You no longer need a password to sign in to a Google account or service! The digital giant now allows the use of access keys (passkeys), a more reliable and simpler technology, for all its services.
Is a future without passwords coming soon? That, in any case, is the path Google seems to be on, as it takes a new step in the deployment of passkeys – also called access keys. Since May 3, 2023, the billions of users of Google services can adopt this authentication method, via biometric sensors, the smartphone lock PIN or physical electronic authentication keys, and completely abandon their passwords and verification codes when signing in to their accounts, as the firm proudly announces in its press release. To do this, simply go to this address, sign in to your account with your usual credentials, then click “Use access keys”. To add an additional access key for another device, simply click “+ Create a security key”; that key will then be stored on the device used.
Access keys: securely sign in to your Google account
Google account passkeys are stored on any compatible hardware – namely iPhones running iOS 16 and Android devices running Android 9 or higher – and can be shared with other devices from within the operating system using services like iCloud or some password managers. To use another person’s device to temporarily access your Google Account, select the “Use a password from another device” option to create a one-time sign-in. Note that you should not create an access key on a shared device, because its real owner would then be able to access the Google account whenever they wish. If the device is stolen, lost or compromised, you can revoke the security keys in your account settings.
While it will take some time for passkey support to become widespread, this announcement significantly advances their adoption, given Google's size and the scale of the implementation. For now, user accounts will continue to support existing login methods, such as passwords – this is a transition period of sorts. The Mountain View company plans to promote this new technology in the coming months and start encouraging its users to convert their credentials into passkeys.
Access keys: the solution to replace passwords
But why seek a future without passwords? Quite simply because of their flaws, which are only too well known. They are often too weak, reused across several sites and accounts, and can be compromised by a successful phishing attack. Solutions have been put in place to overcome these weaknesses, such as two-factor authentication – which is not infallible – and password managers – which can be hacked – but the risks remain, especially at a time when hackers are showing more and more imagination. For some time now, the FIDO Alliance – a consortium of leading technology companies, government agencies, service providers, financial institutions, payment processors and other industries, including Apple, Amazon, Microsoft, PayPal and Google (see our article) – has been working on a technology aimed at eliminating the use of passwords: passkeys!
After Apple announced that it wanted to introduce them with iOS 16 and macOS, Google in turn allowed developers, in October 2022, to start implementing this authentication technique on Android, via the beta version of Google Play Services and the Canary version of Google Chrome. For Diego Zavala, Android Product Manager, and Christiaan Brand, Account and Security Product Manager, the deployment of passkeys was a great step forward because they “cannot be reused, do not leak into server loopholes, and protect users from phishing attacks”, as they explained on the Android Developer Blog.
With passkeys, the user chooses a device – logically their smartphone – as the main means of authentication for sites and applications. When registering or changing the sign-in method, the smartphone creates two cryptographic keys: a public key, which is sent to the service provider, and a private key, which remains stored on the phone and allows the website or application to authenticate the user once the device has been unlocked through the smartphone's own authentication mechanism – PIN, pattern, facial recognition or fingerprint. Put simply, instead of entering a password, you just use the usual method of unlocking your main device. And voilà! The smartphone passkey can also be used to sign in to a site from another device, such as your laptop: all you have to do is scan the QR code displayed on the site with your smartphone. Eventually, the goal is to allow passkeys to be used across different platforms – Windows, macOS, ChromeOS, Android and iOS – so that, for example, a Chrome browser user on Windows can authenticate to a site using a passkey stored on an iPhone.
In day-to-day use, passkeys change nothing for the user. There are already standards for signing in to applications or sites using one of your devices, such as confirming on your smartphone that the sign-in attempt does indeed come from you, or pressing a particular number that is displayed on it. However, you must always log in at least once with a password to be able to activate this login function. And that does not prevent access to your account from being recovered with your credentials, which can therefore be hijacked. Passkeys also have some drawbacks, especially when you want to replace your Android smartphone with an iPhone – or vice versa – or when the device is stolen or broken. You then have to either manually copy your passkeys to the new phone – which is quite tedious – or request new access codes from every service, proving your identity each time… Developers have been able to test this simple and secure authentication method on Google Chrome and Google Play Services since November 2022, by creating an application programming interface (API) allowing the use of passkeys in Android applications. In the meantime, it is better to create a secure password.
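The key-pair exchange described above, as an added example (not code from Google or the FIDO Alliance): a simplified Node.js model, not the real WebAuthn message format, in which the service stores only the public key and rejects a replayed response or one signed for a look-alike origin. The names `createPasskey`, `createServer` and `demo`, the user name and both origins are constructed for illustration.

```javascript
// Simplified model of a passkey login; not the real WebAuthn message format.
const nodeCrypto = require('node:crypto');
const ORIGIN = 'https://accounts.example'; // constructed site origin
// Device side: the private key stays inside this closure.
function createPasskey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey, // the only part sent to the service
    // Runs after the user unlocks the device (PIN, pattern, face, fingerprint).
    sign(challenge, seenOrigin) {
      const clientData = JSON.stringify({ challenge, origin: seenOrigin });
      const signature = nodeCrypto.sign('sha256', Buffer.from(clientData), privateKey);
      return { clientData, signature };
    },
  };
}

// Service side: holds public keys and outstanding challenges, never a secret.
function createServer(origin) {
  const publicKeys = new Map();
  const pending = new Set();
  return {
    register(user, publicKey) { publicKeys.set(user, publicKey); },
    newChallenge() {
      const challenge = nodeCrypto.randomBytes(32).toString('base64url');
      pending.add(challenge);
      return challenge;
    },
    verify(user, { clientData, signature }) {
      const key = publicKeys.get(user);
      if (!key) return 'unknown-user';
      if (!nodeCrypto.verify('sha256', Buffer.from(clientData), key, signature)) return 'bad-signature';
      const { challenge, origin: signedOrigin } = JSON.parse(clientData);
      if (signedOrigin !== origin) return 'wrong-origin'; // signed on a look-alike site
      if (!pending.delete(challenge)) return 'stale-challenge'; // replayed or never issued
      return 'ok';
    },
  };
}

// Normal login, replay of the same response, and a response signed on a look-alike origin.
function demo() {
  const server = createServer(ORIGIN);
  const phone = createPasskey();
  server.register('alice', phone.publicKey);
  const good = phone.sign(server.newChallenge(), ORIGIN);
  const phished = phone.sign(server.newChallenge(), 'https://accounts-example.test');
  return [server.verify('alice', good), server.verify('alice', good), server.verify('alice', phished)];
}
```

Calling `demo()` returns the three verification results in order; a database leak on the service side exposes only public keys, which cannot be used to sign a challenge.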