Google is getting closer to making passwords obsolete. The solution is called “Passkeys,” which are a unique form of password that is stored locally on your phone or PC, just like a physical security key works. The passkey is protected behind a layer of authentication, which could be your fingerprint or face scan – or just an on-screen pattern or PIN.
Passkeys are fast, compatible with all platforms, and save you the hassle of remembering passwords for websites or services you’re subscribed to. There is less room for human error and the risk of 2-factor authentication code interception is also reduced.
Passkeys were developed in collaboration with Microsoft and Apple, and Google is now taking the next step in bringing them into the mainstream by making them the default log-in option. You won’t be forced to give up your normal log-in methods, but if you haven’t already enabled a passkey, you will be prompted to create one the next time your Google Account is used for a sign-in request.
Why are passkeys better than passwords?
Passkeys use what you might call a digital handshake, which involves creating a pair of cryptographic keys rather than a password. One key is stored with the app or web service, while the other resides on the user’s device, protected by an on-device password or biometric authentication. There is no two-factor code involved: all you need to do is tap a prompt on your device to approve the identity check.
Trevor Hilligoss, who previously worked as a security specialist with the FBI and currently handles security research at SpyCloud, says that passkeys are “strong by nature, and that’s why many security teams use them for defense.” “I like this way.” The biggest advantage is that they don’t get dumped in data breaches the way the average alphanumeric password does. Breached passwords are a problem for several reasons, not least because a worryingly large number of digital citizens reuse the same password, or a lightly modified form of it, across different services.
Passkeys are faster (up to 40% according to Google), more secure and more convenient. But Hilligoss cautions that they’re not exactly a silver bullet for digital security. “Cyber criminals are increasingly adopting this technique, shifting their focus from stealing account credentials to account recovery methods, developing tactics to steal passkeys and launching attacks such as session hijacking.”
Passkeys are good, but they’re not perfect
Hilligoss points to a technique called session hijacking, also known as cookie hijacking, in which an attacker takes control of your online browsing session to steal sensitive data. In effect, the bad actor fools a website into thinking it is dealing with the legitimate user. When a person signs in to a website, a session ID is created, and it often remains active for several days.
This session ID is stored in a temporary session cookie as a string of numbers and letters, and it remains in the browser until the user logs out. Hackers can steal session IDs by injecting scripts into web pages, intercepting network traffic, tricking a victim into installing malware, or simply guessing IDs that follow a predictable pattern.
“Once an attacker hijacks a web session, they can do anything the original user wants, including purchasing items, stealing confidential personal information, or accessing bank accounts,” says Hilligoss. In such attacks, it does not matter whether the user signed in with a traditional password or with a passkey.
What does this all mean for you?
Passkeys are tied to Google Password Manager, while Apple brings iCloud Keychain into the picture, meaning passkeys are also synced across devices. By default, Google also automatically creates a passkey for freshly activated Android devices. However, as we increasingly leave passwords behind, hackers are also moving forward with more sophisticated techniques.
Passkeys also won’t stop other types of cyberattacks, like deployment of malware in various forms, a scammer impersonating a bank officer on a phone call (hello, generative AI hell), social engineering attacks, and more. Passkeys solve only one aspect of the security problem; they are not a panacea for all of it.
Digital literacy will still be of paramount importance in the coming years as third-party services slowly adopt passkeys. Hilligoss suggests that one should prefer app-based 2-factor authentication, keep changing passwords at regular intervals, double-check URLs and links received, and be cautious about phone calls from unknown numbers.
“Proper cyber hygiene and having visibility into your online accounts will go a long way in staying ahead of cyber criminals,” he concludes.