Google and other Big Tech companies have long had an antagonistic view toward passwords. It’s not hard to see why: Passwords can be guessed, accessed via previous data breaches, or just overcome via brute force. Most people reuse them across multiple accounts. Mandating regular updates to passwords has only made the problem worse; the inconvenience of needing to create new passwords every month or every few months has meant that users are more prone to stick to predictable patterns (password123! is followed by password456!).
Unfortunately, most attempts to replace the password have fallen flat. Despite being the cause of an estimated 80% of all data breaches, passwords are easy to use, non-proprietary, and baked into the structure of the internet itself. Any proposed replacement would need to overcome decades of inertia and user behavior, and would represent a major overhaul of how we view internet account security itself: an ambitious undertaking.
Google has decided to tackle the challenge of replacing passwords on its ecosystem of services with a new passkey technology that it’s rolling out across multiple platforms. Rather than the standard practice of entering a password, passkeys create a pair of cryptographic keys: one is stored on Google’s servers, and the other is stored on the user’s device.
“When a user wants to sign in to a service that uses passkeys, their browser or operating system will help them select and use the right passkey. The experience is similar to how saved passwords work today. To make sure only the rightful owner can use a passkey, the system will ask them to unlock their device. This may be performed with a biometric sensor (such as a fingerprint or facial recognition), PIN, or pattern,” explains Google’s announcement on its developer blog.
If this sounds arcane, it’s similar to the technology underpinning payment services like Apple Pay, Google Pay and Samsung Pay: tying authentication to a personal device and requiring input from the user to unlock that device creates something of a one-two punch, a more secure login process that doesn’t require confirmation via SMS or a code delivered via email. From this standpoint, passkeys promise greater ease of use AND security.
While this sounds like an exciting leap and a possible means of closing a long-standing attack vector, it should be noted that Google’s passkey setup is relatively new and may yield unforeseen difficulties and security gaps. Losing access to a device could create an even larger headache for users if that device is required for account access.
We’ll be watching with interest to see how rapidly the technology is adopted and what the drawbacks are in comparison to the more familiar and better-established password/SMS-based authentication protocols. If passkeys do manage to put the final nails in the coffin of password-based authentication, the security benefits alone could be revolutionary. That being said, Google has a lengthy history of grand claims ahead of product and service launches that fizzle out with little fanfare (Google+, Google Wave, Stadia, etc.), so we encourage people to wait until the system becomes more entrenched.
Wondering if your systems are secure against password breaches? Not sure what passkeys are? Nodal can help! Contact us today!