On International Password Day (yes, it exists, and this year it’s celebrated on May 4), Google has decided to do away with theirs. As of today it is possible to access a Google account using the new Passkey security standard, which uses the device’s biometric sensors as a guarantee of identity.
“Passkeys are a more convenient and secure alternative to passwords. They work on all major platforms and browsers, and allow users to log in by unlocking their computer or mobile device with their fingerprint, facial recognition, or a local PIN,” the company explains on Google’s security blog, where it announced the new feature.
The system is simple. If the user activates Passkey access, they will no longer have to use a password and two-factor verification. Instead, when they want to access the account, they will have to verify their identity by unlocking the phone with the biometric sensor (via fingerprint or facial recognition) or a local PIN.
In doing so, the device sends a long, encrypted key that it stores in memory and that is not accessible to the user. “Unlike passwords, access keys can only exist on your devices. They cannot be accidentally written or given to someone with bad intentions,” Google explains. Each device has a unique key, and it can be revoked if the device is lost.
This system is fundamentally designed to be used from the mobile phone, a personal device that has several security functions. Google does not recommend using Passkey on shared devices, such as a family computer, and it should certainly never be used on public computers.
The main advantage is that the user does not have to remember a password, nor do they run the risk of losing access in a phishing attack or if someone duplicates the phone line to intercept a two-factor authentication SMS. As the keys are automatically generated and encrypted, there is also no risk of the same key being used in more than one service or application. Reusing a password is something users frequently resort to so as not to have to think of a new one each time, but it is a common attack vector for cybercriminals.
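The phishing and key-reuse points above, as an added example that is not from Google or the original article: a simplified Node.js model of the challenge signing that passkeys use under the WebAuthn standard. The class names, the `.example` origins and the message layout are assumptions made for illustration and are not the real wire format.

```javascript
const crypto = require('node:crypto');

// Bytes that get signed: the origin the browser reports plus the server's challenge.
const payload = (origin, challenge) => Buffer.from(JSON.stringify({ origin, challenge }));

// Device side (hypothetical class): one key pair per site; private keys stay in here.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(origin) { // only the public half is handed to the service
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.keys.set(origin, privateKey);
    return publicKey;
  }
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null; // no passkey exists for this origin, nothing is released
    return crypto.sign(null, payload(origin, challenge), key);
  }
}

// Service side (hypothetical class): stores a public key, issues single-use challenges.
class Server {
  constructor(origin) { this.origin = origin; this.pending = new Set(); }
  enroll(publicKey) { this.publicKey = publicKey; }
  newChallenge() {
    const c = crypto.randomBytes(32).toString('hex');
    this.pending.add(c);
    return c;
  }
  verify(challenge, signature) {
    if (!signature || !this.pending.delete(challenge)) return false; // unknown or replayed
    return crypto.verify(null, payload(this.origin, challenge), this.publicKey, signature);
  }
}

function demo() { // all origins below are constructed sample values
  const device = new Authenticator();
  const site = new Server('https://accounts.example');
  const shop = new Server('https://shop.example');
  site.enroll(device.register(site.origin));
  shop.enroll(device.register(shop.origin));
  const c1 = site.newChallenge(), sig = device.sign(site.origin, c1);
  const genuine = site.verify(c1, sig);
  const replayed = site.verify(c1, sig); // same response sent a second time
  const c2 = site.newChallenge();        // look-alike page relays a real challenge
  const phished = site.verify(c2, device.sign('https://accounts-login.example', c2));
  const c3 = site.newChallenge();        // key made for another service is tried here
  const crossSite = site.verify(c3, crypto.sign(null, payload(site.origin, c3), device.keys.get(shop.origin)));
  return { genuine, replayed, phished, crossSite };
}
console.log(demo());
```

Only the genuine sign-in verifies; the replayed response, the look-alike origin and the key registered with a different service are all rejected.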
The standard is supported by leading technology companies. Apple, Microsoft and Google itself have all implemented Passkey on their platforms in recent years. Although the system has been running for a while, its adoption by the different services and applications is still low.
Google’s arrival is possibly a major boost to the technology. From now on, for example, all Android phones will automatically create these Passkeys when accessing the company’s services for the first time, and it will be the normal way to identify the user.