Google has added support for passkeys to Android and Chrome so that users can log in to their accounts and apps without typing a username and password. A second factor such as an SMS code, one-time password or push confirmation is then no longer necessary either: the biometric check, PIN or unlock pattern of the device used to log in is sufficient, the company has announced.
Passkeys are a joint initiative of Apple, Google and Microsoft and are intended to make passwords superfluous. They are based on the Web Authentication (WebAuthn) standard and use public key cryptography. Users must first generate a passkey for an account or website. The associated private key remains on the user's device, while the associated public key is stored by the website or app.
When logging in, the website or app sends a challenge and the user's device signs it with the private key; the website or app then checks that signature against the stored public key. Before the device will sign, the user must first scan a fingerprint or face, or enter an unlock pattern or PIN: passkeys reuse the mechanism that unlocks the device or system in question.
However, a passkey is not tied to a single device: it can be synchronized, so the same private key can exist on multiple devices. A user who does not want to synchronize passkeys across devices can still log in with a passkey on a device where it is not stored. For example, a passkey generated on a smartphone can be used to log in to a website on a laptop.
As long as the phone is near the laptop and the user approves the login attempt on their phone, the laptop can be logged in to the website. The website can then offer to generate a passkey on the laptop as well, so that the phone is not needed for the next login.
"Because passkeys are tied to a website or app, they are safe from phishing attacks. The browser and operating system ensure that the passkey can only be used with the website or app that generated it. This means the user is no longer responsible for logging in to the real website or app," according to Google.
The company states that passkeys do not allow users or devices to be tracked across websites, because a separate passkey is generated for each website. The biometric information is also not shared with the app or website being logged in to, and passkeys are stored encrypted on the device. Passkeys are now available in the beta version of Google Play Services and an early test version of Chrome; they will come to the stable versions of Android and the browser later this year.
