Google Makes Passkeys the Default Sign-in Method For All Users (techcrunch.com)
Google has announced that passkeys, touted by the tech giant as the "beginning of the end" for passwords, are becoming the default sign-in method for all users. From a report: Passkeys are a phishing-resistant alternative to passwords that allow users to sign into accounts using the same biometrics or PINs they use to unlock their devices, or with a physical security key. This removes the need for users to rely on the traditional username-password combination, which has long been susceptible to phishing, credential stuffing attacks, keylogger malware, or simply being forgotten. While security technologies such as multi-factor authentication and password managers add an extra layer of security to password-protected accounts, they are not without flaws. Authentication codes sent via text messages can be intercepted by attackers, for example, and password managers can be (and have been) hacked.
NO! (Score:5, Interesting)
Re: (Score:3)
Re:NO! (Score:5, Insightful)
Thing is, I don't USE biometrics, etc.
I use passwords/userIDs on all my devices, etc.
They don't take into account that not everyone uses a biometric?
the government gave up on mandating biometrics (Score:4, Informative)
I envision ultimately private industry will have to also. There are 508 issues associated with it, which will come up in ADA lawsuits in the private sector. I can deliver a password via a keyboard/screen reader, not so with a passkey.
Re: (Score:2)
Blind rigs, for one. I have a developer I work with who is blind. His reader setup is excellent. Everything more or less has to pass in as text though.
Re: (Score:2)
How does being blind stop you pressing the button on a security key or touching a fingerprint reader?
And even if somehow it did, why can't they use a password just because passkeys exist? How were they logging in before, if not via password?
Re:the government gave up on mandating biometrics (Score:4, Insightful)
Re: (Score:2)
A passkey is generally not biometric and can plug one into usb, NFC or Bluetooth to complete the authentication.
Re:NO! (Score:4, Interesting)
Re: (Score:2)
Most people already have a passkey - their phone. The same biometrics that let them pay for stuff, log into their banking app and so forth are used for passkeys.
On devices that support them, Google now defaults to using them. On devices without passkeys, they continue to default to passwords.
Re:NO! (Score:4, Insightful)
Not everyone uses biometrics on their phones.
I don't and no one I know (even in the tech industry) uses biometrics.
Hell, I know a LOT of people that don't use their phones to "pay" for things. I only recently started with the Apple Card since I could get 3% off large Apple purchases.
Re: (Score:2)
Re: (Score:2)
It works with more than just Google, you know. And they are quite sturdy. Have had mine for years dangling on my key chain with no issue.
Re: (Score:2)
What happens when the passkey dies?
Re: (Score:2)
The account remains permanently secured from unauthorized access for eternity :-)
More seriously, the only way I've heard of anyone getting a password reset etc. done at Google beyond what's available through online self-service is by having connections to a Google employee.
Re: (Score:3)
Re: (Score:2)
They don't take into account that not everyone uses a biometric?
Speaking broadly, authentication can happen in one of three ways, and two factor authentication simply adds a second method:
1) Something you know (e.g., password)
2) Something you have (e.g., TOTP [wikipedia.org], smart card, Yubi Key)
3) Something you are (e.g., biometrics like fingerprints, face id, etc.)
If you aren't using TWO of these on every account you care about, which, at a minimum, should be anything that touches money (including your e-mail), you are set up for failure. I'd have to read more into Google's imp
Re: (Score:2)
At least on OSX every attempt at using a passkey results in a biometric check so it's still 2 factor. A bonus is the passkey is unique to each device so it's easy to revoke when lost.
Re: (Score:2)
This is not my experience. I never setup biometric on my devices and have no issue using a passkey.
Re: (Score:2)
If you aren't using TWO of these on every account you care about, which, at a minimum, should be anything that touches money (including your e-mail), you are set up for failure
Why? What threat model is the basis of this sweeping generalization?
Re: NO! (Score:4, Insightful)
Re: NO! (Score:3, Insightful)
You know what has never been cracked? My passwords. If companies used proper passwords and security themselves, none of my accounts would be on haveibeenpwned.
Re: (Score:2)
Re: (Score:3)
Re: (Score:3)
It isn't more secure. Just makes things worse for the user.
I don't understand why, instead of this Rube Goldberg machine, we couldn't just use our own keys to log into sites ala what is done with ssh.
Re: (Score:2)
I always consider my ssh key just a really long password that's stored and used automatically for me. If someone gets into my ~/.ssh/ directory, it's kind of the same as breaking into my password manager.
Re:NO! (Score:5, Insightful)
True, but unlike a password, it can't be sniffed on the wire because it is never transmitted. It doesn't sit in a database out there in 'the cloud' waiting for the bad guys to steal the whole database either.
Most password problems today are:
SSH type public keys are vulnerable to none of those. You might trick a user into logging in once, but there is no way to replay the login later.
Re: (Score:2)
unlike a password, it can't be sniffed on the wire because it is never transmitted
A password does not ever need to be transmitted in the clear and these days rarely is. If you insist on active clients (i.e. Javascript), like Google does, then a password doesn't need to be transmitted at all. You can treat a password as a seed for public key cryptography, similarly to how your actual wifi pre-shared key isn't your wifi password but generated from it.
Resistance against sniffing is not the difference. What Google wants is that you can't easily choose bad credentials, tell someone what yo
Re:NO! (Score:4, Insightful)
True, but unlike a password, it can't be sniffed on the wire because it is never transmitted.
Passwords don't have to be transmitted.
https://en.wikipedia.org/wiki/... [wikipedia.org]
someone guessed a password.
This is mostly avoidable by imposing limits on authentication attempts.
user tricked into entering password on a fake login screen.
This is mostly a self-own due to global adoption of the insecure practice of allowing password entry into ad hoc forms in the first place. In an alternate reality in which credentials were always entered via SAS and ZKP, the success rate of phishing would be severely curtailed. Even if you tried to log in to the wrong site it wouldn't do an attacker any good.
someone stole a password database from some website
It doesn't sit in a database out there in 'the cloud' waiting for the bad guys to steal the whole database either.
At some level this all just devolves into a pointless shell game. The underlying reality is that all trust relationships are based on the successful guarding of secrets. If not the password database then it is an encryption key that is stolen and you still get owned.
There is an architectural problem with the way most "cloud services" are designed. The correct way to store credentials in application servers is to segregate authentication function from the application server such that once the application server is compromised its password database is worthless to attackers because the application server never had the means of decryption to begin with.
This of course punts the same problem to the authenticator. The difference here is these are less complex single purpose systems designed to much higher quality standards than the custom code written by the lowest bidder that comprise application servers.
What most people actually do is store one way hashes which predictably leads to disaster.
SSH type public keys are vulnerable to none of those. You might trick a user into logging in once, but there is no way to replay the login later.
SSH as typically used relies on an initial leap of faith. If that faith is misplaced the repercussions are by no means limited to a single login.
Re:NO! (Score:4, Informative)
Limiting login attempts slows guessing down but doesn't stop it. If the bad guy doesn't have a particular person's credentials in mind, making 1 guess a day on 10 million accounts is as good as making 10 million guesses a day on one account.
The only leap of faith required for ssh is that the host you connect to is one you want to connect to. But even if it's not, you aren't giving up your credentials to them, they can do nothing with your public key but authenticate your login.
There is a HUGE difference between having to trust dozens of websites to not leak their database or even ONE domain that maintains single sign-ons vs. having to trust only myself.
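The spraying argument above (one guess a day against ten million accounts slips under any per-account lockout) is easy to see in detection logic. The following is an added example, not code from the thread: it runs a per-account lockout and a per-source distinct-account count over constructed log lines. The log format, the addresses, the user names and the thresholds are all invented for the illustration.

```javascript
// Added example, not from the thread: why a per-account lockout misses
// "one guess per account across many accounts" while a per-source view
// catches it. Log format, addresses and thresholds are constructed here.
const SAMPLE_LOG = [
  // One source, a single failure against each of twelve accounts (spraying).
  ...Array.from({ length: 12 }, (_, i) =>
    `2024-05-01T02:${String(i).padStart(2, '0')}:00Z src=203.0.113.5 user=user${i} result=fail`),
  // Another source hammering one account (classic brute force).
  ...Array.from({ length: 6 }, (_, i) =>
    `2024-05-01T02:1${i}:30Z src=198.51.100.7 user=bob result=fail`),
  // A legitimate user who mistypes twice, then succeeds.
  '2024-05-01T03:00:00Z src=192.0.2.44 user=carol result=fail',
  '2024-05-01T03:00:20Z src=192.0.2.44 user=carol result=fail',
  '2024-05-01T03:00:40Z src=192.0.2.44 user=carol result=success',
];

// Parse one constructed log line into an event; unknown lines are dropped.
function parseLine(line) {
  const m = /^(\S+) src=(\S+) user=(\S+) result=(\S+)$/.exec(line);
  if (!m) return null;
  return { ts: m[1], src: m[2], user: m[3], result: m[4] };
}

function parseLog(lines) {
  return lines.map(parseLine).filter(Boolean);
}

// Per-account lockout: any account with >= maxFailures failed attempts.
function lockedAccounts(events, maxFailures) {
  const failures = new Map();
  for (const e of events) {
    if (e.result === 'fail') failures.set(e.user, (failures.get(e.user) || 0) + 1);
  }
  return [...failures].filter(([, n]) => n >= maxFailures).map(([u]) => u).sort();
}

// Per-source view: any source whose failures touch >= minAccounts distinct accounts.
function sprayingSources(events, minAccounts) {
  const perSrc = new Map();
  for (const e of events) {
    if (e.result !== 'fail') continue;
    if (!perSrc.has(e.src)) perSrc.set(e.src, new Set());
    perSrc.get(e.src).add(e.user);
  }
  return [...perSrc].filter(([, users]) => users.size >= minAccounts).map(([src]) => src).sort();
}

// Run both views over the sample. The spraying source never trips the
// lockout (one failure per account), but the per-source view flags it.
function analyse(lines = SAMPLE_LOG) {
  const events = parseLog(lines);
  return { locked: lockedAccounts(events, 5), spraying: sprayingSources(events, 10) };
}

console.log(analyse());
```

Only `bob` is locked, because only his account crossed the per-account threshold; the source that made one attempt per account against twelve accounts shows up only when failures are grouped by source rather than by account.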
Re: (Score:3)
I don't understand why, instead of this Rube Goldberg machine, we couldn't just use our own keys to log into sites ala what is done with ssh.
Your own key to log in is exactly what a passkey is. It's just got access control and a pretty interface wrapped around the keys to make them more secure and more user-friendly.
Re: (Score:2)
Turning off 2FA and
Why would you turn off 2FA? You can share the secret in the QR code between devices. If Google Authenticator cannot do that (no idea, I have never used it), Aegis and other apps certainly can.
Re:NO! (Score:5, Insightful)
Why would you turn off 2FA?
Because 2FA fucking sucks! It turns what used to be an easy, straightforward process into an exercise in hoop-jumping. My bank implemented that lame process, and now my login process has changed from:
1) Enter my password, done!
to
1) Enter my password.
2) Go to the computer that has my email (I don't use Web mail, as I don't want my email permanently stored on someone else's computers).
3) Write down (or memorize) the access code. This sometimes involved tracking down a pen and scrap paper, or looking for my phone to write down the code there.
4) Go back to the computer from which I've logged into the bank.
5) Enter the security code that was emailed to me. Finally done.
There are countless other scenarios just like this. Oh, and I can forget logging into my bank when I'm not at home since my email is intentionally only accessible from home. And no, using my phone (an insecure device by design) for 2FA would be stupid beyond excuse.
There is a very good reason why the humble password has lasted for so long. Nothing else even comes close to being as usable under the many scenarios in which it is needed.
2FA can go rot it Hell.
Re: (Score:3, Interesting)
So you're basically bitching about universal best practices because you don't want to have e-mail accessible from anywhere but home due to paranoia?
You could, if you were so inclined, host your own e-mail server and make it accessible via IMAP from your phone. No data on any device you don't own/control in this scenario. You could also dial the paranoia level down a bit and use a TOTP [wikipedia.org] on your phone, which, assuming it's any reasonably (last 5 years) recent Android or iPhone is secure enough to protect a
Re: (Score:2)
universal best practices
You mean the things the corps shove up our collective asses
Re: (Score:3)
You are the only person I have ever seen in 15+ years of working cybersecurity describe MFA as "corporations shoving it up our collective ass"
Re: (Score:2)
You are the only person I have ever seen in 15+ years of working cybersecurity describe MFA as "corporations shoving it up our collective ass"
The problem with MFA in the non-corporate world is that it doesn't exist for security reasons; it exists to reduce the cost of "I forgot my password". When automated recovery procedures are factored in it isn't adding security.
Slightly changing the subject. Global normalization of the wholly insecure practice of clear text over TLS as an acceptable means of password entry rather than using a means of secure authentication with baked in impersonation resistance is responsible for much of the damage caused b
Re: (Score:3)
Re: (Score:2)
MFA exists because so many users are stupid.
If you think you're too smart to fall for a well crafted spear phish you haven't been paying attention to developments in the security space.
I've seen plenty of smart people fall for phishes. I've seen plenty of smart people fall for social engineering attacks. Your arrogance here may be your downfall one day.
Re: (Score:2)
Same boat here, buddy. MFA isn't a panacea. Twice so if people use the same phone for online banking that they use as the 2FA.
Re:NO! (Score:4, Interesting)
I never claimed it was a panacea. In fact, I never claimed anything, other than it complicates phishing. That's the whole point.
I can share war stories of successful MFA compromises. I've got 1 of those stories for every 15 to 20 stories I have of incident response where there was no MFA.
Using the same phone for online banking has gotten people into trouble. It was covered in MSM earlier this year. Here's just one [businessinsider.com] story. If you're going to use your phone in public you need to exercise awareness of your surroundings, which is, sadly, something that most people are deficient at. If someone steals your unlocked phone (or, even worse, shoulder surfed your PIN), you are in deep trouble. That's the tradeoff for having your entire life contained in a portable device. It's why mine remains locked and out of sight in crowded situations.
Re: (Score:3)
Re: (Score:2)
you control your cell phone and all it does?
Re: (Score:2)
I control who can access it, unless you propose to beat my PIN out of me with a $5 wrench [xkcd.com], which, genius of that comic notwithstanding, is not a significant worry for the vast majority of people. The vast majority of people need to harden themselves against low level scammers and pickpockets/grab robberies. Both Android and iPhone are ample for that use case if the user exercises basic common sense.
Re:NO! (Score:4, Interesting)
So you're basically bitching about universal best practices because you don't want to have e-mail accessible from anywhere but home due to paranoia?
So, you have to reduce your security in order to improve your security. Hmmm.
They say only the paranoid survive.
Re: (Score:3)
Paranoia is not served by only having e-mail on your computer at home. Properly configured, a modern phone is as secure as a modern computer. If you want to take paranoia to the extreme, unless both are within your sight 24/7 and you've taken precautions against TEMPEST attacks, you're still vulnerable. Neither of those are attack vectors the average joe needs to worry about though.
Re: (Score:2, Insightful)
Properly configured, a modern phone is as secure as a modern computer.
That's impossible to know. The phone is running software that is known to none but the makers.
Re: (Score:2)
And you've personally audited the 27+ million lines of code in the Linux kernel and the millions more in all the user space GNU/other FOSS tools on your Linux box?
At some point you have to take things on faith, backed by the millions of other people using your platform of choice, after following standard hardening steps.
Re:NO! (Score:4, Insightful)
2FA is good, but use open standards, and without going through the Internet. My bank insists on 2FA over their phone App.
I don't have a store-compatible phone, their app won't work through Aurora. I'm stuffed.
For work we use a 2FA solution that sends requests over the internet; my work desk is in a poor wifi reception area (work PCs are always cabled, phone has no plan, as its only function is 2FA), so 2FA notifications don't come until I wave the phone around until the push server is found again.
Here I won't complain that it requires an app, as the phone is employer provided. Highly annoying.
From what I've read about passkeys, it seems they might be a solution to this, but...
FIDO maintains a list of certified "things", those are certified to various levels [1] (nothing of pertinence, just paying a fee to FIDO Alliance and checking checkboxes gets you on the list). However, the party you want to authenticate to MAY require a certain level, and won't let you pass until you provide a device capable of it. OSS things are out almost immediately.
I personally already hit this: NitroKey 3 to access my e-government is useless. No L1 certification, no e-gov. Stuffed again.
Not to mention that the list has to be distributed to all service providers, and kept updated.
https://fidoalliance.org/certi... [fidoalliance.org]
Re: (Score:2)
And yet you have many instances on the net where an account was "stolen" because of 2 factor authentication.
There is no easy answer. 2FA over unsecured channels is not 2FA. 2FA where the private key was generated by a third party is not 2FA.
Re: (Score:3)
So you're basically bitching about universal best practices...
Today's best practices are tomorrow's terrible anachronisms. And yes, today's "best practices" are idiotic.
...because you don't want to have e-mail accessible from anywhere but home due to paranoia?
No, I have my e-mail accessible only from home because I've seen what happens to people when their emails are Internet accessible. It's not paranoia when the threats are well documented. It's security.
Re: (Score:2)
I don't quite grasp the process. What do you use to log into your bank account if not your computer?
Re:NO! (Score:4, Insightful)
Re: (Score:2)
Re: (Score:2)
So how many other services do you use that password for? Don't pretend you can remember a dozen different unique, strong passwords. You either re-used the password (or some variation of it) or wrote it down. Without 2FA, both of those things are, to use your words, "stupid beyond excuse".
Your bank is right to force you to use 2FA. What sucks about banks is that they never support *good* 2FA, like security keys and time based codes.
Re: (Score:2)
And no, using my phone (an insecure device by design) for 2FA would be stupid beyond excuse.
Why? In your scenario you are still using a great password. In order for your phone to be the flaw here, someone would have to already know your password and have your phone.
Re: (Score:2)
You can register more than one passkey to an account. I bought the Google two pack YubiKeys years ago. One stays at my computer and one is on my key chain. Works flawlessly.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I'm fairly sure there's a matching phone app that you can download for free.
Re: (Score:2)
Re: (Score:2)
For the time being, it will probably still work (after all, all that happens now is that it becomes the default, not the only, option). And by the time they sunset this, a solution will have been found.
I'm not really that convinced Google would want to accept that a nontrivial amount of data points ("users") will leave them without information to siphon.
Re: (Score:2)
I believe Thunderbird already supports this...or at least I am hoping it does.
https://support.mozilla.org/bm... [mozilla.org]
Re: (Score:2)
You can use multiple PassKeys. I have one gmail account with advanced account protection turned on, which means it needs YubiKeys for the 2FA. It allows passkeys, so on my desktop and laptop, I can log onto that account without needing to find the YubiKey, as it will prompt for a fingerprint from the laptop.
In general, if the 2FA method is the common, old school Google Authenticator with the TOTP keys, perhaps use a password manager which offers syncing and backup for those, so those can be moved among de
Re: (Score:2)
You can have more than one passkey. I have two already, one for my phone and one for my Yubikey.
By the way, you don't need to turn off 2FA to share a password either. Google lets you add multiple 2FA options to your account, so you can have one each.
Re: NO! (Score:2)
Easy: Have him register a key on your account as well. You never register just one key to any given account.
Re: (Score:2)
Many sites allow me to register multiple yubikeys. I keep one on my key chain, one at home and one at work.
Re: (Score:2)
You can use a Bitwarden family account to share TOTP 2FA codes.
Re: (Score:2)
Re: (Score:2)
Passkeys do not need to be unique to the device. If you use 1password you can store a single passkey and use it across multiple devices. I wouldn't recommend it though.
Re:NO! (Score:4, Interesting)
Remember how you visited slashdot for the second+ time, and didn't have to type your password?
No. My system asks me every time.
Passkeys are like long cookies that have to be stored in a security chip.
Are you on Windows 11 yet? Or a Mac?
If not you can't use passkeys, your computer probably has no security chip, and if it does the OS can't use it.
A brand new computer will, and mobile devices less than 5-6 years old do.
So according to you if your computer dies and it's the only device accessing the account you just got locked out?
I think you need to look at it a bit more. It depends on the implementation.
Personally I believe that if you don't generate and control your private key, a passkey is less secure than a password. Security is your responsibility. It can't be relegated to a third party. A passkey saved on a device may be less secure than a password.
Not long now. (Score:2)
And the malicious attackers come up with a hack against this in 3...2...1...
"you’ll start seeing prompts to create and u (Score:2)
And I'm waiting for the prompts to create passkeys. Still.
Cool (Score:2)
None of them support this.
2FA also sucks (Score:2)
Re:2FA also sucks (Score:4, Interesting)
While I have seen accounts compromised due to a lack of MFA, I've also seen MFA-protected accounts get taken over with no explanation from Microsoft as to how.
But given the number of people I deal with, the rate of unauthorized account access for non-foolish users is extremely low.
It seems to me the push to get everything linked to your phone is more about data mining you than security.
Re: (Score:2)
It seems to me the push to get everything linked to your phone is more about data mining you than security.
No shit. This is why I don't use it. It isn't a secure device to begin with, and the way I use it leaves it even more so.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
While a phone itself isn't exactly the most secure device (twice so with all the junk people load onto it), it's better than no MFA.
Of course, if you browse to your online banking webpage with the same phone you use as a second factor...
Re: Cool (Score:2)
Yeah they do. You can create software based keys, it's just a dumb idea.
not supported (Score:2)
Re: not supported (Score:2)
https://learn.microsoft.com/en... [microsoft.com]
Re: (Score:3)
I still don't get it (Score:2)
What's the difference between a (alphanumeric) pin and a password?
Re: (Score:2)
A PIN is used to authorize something to access it.
Or at least my understanding of it.
Re: (Score:2)
The idea is that there are two parts, one that is in your device and one that's on the website. They need to match, and they can't (or ... rather... should not be able to) be copied. So whoever wants to hack your account must somehow get physical access to your device.
So far the theory, at least.
How does this change 5th amendment issues? (Score:4, Interesting)
If memory serves-
Police can warrant you into a thumbprint onto the reader, but not a password into the box...
Seems to me a passkey is a lot closer to thumbprint than password
Re: (Score:2)
Left thumb unlocks the device. Right thumb scrubs all the data.
Insecure by design? (Score:3)
The basic idea of passkeys used to be that they are generated on-device and never leave the secure element. So there was no way that they can get stolen or subpoenaed.
Then Apple, Google and Microsoft decided it is too much hassle for users to create a different passkey on each of their devices and that they might lose access to a service if a device with a key on it gets destroyed or lost.
So they threw this basic feature overboard and added cloud synced passkeys. No idea how they did that, because of the "never leave the secure element" premise, but here we are. Somehow they did it anyway.
Does that mean that my passkeys can now be potentially stolen by a skilled attacker who can attack the cloud service of my hardware vendor? And that all my passkeys to all my services must be handed over after a court order? Am I missing something?
Re: (Score:3)
The basic idea of passkeys used to be that they are generated on-device and never leave the secure element. So there was no way that they can get stolen or subpoenaed.
Then Apple, Google and Microsoft decided it is too much hassle for users to create a different passkey on each of their devices and that they might lose access to a service if a device with a key on it gets destroyed or lost.
So they threw this basic feature overboard and added cloud synced passkeys. No idea how they did that, because of the "never leave the secure element" premise, but here we are. Somehow they did it anyway.
The reason behind this is simple; they make phones/devices/operating systems that are obsolete in a short period of time.
If they had to explain the hassle of what it would take to migrate all of your passkey information to a new device, people would be hesitant to constantly upgrade their devices. So rather than being swamped with support calls or customers pushing back on buying the latest and greatest, they made it simpler to migrate passkeys so people feel like they can use this new uber-secure method fo
I’ve never used this before. (Score:2)
Why don’t we all share our preferred Google authentication methods.
Education (Score:2)
Bet they don't do it for their education users.
Unless you want to teach every 5-11 year old to carry a phone around school with them, or rely on biometrics (for which that age group are impossible to manage as their biometrics aren't fully formed and change too often - a problem I confirmed with just about every single biometric supplier at the London BETT exhibition over many years).
Please no (Score:3)
I'll give you keylogger, though if your system is compromised the damage is likely only just getting started, and shit will simply hit the fan after you login via passkey.
shifting the blame (Score:2)
If your accounts are compromised, then you didn't protect your passkey. Not Google's fault anymore.
I still need a password to unlock my passkey. I could use biometrics but they have serious security weaknesses [howtogeek.com]
Offering, not forcing (Score:5, Informative)
Every time I read about passkeys... (Score:3)
.. the article refers to mobile devices
I use a desktop computer and see very little information on how they would work for me
Re: (Score:3)
Simple: they will tell you to download the mobile app to enable being able to log in.
Yeah, No Thanks! (Score:4, Interesting)
A Passkey is pretty much a client cert... (Score:4, Informative)
I have been seeing a lot of confusion about Passkeys. People confusing them with FIDO tokens or other items.
A passkey is pretty much a client certificate, except it is stored encrypted with something device-bound. It could be Windows Hello, it could be Apple's Secure Enclave, it could be kwallet on Linux, but it is encrypted with something that binds it to a device.
Of course, the device binding makes it all but useless, since oftentimes, if I'm logging into a site for the first time, there is a good chance that I have a clean web browser with no keys or anything in it, and it means that PassKeys would be useless anyway.
What would be nice is some way to move PassKeys from device to device, similar to how backups of HSM key material are done. Perhaps a key exchange (device 1 exchanges via a secure channel the public key with device 2, device 1 sends device 2 a signed, encrypted copy of the PassKey material, device 2 decrypts it and encrypts it, bound to whatever secure secret sauce it has.) What would be nice is a dedicated device like a FIDO key which could act as device 3, where encrypted PassKey material can be stored safely.
Of course, bonus points if someone can make a device similar to a Trezor Model T, which prints out a BIP-39 recovery phrase that you copy offline, and where that generates a key. This way, if all electronic devices are lost, the BIP-39 code and the PassKey material (which could be a QR code) can be re-imported.