The Password is Dead!

Despite some pessimistic predictions on how long it would take for passkeys to gain a foothold, and the danger of quantum cryptography to break them, on May 3rd Google announced and launched its new authentication system called Google Passkeys which removes the need to enter a password or 2-step verification when logging into a Google resource.

Image: SGeek

The primary benefits to this methodology are (the obvious) not needing to remember a password while obtaining enhanced security and privacy in a more user-friendly format. As the Verge points out, it does this with a passkey added to each local device connected to the service then login occurs in combination with biometric authentication such as a fingerprint or Face ID, but the biometric data isn’t shared with Google. However, you can still temporarily authenticate using the passkey to someone else’s device without sharing or downloading your passkey to that device.

After establishing a passkey on my Android phone, when attempting to login to my Windows laptop I was presented with the image below. After selecting Continue, using Cross-Device Authentication, I was given the option to scan a QR code (For those of you that have read my past articles you can image how I wasn’t thrilled about that) from my phone’s camera, then a passkey was placed on my laptop. It was actually pretty simple to setup, taking all of maybe a minute.

I was using the Edge Browser on my Windows laptop, so it worked just fine, but as we can see in this matrix, not all platforms, or browsers are currently supported.

Source: Passkeys.dev

Google Passkey is similar to Apple Passkey, but unlike Apple’s offering, it will work across more platforms. Though it also does not currently work on Firefox MacOS and…

Another complaint provided by users is that when using a Bluetooth connection to transfer the passkey during cross-device authentication the connection is sometimes unreliable and may end up in an unsuccessful transfer.

For those that still rely upon passwords, but like to use a Password Manager, Dashlane is already supporting this new capability. This brings up the point I’ve seen in several locations online that for some users it seems easier to auto-populate a password from a password manager, than use a passkey. While the use of strong passwords via a password manager is better than easy-to-remember or repeated passwords entered manually, the user is still subject to having the master password compromised, so a passkey would present a significant increase in security even for those users.

If you are interested in setting up Google Passkey on your devices and giving it a try, head over to PCWorld where they have some easy-to-follow instructions. After a week of using it I think you’ll find it to be a much easier solution to a longstanding problem.