Highlights:
- A passkey-based login system uses the user’s device for authentication rather than a username and password.
- The technology is founded on a method of encryption known as public-key cryptography.
Users will be able to sign into Google LLC services using passkeys, a new authentication credential meant to be more secure than regular passwords.
Recently, Google introduced the feature. The company has already begun sending passkey support to consumer accounts and stated that Google Workspace will receive the feature “soon.”
A passkey-based login system uses the user’s device for authentication rather than a username and password. Google’s technology implementation is compatible with personal computers and mobile devices. Users using Google accounts just need to protect their devices with a lock screen password or a biometric authentication technique, such as a fingerprint scanner.
The technology is substantially more secure than passwords, according to the description. Passkeys, unlike passwords, cannot be remotely stolen by hackers. Physical access to the user’s device is required for a hacker to obtain a passkey, which is substantially more difficult than commencing a phishing campaign.
Arnar Birgisson and Diana Smetters, Google engineers, stated, “Unlike passwords, passkeys can only exist on your devices. They cannot be written down or accidentally given to a bad actor.”
The technology is founded on a method of encryption known as public-key cryptography. Public-key cryptography has been utilized for decades and serves as the foundation for a vast array of cybersecurity systems. Among other technologies, it powers the HTTP protocol that connects browsers to websites securely.
Public-key cryptography requires two components: an encryption algorithm and a piece of information known as a public key. Users enter the public key into the encryption algorithm, which can then scramble data. These files can only be decrypted using a so-called private key, a string of numbers and letters that serves as a password.
The new login feature of Google engages the technology for authentication. To access a Google account, a device must decrypt a fragment of data encrypted using public-key cryptography. The private key, the passkey kept on the user’s computer or mobile device, is required for decryption.
A computer science construct known as a one-way function forms the theoretical basis of public-key cryptography. One-way functions are computations that are straightforward to execute but extremely challenging to reverse engineer. In the case of Google’s new login feature, hackers cannot predict a user’s passkey.
Google says that users who enable passkeys will no longer be required to use two-factor authentication or passwords due to the enhanced security of the technology. However, the latter two authentication methods will continue to be supported.
Hackers can access Google accounts by stealing and unlocking devices using passkeys. The search engine will enable users to remotely revoke passkeys via the account preferences page to mitigate this risk.
Google’s new authentication system mitigates additional categories of threats. Theoretically, users can lose access to their online accounts if they abandon the device containing their passkeys. To mitigate this risk, the technology enables the synchronization of a single passkey to multiple devices or the generation of unique passkeys for each machine.
Birgisson and Smetters said, “If you create a passkey on your iPhone, that passkey will also be available on your other Apple devices if they are signed in to the same iCloud account. This protects you from being locked out of your account in case you lose your devices and makes it easier for you to upgrade from one device to another.”
Google is among the tech titans implementing passkey support for their services. Microsoft Corporation and Apple Inc. both announced plans to make the technology more accessible to their respective consumers in May of 2017. An increasing number of additional businesses are implementing passkeys.