After Apple, Google adopts passkeys to replace passwords. Developers can already test this simple and secure authentication method on Google Chrome and Google Play Services.


Is a future without passwords coming soon? The flaws of passwords are all too well known: they are often too weak, reused across several sites and accounts, and can be compromised by a successful phishing attack. Solutions have been put in place to overcome these weaknesses, such as two-factor authentication – which is not infallible – and password managers – which can be hacked – but the risks still exist, especially at a time when hackers are showing more and more imagination. For some time now, the FIDO Alliance – a consortium of leading technology companies, government agencies, service providers, financial institutions, payment processors and other industries, including Apple, Amazon, Microsoft, PayPal and Google – has been working on technology to eliminate the use of passwords.

And the solution could well come from passkeys – also called access keys! After Apple announced that it wanted to introduce them with iOS 16 and macOS, it is Google's turn to allow developers to start implementing this authentication technique on Android, via the beta version of Google Play Services and the Canary version of Google Chrome. For Diego Zavala, Android Product Manager, and Christiaan Brand, Account and Security Product Manager, the deployment of passkeys would be a great step forward because they "cannot be reused, don't leak in server breaches, and protect users from phishing attacks", as they explain on the Android Developer Blog.

Passkey: the replacement for the password?

By using passkeys, the user chooses a device – typically their smartphone – as the main means of authentication on sites and applications. When registering or changing the sign-in method, the smartphone creates a cryptographic key pair: a public key, which is sent to the service provider, and a private key, which remains stored on the phone and allows the website or application to authenticate the user once the device has been unlocked through the smartphone's own authentication mechanism – PIN, pattern, facial recognition or fingerprint. To simplify, instead of entering a password, you just use the usual method of unlocking your main device. And voilà!

The smartphone passkey can also be used to connect to a site from another device, such as your laptop. All you have to do is scan the QR code displayed on the site with your smartphone. Eventually, the goal is to allow passkeys to be used across different platforms – Windows, macOS, ChromeOS, Android and iOS – so that, for example, a Chrome user on Windows can authenticate to a site using a passkey stored on an iPhone.

Concretely, on a daily basis, the use of passkeys does not change anything for the user. Indeed, there are already standards for signing in to applications or sites using one of their devices, such as confirming on their smartphone that the sign-in attempt does indeed come from them, or pressing a particular number that is displayed on it. However, you must always log in at least once with a password to be able to activate this login function. And that does not prevent you from being able to recover access to your account with your credentials, which can therefore be hijacked.

But the use of passkeys also raises some drawbacks, especially when you want to replace your Android smartphone with an iPhone, or vice versa, or when the device is stolen or broken. You then have to either manually copy your passkeys to the new phone, which is quite tedious, or request new access codes from all the services, proving your identity each time…

Google passkeys will be available for all Android and Google Chrome users in November 2022. After that, all that remains is to create an application programming interface (API) to enable the use of passkeys in native Android apps. In the meantime, it is better to create a secure password.
