
Google Trials Passwordless Login Across Workspace and Cloud Accounts (theverge.com) 48

Google has taken a significant step toward a passwordless future with the start of an open beta for passkeys on Workspace accounts. From a report: Starting today, June 5th, over 9 million organizations can allow their users to sign in to a Google Workspace or Google Cloud account using a passkey instead of their usual passwords.

Passkeys are a new form of passwordless sign-in tech developed by the FIDO Alliance, whose members include industry giants like Google, Apple, and Microsoft. Passkeys allow users to log in to websites and apps using their device's own authentication, such as a laptop with Windows Hello, an Android phone with a fingerprint sensor, or an iPhone with Face ID, instead of traditional passwords and other sign-in systems like 2FA or SMS verification. Because passkeys are based on public key cryptographic protocols, there's no fixed "sequence" that can be stolen or leaked in phishing attacks.
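The summary's claim that a passkey leaves nothing "that can be stolen or leaked in phishing attacks" rests on two details of the WebAuthn ceremony: the authenticator signs a fresh per-login challenge together with the browser-supplied origin and a hash of the relying-party ID, and the server keeps only a public key. The following Go program is an added, simplified model of that ceremony, not code from Google or the FIDO Alliance; the types and function names (Authenticator, Credential, Register, Assert, Verify) are assumptions made here for illustration, and the authenticator-data layout is reduced to rpIdHash, flags and counter. It shows a legitimate login verifying, then a replayed assertion and an assertion signed for a phishing origin both failing at the relying party.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator is the device-side half of a passkey (hypothetical model): a
// private key that never leaves the device, bound at creation to one rpID.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	rpID    string
	counter uint32
}

// Credential is all the relying party (RP) stores: public key, rpID, counter.
// A breach of this record gives an attacker nothing to log in with.
type Credential struct {
	Pub     *ecdsa.PublicKey
	RPID    string
	Counter uint32
}

// Assertion is what the browser returns to the RP after user verification.
type Assertion struct{ ClientDataJSON, AuthData, Signature []byte }

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// NewChallenge is the fresh per-login nonce the RP must generate itself.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Register creates a passkey scoped to rpID and hands the RP only the public half.
func Register(rpID string) (*Authenticator, Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return &Authenticator{priv: priv, rpID: rpID}, Credential{Pub: &priv.PublicKey, RPID: rpID}, nil
}

// Assert models navigator.credentials.get(): the browser, not the page, fills in
// origin; the authenticator signs sha256(authData || sha256(clientDataJSON)) with ES256.
func (a *Authenticator) Assert(origin string, challenge []byte) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	a.counter++
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := append([]byte{}, rpHash[:]...)
	authData = append(authData, 0x05) // flags: user present (UP) + user verified (UV)
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, a.counter)
	authData = append(authData, ctr...)
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{ClientDataJSON: cd, AuthData: authData, Signature: sig}, nil
}

// Verify is the RP-side check; each rejection maps to an attack class:
// replay, phishing origin, wrong RP scope, cloned authenticator, forgery.
func Verify(cred *Credential, rpID, origin string, challenge []byte, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != origin {
		return fmt.Errorf("origin %q is not the RP's origin: phishing page", cd.Origin)
	}
	if len(as.AuthData) < 37 {
		return errors.New("authenticator data too short")
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(as.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch: key not scoped to this RP")
	}
	ctr := binary.BigEndian.Uint32(as.AuthData[33:37])
	if ctr <= cred.Counter { // simplified: real RPs also allow both counters being zero
		return errors.New("signature counter did not increase: cloned authenticator?")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(cred.Pub, digest[:], as.Signature) {
		return errors.New("signature does not verify")
	}
	cred.Counter = ctr
	return nil
}

func main() {
	auth, cred, _ := Register("example.com")
	ch := NewChallenge()
	as, _ := auth.Assert("https://example.com", ch)
	fmt.Println("legitimate login:", Verify(&cred, "example.com", "https://example.com", ch, as))
	fmt.Println("replayed assertion:", Verify(&cred, "example.com", "https://example.com", NewChallenge(), as))
	ch2 := NewChallenge()
	as2, _ := auth.Assert("https://example.com.evil.test", ch2) // a real browser would not even offer the key here
	fmt.Println("phished assertion:", Verify(&cred, "example.com", "https://example.com", ch2, as2))
}
```

In a real browser the phishing case is stopped one step earlier, because a passkey registered for example.com is never offered to a page on example.com.evil.test; the origin check in Verify is the server-side backstop. The part the thread's sceptics are right about is out of scope for this check: everything here assumes the device holding the private key and performing the unlock is not itself compromised.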

  • by Archangel Michael ( 180766 ) on Monday June 05, 2023 @10:13AM (#63577159) Journal

    CAN be spoofed. Further, the government can COMPEL you to unlock your device, and now your ACCOUNTS, because they have ruled that the Fourth and Fifth Amendments don't apply to biometric passkeys.

    • by kqs ( 1038910 ) on Monday June 05, 2023 @10:39AM (#63577231)

      Yes indeed. If your threat model includes wealthy government agencies or if you have very good password+2FA discipline, please DO NOT use passkeys. They will be a net loss in security. You are not the target audience.

      If, on the other hand, you use similar passwords on different accounts and only set up 2FA when you are forced to, then please switch to passkeys. You'll get a net gain in security and convenience, the internet will have a net drop in hacked accounts, and life will be slightly better for everyone.

      Complaining that passkeys are not 100% secure is like complaining that seatbelts are not as good as a 5 point harness. Yes, we all know, nobody is claiming differently, but they are used in different circumstances.

      • Increasingly, people aren't allowed to choose what is best for their given situation. That's the real problem.

        I can't tell you how many times I've been "proactively" locked out of an account "for my security" and had to jump through hoops to get it back. It's nice that 2FA and other things exist, but if anyone forces you to use them, it's certainly not for your benefit.

    • by AmiMoJo ( 196126 )

      I doubt corporate customers care about that. Legal compliance is part of their business, and attacks on biometrics are extremely uncommon. Far less common than shoulder surfing, employees selecting poor passwords, passwords being written down, passwords being shared etc.

      You have to remember that the current state of corporate security is a shitshow, and stuff like this is a massive improvement.

      Obviously if you are an enemy of the state, don't enable biometrics.

      • by apparently ( 756613 ) on Monday June 05, 2023 @11:01AM (#63577305)
        > attacks on biometrics are extremely uncommon.

        Attacks on biometrics will only be uncommon as long as usage of biometrics is uncommon; as soon as usage becomes common, so will the attacks, and then what's your plan? Change your face and fingerprints?
        • by Zak3056 ( 69287 )

          > Change your face and fingerprints?

          The auditors and cyberinsurance people will probably insist you do so, and that you do so a minimum of every 90 days. "Additionally, we recommend that all biometrics incorporate at least six fingerprints from multiple hands, three retina prints, and an additional authentication factor named "Vinnie" who will vet all access attempts and return a boolean response of "I dunno about dat guy" or "yeah, he's cool."

        • by zlives ( 2009072 )

          i think the bigger issue is that device authentication relies on device being not compromised. once the device is compromised, all your bases are lost.
          "instead of traditional passwords and other sign-in systems like 2FA or SMS verification."
          it is yet another factor in MFA if you care for security, not replacement.

        • by AmiMoJo ( 196126 )

          Biometrics are already common. Every phone has some form of biometric unlock. There is a massive market for unlocking stolen devices, accessing accounts on them.

    • PIN is okay for verification too.

      • PS. well theoretically that's sufficient for WebAuthn any way, Apple forces biometric for passkeys for their implementation.

        • Another issue I see with FIDO. The companies can pick and choose what ever method they want.
          They should have to support all of them.
    • by EvilSS ( 557649 )

      > CAN be spoofed. Further, the government can COMPEL you to unlock your device, and now your ACCOUNTS, because they have ruled that the Fourth and Fifth Amendments don't apply to biometric passkeys.

      So don't set up biometrics on your phone and you're good. Passkeys rely on your phone's security to unlock your device, it does not HAVE to be biometrics. If your phone supports PIN or a regular password then that is what you will use.

    • Even if they can't be spoofed - they're still not safe! Ie, walk away from your computer to go the restroom while at work, someone else sits down at your computer and now has password free access to you personal accounts! Same if you lose the phone while it's unlocked.

      This is a BAD idea! Yes, people make bad passwords, they reuse passwords, but this scheme is not improving the situation.

      Remember, rule one of computer security: Convenience and security do not mix! If you make a scheme more convenient th

    • > CAN be spoofed. Further, the government can COMPEL you to unlock your device, and now your ACCOUNTS, because they have ruled that the Fourth and Fifth Amendments don't apply to biometric passkeys.

      When the Top 10 Worst Passwords list reflects that humans will never learn no matter how bad the threat has increased to (e.g. identity theft), it tends to clarify why even half-assed biometric solutions are an improvement on that problem.

      I'd get used to machines doing it for you, because society isn't getting any smarter no matter how "educated" they are.

    • It isn't just this. Almost all 2 factor authentication as implemented by the big internet companies is not even about security and much less privacy. The 2 factor authentication mechanisms are all implemented in a way that forces you to tie an account to a REAL person... not just an online identity that you can choose allow someone else to access, or very easily couple and decouple from devices, locations or applications. 2 factor is fine and good as long as it doesn't force you into divulging your real ide

  • As it requires the device directly or to be within bluetooth range of the device doing the authentication and many desktops do not have bluetooth..

    • by bjwest ( 14070 )
      You can add a USB Bluetooth adapter to any desktop for less than $10.
      • by DarkRookie2 ( 5551422 ) on Monday June 05, 2023 @10:39AM (#63577229)
        My phone is not a secure trusted device. No matter how much Google says otherwise.
        • by MeNeXT ( 200840 )

          If I had mod points I'd figure out a way to give you all of them.

          My phone is the only device that I have no way to secure. Not only that, it's the only device that I have that I can't configure how I want it. I can't even configure it to keep my activity private.

        • Worse than that, a phone is a single point of failure. Almost every aspect of most peoples' lives go through a phone, and it's all wrapped up in a cozy walled garden you don't control.

          I don't have one, because I don't need one. Alas, there will probably come a point where I can't buy groceries unless I have one. My bank is already warning me that if I don't enable text somethingorothers, they may consider my account insecure. I'll probably have to switch to another bank... again.

    • by AmiMoJo ( 196126 )

      It doesn't require a wireless connection to the machine. If you are logged in on your Android phone it can display the authentication request via Google's cloud.

      • That doesn't sound sketchy in the least.
      • > If you are logged in on your Android phone it can display the authentication request via Google's cloud.

        If I understand you correctly, you are saying that this is somehow not a security disaster waiting to happen. I must be misunderstanding you, though, because it clearly is a disaster waiting to happen.

        • > If I understand you correctly, you are saying that this is somehow not a security disaster waiting to happen. I must be misunderstanding you, though, because it clearly is a disaster waiting to happen.

          I really dont understand the knee-jerk negativity to anything new that is so common here on slashdot.

          Passwords are a terrible and honestly insane solution to remote network logins. They are the "mailing cash" of security design, and have been obsolete since the 80's.

          People have long since stopped using th

          • > People have long since stopped using them for SSH remote admin access in favor of public key authentication, which is much more sane.
            Agreed, I'm one of them. Doesn't make me reach for my phone, though. Works overseas when my phone has a local SIM, or when some sites refuse to accept GoogleVoice numbers.
  • I don't trust biometrics. They are immutable.
    I also do not want to deal with the pain in the ass that is having a password on my phone.
    Stop trying to turn my iPod and porn video viewer into a security device.
    • by kqs ( 1038910 )

      If you don't like passkeys, then don't use them. Nobody is forcing you.

      Passkeys are not straight biometrics. They are generally private keys in physically (mostly-)secure devices (something you have) gated with biometrics (something you are). They are not as secure as a good password plus a good 2FA, but they are far better than what most people use. Don't let the perfect be the enemy of the good.

      • This reads and past articles have read, that this will be the only option.
        • This is a deliberate marketing push because they are thinking people would understand easier if they're told you are logging in to a website with your fingerprint or face ID instead of logging in with some private key handled in various ways on the device which can but not necessarily include biometrics to secure it.

    • by gtall ( 79522 )

      I don't trust fingerprint scanners. I originally tried one on a Mac laptop and it never would accept the first print. After that I figured if it was that dodgy, I didn't want my access to the device dependent on their fingerprint whizzy.

    • > my...porn video viewer...device.

      (Narrator) "And millions of men stood conflicted over whether to deliver ridicule, or ask for the hardware specs in a porn-riddled world still crippled by keyboards..."

      • Samsung S10e. Nothing special. Got it because it was cheap. Total mistake. Samsung is so full of bloat, it isn't even funny. Shouldn't have taken that recommendation.
  • I hate Apple ... I don't particularly like Google. Google pushing passkeys when their greatest competitor has the only functioning passkey ecosystem across mobile and laptops/desktops pains me.

    They should get Android/ChromeOS passkey syncing working before pushing it on their services.

    • Supporting passkeys is not the same as pushing it.

      You have to start somewhere. The problem that we have with passwords is that we are asking every web service to keep our keys safe. Passkeys turns that paradigm around 180 degrees.

  • So, my reading on this:
    1. Is that you will need to have an expensive/insecure piece of hardware to access your accounts in future.
    2. Corps don't actually have to do all the methods. Just the ones they want. So Microsoft and Google could just refuse all authentication but their own.
    3. It seems like this does not play nicely across device types and OSes. This seems like a complete pain in the ass.
    4. This seems far from complete but they are pushing it.
    • 1. You can also use a FIDO security key, so not dependent on a phone.
      2. The solution here is not to use Google/Microsoft to sign in to other 3rd party services
      3. From what I understand the main issue is with data export and synching. So, if you use passkeys on an iDevice, you might not be able to easily share the data with an Android device, for example. However, several password managers have Passkeys support in the pipeline and these do have inter-platform communication support.
      4. The passkey infrastructu

  • If your account has 2-Step Verification or is enrolled in the Advanced Protection Program, you will bypass your second authentication step by signing in with a passkey, since this verifies that you have possession of your device.

    Even if you sign out of your Google Account, once you create a passkey on a device, anyone who can unlock the device can sign back into your Google Account with the passkey.

    This continues a demand for a single device to unlock everything.

    Check what you need to create a passkey
    =================
    You can create passkeys on these devices [thus, using them to log-in]:

    • A laptop or desktop that runs at least Windows 10, macOS Ventura, or ChromeOS 109
    • A mobile device that runs at least iOS 16 or Android 9
    • A hardware security key that supports the FIDO2 protocol

    Your computer or mobile device will also need a supported browser like:

    • Chrome 109 or up
    • Safari 16 or up
    • Edge 109 or up

    To create and use a passkey, your device must have the following enabled:

    • Screen lock
    • Bluetooth (If you want to use a passkey on a phone to sign in to another computer)

    Use your passkey to sign in on a different device
    =================
    To sign in to your account on a computer, you can use a passkey created on a mobile device [via Bluetooth?].

    After you sign in, you may be offered to create a passkey on the computer. Remember to accept only if you own or control the [computer].

    No support from Firefox; a USB FIDO key will be required.
