Google has announced that passkey support will soon be available on both Android and Chrome as part of the search giant’s efforts to usher in a passwordless future.
Even if you use one of the best password managers to generate strong, complex passwords for each of your online accounts, you can still get hacked. This is because many online services use two-factor authentication (2FA) to further secure your accounts.
The problem with 2FA or even multi-factor authentication (MFA) is the fact that hackers can use SMS-based man-in-the-middle attacks to steal the one-time passcodes sent over text to login to your accounts. This can be done by bribing someone at your wireless carrier through a process known as SIM swapping.
By bringing passkeys to Android and Chrome, Google aims to further secure your online accounts in a similar way to how Apple did by adding passkey support to iOS 16 and macOS Ventura.
What are passkeys and how do they work?
For those unfamiliar, passkeys are unique digital keys that are a safer and more secure alternative to traditional passwords since they can’t be reused and are stored in an encrypted format on your devices.
Since they aren’t stored on a web server in the cloud, if a company falls victim to a data breach, your passkeys won’t be exposed. Unlike with security keys, you don’t have to bring an additional device with you as they are stored securely on your phone or computer.
Passkeys are based on public key cryptography in which a secret private key is stored on your devices while a public key is stored on a web server. As hackers can’t easily gain access to your private key, your devices and accounts are much more difficult to hack.
You can try Passkeys in Google Password Manager
According to a new blog post (opens in new tab) from Google, the Google Password Manager backs up and syncs passkeys on Android. If you happen to have two Android devices – say one of the best Android phones and one of the best Android tablets – the passkeys created on one device are also available on the other.
Passkeys in Google Password Manager are also always end-to-end encrypted. When a passkey is backed up, its private key is backed up using an encryption key that can only be accessed from your devices. While this helps protect passkeys from hackers, it also prevents Google from accessing them.
If you want to use passkeys in Google Password Manager, you will need to set up screen lock on your Android device first. This is done to prevent others who may have access to your smartphone from using one of your passkeys.
When it’s time to sign in, you can use your saved passkeys along with your fingerprint, face or screen lock. Likewise, you can also use passkeys on your Android device to sign into a site on Chrome with your desktop or laptop. In this scenario, you need to use your phone to scan a QR code on your computer to securely sign in.
New phone, no problem
As passkeys are stored on your phone, what happens when you want to upgrade to a new device? Fortunately, when you set up a new Android device, your end-to-end encryption keys are securely transferred when you move the rest of your apps and data to it.
It’s worth noting that in some cases such as when an older device is lost or damaged, you may need to recover your end-to-end encryption keys from a secure online backup according to Google. To do this, you will need to provide the lock screen PIN, password or pattern from another device that has access to those keys. If you need to restore passkeys on a new device, you will need to be signed into your Google Account and an existing device’s screen lock.
Google has also made it more difficult for hackers to try and brute force your lock screen PIN or pattern. After 10 incorrect attempts to use screen lock on an existing device, it can no longer be used. However, you can still use screen locks from your other existing devices.
Moving to a passwordless future
Google moving away from passwords is nothing new. In fact, Google, Microsoft, Apple and other tech giants are members of the FIDO Alliance and the World Wide Web Consortium (W3C) which have been working to help drive adoption of secure authentication standards for years now.
However, with the introduction of passkeys on Android, Chrome, iOS and macOS and with Microsoft planning to bring them to Windows in the near future, the password as we know it may finally be dead.
Not sure what this is saying. If it's saying that the phone stores the private key for an auth request originating on a desktop, I don't think that's the case. The phone serves as a biometric presence because a lot of desktops don't have biometrics, but a phone isn't required for webauthn. Phone and desktop set up a BT connection, which handshakes to open a more secure connection, but that doesn't transfer a private key to the phone in a desktop scenario.
This is explained better here
Ars Technica: Death to passwords: Beta passkey support comes to Chrome and Android.
Oh yes, they did:
2022 (along with google and apple)