even more sophisticated fixes like multi-factor authentication, SMS messages, or authenticator apps. For example, we built the Google Authenticator App to give people an extra layer of security on the web. 
Passkeys will replace all of this.<\/p>\n<p data-block-key=\"8bvmd\"><b>We rarely hear the words \u201cpublic\u201d and \u201ccryptography\u201d in a single phrase \u2014 how does it actually work?<\/b><\/p>\n<p data-block-key=\"8fbnr\">Public key cryptography has been around since the 1970s \u2014 the web is built on it. In the 1990s, Netscape developed encryption based on public keys called Secure Sockets Layer \u2014 or SSL \u2014 as a means of authenticating websites and ensuring user privacy. Secure websites all have them and it\u2019s how you can identify whether a website is authentic and what it claims to be.<\/p>\n<p data-block-key=\"c0val\"><b>So it authenticates websites \u2014 but how does that authenticate people?<\/b><\/p>\n<p data-block-key=\"btsgr\">Passkeys are similar to SSL, more recently called TLS. But instead of systems authenticating each other, a person has the corresponding private key on their device. The cryptography portion of this is that the website can confirm that the user\u2019s device \u2014 which biometrics confirm is in their possession \u2014 has the passkey. Because of the cryptography the server never actually learns what the user\u2019s passkey actually is. That\u2019s the magic of public key cryptography. It can validate you without knowing anything about you. It just confirms you are who you say you are.<\/p>\n<p data-block-key=\"a9ve1\"><b>So if this cryptography has been around since the 1970s, why have we been memorizing passwords since the 1990s?<\/b><\/p>\n<p data-block-key=\"egbej\">Public key cryptography needs computing power. Up until about 2010, most people weren\u2019t walking around with computers in their pockets.<\/p>\n<p data-block-key=\"3da7q\">That\u2019s what smartphones are. Pocket computers. 
And while smartphones have been perceived as vulnerabilities, passkeys can transform them into the biggest shift for online security in decades.<\/p>\n<p data-block-key=\"99fo4\"><b>OK, but if you lose your phone, can the person who finds it use your passkey?<\/b><\/p>\n<p data-block-key=\"9q1ag\">No, because the phone is only part of it. In the past, logging onto a secure website required two things: You just had to have a machine to access the internet; and you needed to remember something, like your password. That means that if someone got your password all they needed was access to the internet \u2014 from anywhere.<\/p>\n<p data-block-key=\"fp243\">Passkeys are an evolution. They authenticate that <i>you<\/i> are in possession of your device, and that you are the one accessing your account. It\u2019s zero-trust in that it requires that something about you must be <i>true<\/i>. That\u2019s more secure and simpler for people.<\/p>\n<p data-block-key=\"3t684\">Your fingerprint, your face: the ability to unlock your device \u2014 these things and your device must be in your possession. If someone gets your device, they can\u2019t do anything with your passkey. And if you lose your old device containing your passkey, you can easily create a new passkey on your new device.<\/p>\n<p data-block-key=\"dfb16\"><b>And you can have more than one passkey on multiple devices?<\/b><\/p>\n<p data-block-key=\"2b7r\">Yes, you can have many passkeys and even have passkeys on devices shared with your family. That\u2019s one of the big leaps. The cryptography means passkeys \u2014 however many you have, and wherever they are stored \u2014 are only useful to the user.<\/p>\n<p data-block-key=\"9869a\"><b>This seems like one of the first security advances that require people to do<\/b> <b><i>less<\/i><\/b><b>.<\/b><\/p>\n<p data-block-key=\"7mndl\">That\u2019s true \u2014 and that\u2019s part of the zero-trust innovation. 
Since we all have a lot on our minds, we can focus on other things while simultaneously being more secure.<\/p>\n<p data-block-key=\"6o7kl\"><b>On innovation. They say \u2014 I think \u2014 that great innovations solve familiar problems. At their best, innovation means the problems that worry us will make our children yawn. What everyday security concerns do passkeys solve that will make my children yawn?<\/b><\/p>\n<p data-block-key=\"6sni\">Three things that fall into that category:<\/p>\n<p data-block-key=\"50f2c\">First, passwords getting stolen. We hear every week about some company getting hacked and passwords are stolen. Since people often recycle passwords across the web, that can give bad actors access to a lot of different accounts \u2014 email, banking, social media. Passkeys stop that.<\/p>\n<p data-block-key=\"1bl2a\">Second, authentication is imperfect and time consuming. Authentication means that even if someone gets ahold of your password, they would still need another piece of data. It\u2019s why we built the Google Authenticator App. The app helped mitigate data breaches. But that <i>still<\/i> means a person has work to do \u2014 and it puts the burden on the individual user. It\u2019s time consuming. The user shouldn\u2019t be so alone in security and authentication \u2014 and for a couple of decades they largely have been.<\/p>\n<p data-block-key=\"kaui\">Third, kids will look back on \u201cphishing attempts\u201d as amateur theatrics. Phishing is when someone sends you an email, it looks official, and you click on the link and you start typing your credentials. Phishing attempts have grown more sophisticated and sometimes people will not only be tricked into giving their username and password, but authentication info and other personal details. Plus, phishing also puts the burden on users to determine how credible an email or website looks. That\u2019s not very technical. 
Passkeys can solve the phishing problem.<\/p>\n<p data-block-key=\"eprq3\"><b>One question a lot of people will have \u2014 and that concerns biometrics like fingerprints and facial recognition. Do you think people should be concerned about biometrics working with their device to empower passkeys?<\/b><\/p>\n<p data-block-key=\"a6eoe\">None of our modern devices, laptops, smartphones or desktops \u2014 even those that use biometrics \u2014 can package biometric info and send it to the cloud. Modern smartphones aren\u2019t built to share biometrics. It\u2019s always local and on your device. Even if your device gets stolen, the thief won\u2019t have your biometrics to activate the passkey.<\/p>\n<p data-block-key=\"4flmo\"><b>We know that new technology takes time to earn trust and achieve widespread adoption. We also live in an age when lots of new digital novelties sort of masquerade as breathtaking innovation. How can people be sure passkeys are worth their time?<\/b><\/p>\n<p data-block-key=\"dn2au\">They can set up passkeys next time they\u2019re prompted by a service. Spend a<i> little<\/i> time, and then save a<i> lot<\/i> of time and mental energy after that \u2014 and be a lot more secure.<\/p>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/blog.google\/inside-google\/googlers\/ask-a-techspert\/how-passkeys-work\/\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>For those of us who\u2019ve spent a quarter century memorizing passwords \u2014 reworking pet names, birthdays and sports teams into our sign-in credentials \u2014 it\u2019s easy to yearn for simpler times. Plus, filling our heads with random numbers and special characters is an imperfect defense. 
A decade of data breaches, hacks and phishing attempts have [&hellip;]<\/p>\n","protected":false},"author":16,"featured_media":14093,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[100],"tags":[],"class_list":["post-14092","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-google"],"_links":{"self":[{"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/posts\/14092","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/users\/16"}],"replies":[{"embeddable":true,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/comments?post=14092"}],"version-history":[{"count":0,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/posts\/14092\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/media\/14093"}],"wp:attachment":[{"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/media?parent=14092"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/categories?post=14092"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/tags?post=14092"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}