Go ahead, forget that password. Use a passkey instead, says Google

Google wants to take us further into a passwordless future by allowing personal account holders to log in using passkeys rather than passphrases and multifactor authentication (MFA). Passkeys are the latest hope for allowing organizations and regular folk to move away from passwords. And when we say passkeys, think of …

  1. CatWithChainsaw

    Oh boy here we go

    Yubikey-like solutions can be burdensome to carry around, easily stolen/broken, and puts authentication in the hands of the companies who manufacture them. Same deal with any token-generating dongles.

    We never learn with biometrics. Fingerprint works until you slice your thumb or burn your finger, FaceID works until you get in a nasty scrape and have a plum for an eye.

    Whether SMS or device-associated passkey, such moves make always owning one or more devices, the large majority proprietary, ever-more ingrained in modern life. I imagine anyone who is so down on their luck that they not only have no home but no electronic devices would find passkeys an utter nightmare to navigate if they can only get online at a public library, on a device they shouldn't "trust" or save credentials to.

    All these articles go to great lengths to list the weaknesses of passwords, but at least with passwords the "proprietary"-ness of the solution is fully your own to control. And maybe end users should have some responsibility to create and protect strong password solutions, lest we sink even further into learned helplessness, salvation only brought by daddy microsoft?

    1. Sora2566 Bronze badge

      Re: Oh boy here we go

      Apple and Google are working on making that "token-generating dongle" be your smartphone. And while there are still issues about proprietary hardware and biometrics not recognizing you... these are the same problems we already have with our smartphones. The goal here is to make those the *only* login-related problems, rather than those *plus* all the problems with passwords.

      1. Roland6 Silver badge

        Re: Oh boy here we go

        > Apple and Google are working on making that "token-generating dongle" be your smartphone

        Your mobile phone is increasingly becoming a “too big to fail” single point of failure…

        The laugh is, having had a teenager drop their phone in a lake after an involuntary swim, we recovered most of their Apple and Google accounts by using a password they had remembered…

      2. mpi Silver badge

        Re: Oh boy here we go

        > rather than those *plus* all the problems with passwords.

        The problem with that goal is that now there is a new problem: That my ability to authenticate myself is now dependent on some giant corporation or similar entity.

        Yes, passwords have a lot of problems. But they are MY problems. It's me causing them, and me solving them, and when I forget my password and lose my keychain and can no longer access my devices, it's because I messed up, not because something entirely outside of my control happened while I'm just a helpless bystander.

        And because of that, I will keep my passwords, I will keep my FOSS password manager, I will keep doing things like generating my own pub/priv keypairs, I will keep managing syncing all that to my devices myself. I don't care if that works for the "typical user", I care if it works for me, which it does. And if someone offers me a service that I cannot access using those methods, well, then I guess that service and me will not become very acquainted with one another. Plenty of other fish in the pond.

        1. Anonymous Coward

          Re: Oh boy here we go

          Plenty of other fish in the pond. --- I'm pretty sure the end goal is to suck up all the air and de-oxygenate the pond, so the other fish die.

      3. LybsterRoy Silver badge

        Re: Oh boy here we go

        I only bought a smartphone this year and I'm 72! The only reason I gave up on my Doro was that I'm diabetic and was offered the chance to move to Freestyle Libre thus removing the need to stick a needle in my finger several times a day.

        A neighbour I go dog walking with (same age range) doesn't have a smartphone. My wife doesn't, nor does my dog walking mate's wife. Once we've all died out it may be worth doing something like the article proposes, but not until.

        Forgot to mention. I use my smartphone for phone calls and checking my glucose levels - that's it.

      4. CatWithChainsaw

        Re: Oh boy here we go

        Sweet. Summer. Child.

        If you set up a passkey, your options are biometric and/or trusted devices. Those devices are often mobile phones, because this is becoming a phone-centric world, and phone platforms have been locked down from the beginning, unlike desktop computing platforms. As someone else said, making phones a single point of failure is stupid. Making phones a requirement to participate in society once again punishes poverty and forces humans to align with machines/corporation nation-states rather than the other way around - the tools have become the masters. Proprietary software is really just icing on the cake - pick between Apple or Google OS, pick one of only a few vetted authentication apps, pick your silo. There is no motivation to make it easy for people to break out of that silo, so good luck getting passkey auths to be "universal".

        Phones are locked with either biometric data, unlock patterns, or PINs. Locking with biometric data makes it easier for law enforcement to force your phone open. Locking with patterns/PINs makes it easier for criminals to force your phone open (although it may take more time).

        Let's take the scenario where a person's ONLY trusted device/passkey holder is their phone. Regardless of whether they use biometrics or device TOTP or whichever, they *cannot* experience a discontinuity in the integrity of that phone, whether by breaking or stealing. If either, they have to go to an untrusted device to secure their accounts. How do they get in? Device passkeys are dead in the water, and then they better have set up biometrics as a backup, and hope the device they want to log in on has a compatible FaceID-reading camera or a fingerprint reader, which isn't that common on computers. The two most feasible options that come to mind are backup codes (how often do you keep those on you? Are they on your phone? Are they easy to memorize? Did you print them out multiple times and keep them in safe places? Are they accessible?) or security questions, which are basically just... passwords!

        In a world where both people had better password hygiene and companies protected passwords with the diligence they're supposed to, we probably wouldn't feel this need for passkeys. As it is, even if they're "more secure", the data has to live somewhere just like passwords do, and this will just pivot hackers' attention towards optimizing to attack passkeys instead. Maybe passwords will become the more secure authentication by virtue of everyone relying on passkeys.

        Remember when banks and credit unions insisted on using "voiceprints" to authenticate people when they called their services? And remember a few months ago when AI-generated spoofed voices started to become nearly flawless imitations?

    2. Joe W Silver badge

      Re: Oh boy here we go

      Brilliant idea...

      until you lose the device, or buy a new one, or it just stops working / is damaged / eaten by a grue. Will FOSS support the standard? Can I move the "passkey" to a FOSS device? Do the f'ing fingerprint sensors work under Linux - or do they rely on some secret sauce that is only available if you are a commercial entity producing an OS (= Microsoft or Apple)?

    3. Missing Semicolon Silver badge

      Re: Oh boy here we go

      Plus now all of the authenticating objects are stealable, physical things. A key is stealable. Your fingerprint is stealable.

      1. Arthur the cat Silver badge

        Re: Oh boy here we go

        Your fingerprint is stealable.

        Worse, your finger is stealable. Will they check for a pulse?

        1. Michael Wojcik Silver badge

          Re: Oh boy here we go

          I think most COTS fingerprint readers now do, but this is a legitimate concern. Does the thief know that a severed finger won't work? Worth trying, right?

          (The "check for a pulse" mechanism was primarily intended to defeat fake-finger attacks, not severed-finger ones, but that hardly matters.)

      2. Anonymous Coward

        Re: Oh boy here we go

        "Your fingerprint is stealable"

        Unless you work somewhere like a pineapple processing plant, 'cos enzymes in the juice tend to eat away your fingerprints...

    4. Wade Burchette

      Re: Oh boy here we go

      For some reason, my fingerprints never work on any fingerprint reader. Not the ones on the phones, past and present. Not the ones on the computer, both the old swipe and new ones. Not even expensive ones where you place your entire finger in. I can't be the only one. I bet the people behind this passkey thinking never even thought of the people whose fingers for some reason do not work on fingerprint readers.

      1. vtcodger Silver badge

        Re: Oh boy here we go

        I'm sure that somewhere online you can buy a cured and stuffed finger. Just use that and hang said finger on your keychain. Problem solved.

        1. Arthur the cat Silver badge

          Re: Oh boy here we go

          I'm sure that somewhere online you can buy a cured and stuffed finger.

          Or you could buy in bulk.

          1. vtcodger Silver badge

            Re: Oh boy here we go

            Buy in Bulk? What a great idea. With a few dozen of these things, you can probably open just about any biometric lock. The wealth of nations will be yours.

        2. Anonymous Coward

          Re: Oh boy here we go

          Would a rabbit's foot work?

          (bunnymetrics?)

      2. Anonymous Coward

        Re: Oh boy here we go

        My wife's $150 Samsung cellphone would not recognize her fingerprint. I tried registering mine on her phone and it worked fine first time. We tried over a dozen times with her finger but no go. I think it was probably too small a surface area. I expect people with edge-case biometrics and stubborn traditionalist Linux users who insist on self responsibility are simply going to get nudged off the edge of a cliff. E.g., no way to access bank accounts online.

    5. Omnipresent Bronze badge

      Re: Oh boy here we go

      If someone can get into your phone, they can get to your passkeys. You might as well write them down in notes. This is about forced control, and why the hell would I give google and apple access to all my passwords? Give me a reason.

      1. DS999 Silver badge

        Re: Oh boy here we go

        Depends on where they are stored. On an iPhone they are stored in the Secure Element, the contents of which you cannot access even if you root/jailbreak the phone. Access to them is unlocked via your fingerprint hash or your phone's password, which are ALSO stored on the Secure Element. Nothing in the Secure Element goes to iCloud, it never leaves the phone.

        The Android hardware world is a lot more fragmented but AFAIK big OEMs like Samsung, as well as chipmakers like Qualcomm, provide similar solutions where I assume the passkeys will be stored. They won't be in a "file" in the filesystem.

        1. Omnipresent Bronze badge

          Re: Oh boy here we go

          IDK about cloud Google hardware (I wouldn't use it.), but all you need to open up your keypass (passwords) on an iPhone is the same thing that opens your iPhone. This is useless and stupid.

        2. Anonymous Coward

          Re: Oh boy here we go

          > Nothing in the Secure Element goes to iCloud, it never leaves the phone.

          So, how does the "they can be backed up to iCloud" bit work then?

    6. DS999 Silver badge

      Where does Google say

      That you can ONLY authenticate with a fingerprint? You will always be able to authenticate with your phone's password, it is just less convenient to do. So your worry about slicing off your finger or whatever is pointless. You log in with your password and enroll a different finger.

      Note I'm just commenting on this part of it and not on the scheme as a whole.

      1. CatWithChainsaw

        Re: Where does Google say

        You login.... with a /password??/

        HM....

        1. DS999 Silver badge

          Re: Where does Google say

          When you start your phone up that's the only way to login, Face ID isn't enabled because your password is needed to unlock the hash Face ID compares to.

          1. CatWithChainsaw

            Re: Where does Google say

            So we default back to passwords anyway, we just threw layers of cruft in between. What a great allocation of resources.

    7. Michael Wojcik Silver badge

      Re: Oh boy here we go

      Yubikey-like solutions can be burdensome to carry around, easily stolen/broken, and puts authentication in the hands of the companies who manufacture them. Same deal with any token-generating dongles.

      And smartphones are worse, since they are far more fragile, far more attractive to thieves, taken out far more often, far more inconvenient to share if you need to give someone else temporary access...

      And passkeys fail horribly for shared accounts, and for recovery by an appropriate person if the original user is unavailable for an extended period of time, or permanently. My wife and I have numerous shared accounts: bank accounts, a "house" email account, credit-card accounts, online merchant accounts, and so on. We've made various provisions for recovery if one of us has to wrestle a supervillain into an active volcano,[1] but it's still going to be a huge pain in the ass. Being wiped out simultaneously by ASI would be kind of a relief.

      Hardware-based authentication has myriad failure modes. Yes, passwords are terrible authenticators. So is every other type of authenticator ever invented. This is a hard problem and the industry is not at all close to solving it.

      [1] Pretty sure this is the most likely cause of death for either of us.

  2. ChoHag Silver badge

    It's not getting rid of passwords. Nothing's getting rid of passwords. Passwords are not going away. This just takes control over them away from the people who own them.

    Gee where have we seen that before?

    A passkey, of whatever form, takes the idea of "a password locked up in your head" and replaces it with "a password locked up in some magical device".

    But by all means give Google more control over your private life. That's been going so well so far.

    1. Sora2566 Bronze badge

      While I agree that the current inability to move passkeys between tech ecosystems is their biggest weakness, calling them "a password locked up in some magical device" is a bit misleading. Said magical device won't ever send that "password" to a typosquatting domain, which kills entire swathes of attacks right there. Also, as they're a public/private key pair, you have pretty much no chance running dictionary, brute-force, or credential stuffing attacks.

      I'd call them "a password++ locked up in some magical device" myself.
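The "won't ever send it to a typosquatting domain" property above comes from WebAuthn binding every assertion to the relying-party ID and to the origin the browser itself records. The following Go model of both sides is an added example, not code from this thread or from any passkey vendor; the domains, the fixed challenge and the authData reduced to just the rpIdHash are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData mirrors WebAuthn's CollectedClientData; the browser, not the page, fills in "origin".
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the relying party (RP) receives; AuthData is reduced here to the 32-byte rpIdHash.
type assertion struct{ AuthData, ClientDataJSON, Sig []byte }

// authenticator is the "magical device": one key pair per relying-party ID, keyed by rpID.
type authenticator map[string]*ecdsa.PrivateKey

// signedMessage is what WebAuthn actually signs: authData || SHA-256(clientDataJSON).
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return m[:]
}

// sign models navigator.credentials.get(): key looked up by rpID, page origin recorded before signing.
func (a authenticator) sign(origin, rpID, challenge string) (*assertion, error) {
	k, ok := a[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential for %s", rpID) // lookalike domain: nothing to send
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpIDHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, k, signedMessage(rpIDHash[:], cd))
	return &assertion{AuthData: rpIDHash[:], ClientDataJSON: cd, Sig: sig}, err
}

// verify is the RP side: type, challenge, origin and rpIdHash are checked before the signature.
func verify(pub *ecdsa.PublicKey, origin, rpID, challenge string, as *assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge || cd.Origin != origin {
		return fmt.Errorf("client data rejected: origin %q, challenge %q", cd.Origin, cd.Challenge)
	}
	if want := sha256.Sum256([]byte(rpID)); string(as.AuthData) != string(want[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed RP "bank.example" enrols one passkey
	auth := authenticator{"bank.example": key}
	const challenge = "constructed-nonce-1" // a real RP sends a fresh random value per login
	as, _ := auth.sign("https://bank.example", "bank.example", challenge)
	fmt.Println("genuine site:", verify(&key.PublicKey, "https://bank.example", "bank.example", challenge, as))
	// Lookalike domain: no key for that rpID, so there is no "password" to hand over.
	_, err := auth.sign("https://bamk.example", "bamk.example", challenge)
	fmt.Println("lookalike:", err)
	// Phishing page relaying the genuine challenge: the browser-recorded origin gives it away.
	as, _ = auth.sign("https://bank-login.example", "bank.example", challenge)
	fmt.Println("relayed:", verify(&key.PublicKey, "https://bank.example", "bank.example", challenge, as))
}
```

The RP's public key alone is useless to anyone who breaches it, which is the dictionary/brute-force/credential-stuffing point; what remains exposed is the private key on the device, which the rest of the thread is arguing about.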

      1. Roland6 Silver badge

        If you are lucky said magical device will be protected with a 6 digit passcode but more likely just a screensaver and so swipe left…

        However, when passkeys fail (and they do), regaining access to the relevant account typically involves a password…

        Yes, passkeys are useful, but they aren't a credentials silver bullet.

      2. Michael Wojcik Silver badge

        Said magical device won't ever send that "password" to a typosquatting domain

        Unlike a password manager, which ... oh, hey, achieves exactly the same thing.

        Of course, sending a repeatable credential to a peer is a stupid way to authenticate in general, which is why we've had things like SRP, PAK, and SPEKE for years. Unfortunately most developers aren't willing to do the work to use them.

        1. Sora2566 Bronze badge

          Usually it's less developers being completely uninterested and more managers being completely uninterested... and if the developer somehow manages to get that through, the users being completely uninterested in learning a new way of doing things.

  3. Dan 55 Silver badge

    Another Big Tech lock-in opportunity

    Passwords that only work on one multinational's ecosystem. What a time to be alive.

    KeePass got there first and allows synchronisation anywhere.

  4. Stephen Booth

    Passkey != MFA

    Yes, passkeys are a great idea with many advantages over traditional password implementations. However, it's wrong to imply that a single encrypted-at-rest credential is somehow equivalent to multi-factor authentication. The un-encrypted key is still potentially vulnerable to phone malware or key backup "features" introduced by the phone/OS vendor. Risks that can be mitigated by using multiple credentials from different devices.

    It's also worth pointing out that fingerprint biometrics are a fairly low grade security feature anyway. Anyone stealing a phone to obtain the passkeys will probably have no trouble obtaining copies of the user's fingerprints. (Assuming that they can't just lift them off the phone itself)

    1. Kevin Johnston

      Re: Passkey != MFA

      quote "Assuming that they can't just lift them off the phone itself"

      Perfectly demonstrated by Mythbusters, who lifted a fingerprint off a CD case to open a fingerprint coded lock with a bit of sticky-backed plastic, with 100% success.

      As commented above, fingerprints are one of the weakest forms of biometrics, which are most easily damaged and stolen.

      1. DS999 Silver badge

        Re: Passkey != MFA

        Mythbusters did that a decade ago, against a lock that was using technology that was a decade old at the time. It would be interesting to see them try to attack a modern phone's fingerprint reader / facial ID. I very much doubt it will be as easy as it was even if they still managed to get in on their own (i.e. before they called in experts who understand how the systems work and know where their weaknesses are)

        1. Michael Wojcik Silver badge

          Re: Passkey != MFA

          COTS biometric sensors have improved, but that only addresses one part of the attack tree. Biometrics have a lot of terrible failure modes. They're miserable authenticators. Any key you can't rotate is a lousy authenticator, frankly.

          In the US, biometrics also have big legal drawbacks.

          1. M.V. Lipvig Silver badge

            Re: Passkey != MFA

            "In the US, biometrics also have big legal drawbacks."

            And to that, I continue to say that the only use anyone should have for a biometric lock is to trigger a phone wipe.

        2. M.V. Lipvig Silver badge

          Re: Passkey != MFA

          Anyone here with a fingerprint passkey device can test that right now if they like.

  5. Potemkine! Silver badge

    Depending on a mandatory second device to log in sounds a bad idea to me.

    1. vtcodger Silver badge

      A bad idea?

      Of course it's a bad idea. There are reasons that physical safes generally depend on combinations (something you know) rather than keys (something you have). Do you think being a dubious idea is going to prevent or even delay implementation?

  6. mpi Silver badge

    Google wants to take us further into a passwordless future

    I bet they do. But it's not gonna happen.

  7. Barry Rueger

    <cough> Battery?

    And again, what happens at the airline check-in when your battery goes dead?

  8. Anonymous Coward

    wait, that's less secure surely?

    " When you create a passkey on a device, anyone with access to that device and the ability to unlock it"

    So, surely that's LESS secure? Currently, if someone steals my device they still need to a) access it and then b) enter passwords. In this new world, once they have unlocked my phone or laptop or whatever, they have access to everything...

    1. MachDiamond Silver badge

      Re: wait, that's less secure surely?

      "Currently, if someone steals my device they still need to a) access it and then b) enter passwords."

      If they can steal your phone after you have unlocked it, it's not that hard to plug a device into it so it remains awake and unlocked. You make yourself a target if you put your phone down in a public place. One criminal gets your attention when another is in position to grab your phone when you take your attention away from it.

  9. Pascal Monett Silver badge

    So, the smartphone is the password now

    Biometric, schmiometric. All this is just trading a biological weakness for a hardware weakness.

    The passkey is tied to the device? Great. Lose or break your smartphone and you've just lost all your accesses permanently.

    I can create a passkey on my non-laptop PC? Great, as soon as I upgrade it that passkey is toast. And installing such a thing on a Windows system is madness in the first place. Or are you actually expecting Borkzilla to handle that 100% efficiently?

    Oh well, passwords still work, they say. Good, because I'm sticking to that. And good luck to the phishing attempt that tries to get my password. Yes, I'm a savvy user but, more importantly, I know that there is nobody that needs any of my passwords, so there should be nobody who asks. And if they do ask, the answer is chocolate.

    The answer is always chocolate.

  10. Jamie Jones Silver badge

    Usability failures

    -- My mother can't shop online with Sainsburys because they insist on sending a text to her mobile before they let her log in, and she can't see things like that. I did mention it to them, they gave the usual "for your protection" blah.

    Her actual bank account is protected via a phone call back, so she can use Asda's or Tesco's instead.

    Apparently, Sainsbury's are worried about someone hacking her account, and ordering 10 pizzas - THAT THE HACKER PAYS FOR - TO HER ADDRESS.

    -- I often can't use PayPal when I'm out, because it insists on SMS callback on login.

    -- I had to remove my phone number from Amazon (so now I don't get text updates on delivery) as it was the only way to stop them demanding 2FA to log in when I'm over at my mum's with no mobile signal.

    1. Dan 55 Silver badge

      Re: Usability failures

      You can add TOTP 2FA to your Amazon account, and that means there's no SMS 2FA.

      1. Jamie Jones Silver badge

        Re: Usability failures

        I have to admit that I didn't know about this. Looks interesting...

        I still believe in the premise of my rant though. Besides, there's no way in hell that anyone would ever guess my password "123456"!

        Cheers.

        (Not my downvote!)

  11. Falmari Silver badge

    1FA > 2FA?

    How is passkey more secure than 2FA? To me that looks like 1FA.

    My university email requires 2FA to access it. I start Outlook on my PC, and I am then asked for my password followed by the 2FA. Which requires me to log in (PIN) to my phone and get the code from the authenticator app. So access to my email requires 1) my password 2) my phone and to be able to log in.

    But with passkey access to my email would just require my phone and to be able to log in. How is having just the device (phone) more secure than having to have the device and the password?

    I'm sure the answer from Google is that passkey is more secure because it can't be copied from the device etc. That's only true until someone does, and someone will; it is just a matter of when.
