Passwordless Google Accounts Are Here - You Can Now Switch To Passkey-Only

Google is taking a big step toward our supposedly passwordless future by enabling passkey-only Google accounts. From a report: In the blog post, titled "The beginning of the end of the password," Google says: "We've begun rolling out support for passkeys across Google Accounts on all major platforms. They'll be an additional option that people can use to sign in, alongside passwords, 2-Step Verification (2SV), etc." Previously, you've been able to use a passkey with a Google account as part of two-factor authentication, but that was always in addition to a password. Now it's possible to use a Google account with a passkey instead of a password.

A passkey, if you haven't heard of the new authentication method, is a new way to log in to apps and websites and may someday replace a password. Password entry began as a simple text box for humans, and those text boxes slowly had automation and complication bolted onto them as the desire for higher security arrived. While you used to type a remembered word into a password field, today, the right way to use a password is to have a password manager paste a random string of characters into the password box. Since few of us physically type in our passwords, passkeys remove the password box. Passkeys have your operating system directly swap public-private keypairs -- the "WebAuthn" standard -- with a website, and that's how you get authenticated. Google's demo of how this will work on a phone looks great -- the usual box asks for your Google username, then instead of a password, it asks for a fingerprint, which unlocks the passkey system, and you're logged in. Google's passwordless support is headed for consumer devices right now, while business Google Workspace accounts will "soon" have the option to enable passkeys for end users.

What could go wrong using the same biometrics?

[Fajita King]

Lets just use our biometrics to log into everything. What could possibly go wrong?

Re:

[kqs]

Given how many people use the same password on multiple accounts, biometrics won't be any worse.

This "passkey" is less secure than a good password-per-site plus a second factor of course. But it will be more secure than the mediocre passwords that many folks use, and it will be easier to use. So I'm cautiously optimistic about this.

Re:What could go wrong using the same biometrics?

[DarkRookie2]

I doubt it will be easier. From the article.

To quote the FIDO Alliance page, passkeys are "synced to all the user’s other devices running the same OS platform" [emphasis ours].

All well and good if you are like that, but my phone is Android, work computer Windows, and home desktop Tumbleweed. This sounds like I will have a royal pain in the ass. Not only that, my desktop doesn't have biometrics and its out of the way on the work laptop, and I am not trusting the iPod with ability to view porn online as a security device.

Re:What could go wrong using the same biometrics?

[ChatHuant]

Given how many people use the same password on multiple accounts, biometrics won't be any worse.

Even with reuse, a password can still be changed in some emergency situation - even if it involves effort and can be a bit of a pain (intellectually). What if you find you need to change your fingerprints? Even if you could, the pain wouldn't be limited to the intellect...

Re:

[spth]

You can't. Sanding off fingerprints or etching off with acid have been tried by wanted criminals to escape the police. But the fingerprints just regrew to the same pattern as before.

Re:

[dirk]

Well, if you are going for silly scenarios like that, all they need to do is change the finger they use. If someone magically find a way to mimic your thumbprints and get into the phone, just change the other thumb. That gets hacked, you have 8 other fingers.

Re:

[burtosis]

That gets hacked, you have 8 other fingers

Not common knowledge, but run outta those and there are a few more dangly bits you can use.

Re:

[sjames]

Drink one glass of anything and 5 of the 10 available prints are captured in one go.

Re:

[jbengt]

Well, if you are going for silly scenarios like that, all they need to do is change the finger they use.

At the airport I regularly do work for, most of the newer security points require workers to tap their badge and put their index finger on the fingerprint scanner. That routinely fails, and if it keeps failing after cleaning the scanner, the security guard asks you to switch to the other index finger, which usually works. I wonder if all these web fingerprints will fail as often, or if maybe they're le

Re:

[kqs]

Since it uses your phone or laptop, and the fingerprint scanners on my phone and laptop seem to work 95% of the time (and a second attempt works if the first one failed), I assume it will be fine.

Re:

[ewibble]

That just means I can't change my username, seriously if you aren't in total control of the scanning device once someone captures your face of fingerprint they have it forever.

Re:What could go wrong using the same biometrics?

[AmiMoJo]

How often do we see fingerprint cloning attacks? They are basically spy movie nonsense. Impractical for all but the most capable adversaries, and even then difficult to execute against modern sensors.

Note that this doesn't send your fingerprint to Google or anyone else. A secret is stored securely in the phone, and the fingerprint simply authorises the secure storage to perform some public key crypto with it. The secret never leaves your device either. If a website using the system gets hacked, it only affects that website as the key is different for every one.

Obviously if you are concerned then use a password as well, but those can be hit and miss due to often very poor rules on length and content. Using both is recommended.

Re:What could go wrong using the same biometrics?

[narcc]

Fingerprint attacks are trivial to execute. A determined teenage could do it. As could a suspicious romantic partner.

Not only do you leave your fingerprints everywhere, but back in 2008 the CCC was able to capture a fingerprint from a photograph.

Let's also not forget that police don't need your permission to use your own finger to unlock your phone. That alone should make it a non-starter.

Re:

[cbm64]

Fingerprint attacks are trivial to execute. A determined teenage could do it. As could a suspicious romantic partner.

Not only do you leave your fingerprints everywhere, but back in 2008 the CCC was able to capture a fingerprint from a photograph.

Let's also not forget that police don't need your permission to use your own finger to unlock your phone. That alone should make it a non-starter.

But they would need the key-pair on your device TPM chip as well? That token is what fingerprint unlocks. That combination is hardly trivial to hack.

Re:

[narcc]

But they would need the key-pair on your device TPM chip as well? That token is what fingerprint unlocks.

The police can just use your finger. Everyone else can make a fake fingerprint. It's a fun and easy 'quick craft'.

Re:

[cbm64]

I wasn't as much referring to police level attempts as the claim this was trivial for a teenager to hack. Having access to you and your device is a very different security situation than hacking accounts over the internet, which is a several order of magnitude bigger risk.

Re:

[narcc]

Most people aren't all that important. If someone wants access to their phone, it's usually the police, a lover, or a family member. Again, it's trivial to bypass a fingerprint lock.

As for hacking over the internet, there are many, many, other vectors. The fingerprint side doesn't enter into it at all.

Re:

[cbm64]

As for hacking over the internet, there are many, many, other vectors. The fingerprint side doesn't enter into it at all.

Well that is exactly what it does when it replaces passwords and make hacking over internet that much more difficult. Password hacking over the internet is a several order of magnitude bigger security problem today than people with local access to device and person.

Re:

[narcc]

Fingerprints don't help with that problem at all.

Re: What could go wrong using the same biometrics?

[cbm64]

So your claim is that remote over the Internet mass hacking of fingerprints is as easy as same is today with passwords?

Re:

[narcc]

I'm saying you don't understand the problem.

Re:

[cbm64]

The problem is passwords and how easily compromised they are at scale, remotely over the net, automated, in reality today. Your fingerprint criticism keep narrowing down the problem and examples to having local physical access to both person and device. An order of several magnitudes smaller problem.

Re:

[narcc]

Fingerprints won't help with that problem.

Re:What could go wrong using the same biometrics?

[unfortunateson]

Also please remember that police can demand your fingerprint and other biometrics, but currently do not have the right to demand your passwords.
I'm not a criminal, but in case I ever want to be one, I'd prefer not to make it easy to have my information accessed by The Man.

Re:

[kqs]

This is the first reasonable objection I have seen to the "passkey" idea. Most objections are random "Look, Ma, I'm sooooo smart!" complaints, but this one is valid.

Basically, "passkeys" seem to replace bad passwords (think of people who use the same password on all of their accounts). If you use a password manager, don't use passkeys. If you use 2FA when you are not forced to, don't use passkeys. If you know to never EVER talk to police, don't use passskeys. But for 80+% of people, a passkey will be w

Re:

[layabout]

Law enforcement will love this. If they want to compel you to reveal the password, they need a court order, however, if you protect your data with biometrics, no warrant is needed. Cops can force you to use your biometrics and you have no legal right to refuse.

Re:

[Methadras]

I think a password system is still better for a couple of reasons 1) Only you are the one that knows your password (theoretically). If you share it, well, you deserve any misery coming your way. 2) If you forget your password, there are ways to retrieve it. 3) If those ways fail, then no one has your password nor do they have access to your files, email, whatever. The downside to biometric/passwordless input is government. Meaning, if you are arrested or detained, they can use your eye, face, or fingerprint

Never used one...

[cayenne8]

While I've heard of password managers...I've never used one.

How common is it with the slashdot crowd?

The article then says unlock your passkey with biometrics....no thank you.

I don't use biometrics either...so far, passwords work just find for me.

I see no reason to change.

Re:

[Fajita King]

Password managers are pretty common if your working with something where you want a bit higher security and have a need to share administrator passwords. Are they perfect? No - and they are literately the keys to the castle. Do they make life easier? Yes Do they make an environment more secure? It depends on how they are managed.

Re:

[kqs]

I use a password manager (with "cloud" storage) for 95% of my passwords. It's a slight drop in security, and a major jump in reliability, usability, and share-ability (I can share certain passwords with my wife). I've decided the trade-off works for me.

A password lets you use different complex passwords for every site, including sites you access once every two years.

Re:

[im_thatoneguy]

The article then says unlock your passkey with biometrics....no thank you.

You don't actually unlock directly with your biometrics. You store a key-pair on your TPM chip. Then you retrieve the token on your TPM and send that.

Hackers would need your biometric data and your keystore/TPM hardware to retrieve the token and even then as soon as you lost your device and reported it lost you can invalidate all keys that were on the hardware.

This is exactly how almost every web-api works these days.
You authenticate and generate an API-Key that then can renew itself to request a new API

Re:

[cayenne8]

You don't actually unlock directly with your biometrics. You store a key-pair on your TPM chip. Then you retrieve the token on your TPM and send that.

I don't want to use any biometrics for any purpose....ever.

Re:

[paralumina01]

I use a notebook.

Re:

[narcc]

A popular solution was / is to have some standard way to modify a complex password you've already memorized. Whatever rule is comfortable. Something like the third and fourth characters are the same as the first and third characters in the domain and adding a special character based on the length. It keeps all of your passwords unique and still easy to remember.

Re:

[sean-it-all]

Not the right question. Here's a dozy: What will happen to the people who have to manage your estate? Will they be locked out of everything while the bank pretends you're not dead. Or will they login and cancel everything. https://www.justvanilla.com/bl... [justvanilla.com]. It solves the rotation problem for me and allows me to check if I've reused it everywhere. Device based are more secure than browser based so depending on the nature it may only get stored in one. I would prefer device based as well as it's something I

Re: Never used one...

[bradley13]

I imagine most /.ers use password managers. You should use a different password for every website or service. That way, if one site gets hacked (or you get phished), the damage is contained.

But one *good* password per site is impossible to remember. By now, I have accumulated hundreds of passwords. Add in site-specific rules for those passwords, and I cannot imagine life without a password manager.

FWIW I recommend an offline manager, such as Keepass. I don't totally trust the online managers - one malici

Re:

[PIC16F628]

I use a local (not cloud based) password manager - It's a highly useful - I have so many passwords - I would have never remembered them otherwise. Plus it generates random ones as per user-defined policy etc.

How can I recover my passkeys when I lose them?

[cyronix99]

What happens if my harddrive fails, my phone gets locked and all data is gone? How can I recover my passwords?!

Re:

[kqs]

Same way if you forget your sufficiently-complex password and you lose the paper with all of your passwords. Security is unreliable, reliability is insecure, pick the trade-offs that work for you. Given how terrible password are, "passkeys" are likely to be an improvement; they sure cannot be worse!

Re:

[AnOnyxMouseCoward]

Here's the deal though. You can reuse the same password, with slight variations, and if you use the same password you won't forget it. And you can even make it super long, so that it's really hard to crack (because I hate the "8 characters, one is a caps, one is a symbol, one is a number" crap). Example, "mypasswordissuperlong1010Slashdot" vs. "mypasswordissuperlong1010Gmail". Okay sure, if a database gets leaked, people will know my password, and then they'll manually have to change the last word with what

Re:

[kqs]

Sure. If you already have a reasonably-sane password policy, or if you voluntarily use 2FA, then don't use passkeys: you are NOT the target audience. The target audience is the 80+% of humanity who re-use the same password in multiple places, will not use a password manager, and think 2FA is way to complex. The target audience is the 80+% of humanity who only have a lock code on their phone because Apple and Google force you to add one. If you ever think about security trade-offs then passkeys are proba

Re:

[SirSlud]

*if* you use passwords, where "you" is the average user, "you" have a high chance of having a very lousy password policy or system or whatever. Hence general best practice, aimed at all users, is to use passkeys over passwords. "Don't have sex if you don't wanna have a kid" is an airtight policy if people followed it, but they don't.

Real solutions engage with the world the way it is, not the way we wish it was - and the way we wish it was can often be boiled down to wishing humans were rational actors. They

Used to have a google account, once

[Anonymous Coward]

Until it got randomly disabled. Walked away and never looked back.

Large corporations are not proper arbiters of identity.

Re:

[BeaverCleaver]

Large corporations are not proper arbiters of identity.

Amen.

Security Fallacy

[CptnBlood]

Your thumbprint, much like your face, is a user ID not a password. This is a much less secure way to go about things. The keys may be longer and more complex, but the number of access vectors to the keys just shot through the roof.

Re:

[aldousd666]

It's more secure than a userid, but less so than a password. To wit, you have to 'have' it, as opposed to just 'knowing' it.

FIDO authenticator levels

[serafean]

First off - what happens when I lose access to all my devices?

Now the details:
Passkey uses FIDO underneath, FIDO authenticators have certification levels. [1]
Event to get "only" L1 certified, one has to shell out $6000.
The Level required is set by the party requesting authentication (in this case Google).

How could this work if I want to use/write an opensource authenticator app? Could Google deny access through it? (yes, it could, from experience: NitroKey isn't L2 certified, my country's e-govt refuses to

Re:FIDO authenticator levels

[ctilsie242]

I've been figuring this one out myself. Right now, I have YubiKeys, and have some offsite, so if I lose my device, my place burns down, or I have to evacuate, I have something to go on.

At least right now, Google allows TOTP keys to be used. These are a decent standard, and there are many, many apps which can use them. I use one password manager for passwords, and another for the TOTP shared secrets. At least these work, and if you choose your program carefully, can be backed up and saved off, so if your sync gets corrupted, you still can reload your TOTP stuff. The old-school six digit Google Authenticator is still a solid performer. Yes, FIDO keys are more secure, but having the app for a backup can ensure your access can be recovered.

What would be nice is to have some type of recovery standard that isn't device focused. Perhaps a Password Card [passwordcard.org] would be nice. Something that can be taken offline and filed with paperwork. Or, perhaps a device whose sole function in life is to be a recovery key. It would have an e-Ink display, get power (and no data) from a USB port, and when one typed in a challenge code, it would pop up a response code, so it wasn't time based. Something simple that could be tossed in a safe, drawer, or other secure place and forgotten about until a recovery is needed.

Something you know vs. something you have

[Tokolosh]

In the US, the government can compel you to provide something you have (fingerprint, passkey). But it cannot compel something you know (password).

Choose carefully

Re:

[uncqual]

The question of if you can be compelled to provide "something you know" (a password for the sake of discussion) is not fully resolved.

In some cases the courts have considered the password to be like a physical key - a piece of evidence which you can be compelled to produce (with a warrant of course). I.e., just like a piece of paper that you had written the password on which unquestionably would be subject to seizure and usable as evidence with a proper warrant and search.

Sometimes the question is if the pr

Re:

[sean-it-all]

There are some nasty laws on this where you can disappear for 2-3 weeks in some western countries with no court hearing for being a terry. At that point it's likely you can be compelled to hand over whatever password you're protecting. what constitutes a terry, we'll anything under the sun that we don't like.

Re:

[dohzer]

Time to memorise my fingerprints I can't be compelled to provide them. Checkmate, Obamna!

Not just "No", but ...

[fahrbot-bot]

then instead of a password, it asks for a fingerprint, which unlocks the passkey system

Hell no. I like my accounts locked with "something I know", that I don't have to divulge. Not a fan of all my accounts being accessible by simply supplying a fingerprint, or facial recognition, or something not otherwise (legally) protected.

Re:

[uncqual]

Passwords are not necessarily "legally protected". The case law on this is unsettled and will likely remain so at least until the Supreme Court rules on it. See my comment responding to the comment prior to yours.

40 years in IT has "erased" my fingerprints

[okvol]

Forty years of typing in IT, and the local police department could not take my fingerprints for IT certification for handling police data. I tried to setup a fingerprint for my phone, but it failed multiple times, just like the livescan system the local PD used. My point is, not everyone has usable fingerprints.

Re:

[Radical Moderate]

This. We have a system at work that uses fingerprints and a code for access, won't read my fingerprint. My phone usually can, but it's kind of spotty.

Re:

[fahrbot-bot]

Forty years of typing in IT, and the local police department could not take my fingerprints for IT certification for handling police data. I tried to setup a fingerprint for my phone, but it failed multiple times, just like the livescan system the local PD used. My point is, not everyone has usable fingerprints.

I had this happen way back when I had to be fingerprinted to work at NASA Langley. My fingers were roughed up from working on my car and I had to wait a week or so for them to heal/clear up so they could take good prints. It would suck now to be locked out of my accounts for that.

Re:

[SirSlud]

Using your fingerprint is an *option*, not a *requirement* for passkey proof. So if you can't use it, you can't use it. Use another method.

They want MORE control over us?

[BeaverCleaver]

Google already knows where we go online (thanks to the dominance of the Chrome browser), where we go in the real world (thanks to the location tracking in Android, which is *very* hard to turn off completely, plus the location sharing in Chrome), everything we type (well, almost everything, thanks to gmail and swipe typing on Android), everything we see (thanks to youtube). Most people have at least one of android phone, chrome browser, gmail account or youtube.

Does anyone except Google really think it's a good idea to give Google control over our passwords too?

So, are fingerprints secure or not?

[zephvark]

Google appears to be claiming that fingerprint scanning is secure and reliable, here.

However, every time they push an OS update to my Android phones, I am required to log in with a password. They won't accept a fingerprint. If you've forgotten your password, the update just bricked your phone! Cool!

Possibly, they should be looking at removing fingerprint support, rather than removing password support.

Question

[NotEmmanuelGoldstein]

... which unlocks the passkey system ...

So how do I get my "passkey system" onto an office computer? And off it, when I'm finished.

This is obviously a "something you have" technology, bringing all the same old problems: What happens when it is stolen? What happens when I get a new laptop/phone? What happens when I'm using an unsecured (public/office) device?

I'll bet the answer will be sign all your devices into the one account (and log-out to maintain 'privacy'):
Google Chrome and its automatic "save your password" means I can access the

Not passwordless...

[JasterBobaMereel]

Just a password you don't know, and can't enter manually ..

passkeys across Google Accounts. hacked???

[bsdetector101]

passkeys across Google Accounts.... How soon will it be, before Google passkeys are hacked ? Sooner or later, everything is broken into. Remember how highly touted Crypto/Bitcoin/usage was at being secure and untraceable ! I'll bet $1 million Bitcoin on it (which I don't own...yet).

seriously? only a few still type passwords?

[blastard]

"Since few of us physically type in our passwords"

What seems to be happening is these people are living in a bubble with others who act like them and believe they are seeing the whole picture.

Where I live, most of us still type in our passwords. Many use password managers but many do not. I will not speculate as to precise percentages, but the number that still type in passwords is hardly just a few.

Re:

[account_deleted]

Comment removed based on user account deletion