Passwordless Google accounts are easier and more secure than passwords. Here’s why.

The passkey ecosystem is far from complete, but Google's implementation is now ready to use.

See full article...

 

[bskin]

Personally I'm waiting until 1passsword supports them. I may purchase a yubikey once it does.

Are there any privacy concerns here?

 

[JerryLove]

A question.

If a device with passkeys is fully compromised; does the bad actor now have access to authenticate to all of my accounts everywhere from that device (since he has the passkeys and is passing whatever security that particular device uses)?

I mean: I realize that my Yubikey has a similar problem (if someone physically has it, they can get to all my stuff), so this isn't necessarily new; but still.

 

[x14]

While Dan Goodin does a great job explaining the privacy and security benefits of Google Passkey system I must freely admit I do not trust Google about anything whatsoever. Especially, the Google Cloud.
I have to ask myself how has or will Google monetize their passkey system?
I can only assume we will pay with our private personal data put on sale, I mean securely shared with trusted third parties for a fee or as required by law, or corporate policy to improve the world or just because they feel like it.
I would be willing to pay a reasonable ONE TIME fee for a passkey authentication system that is truly, demonstrably beyound all reasonable doubt, private and secure.

 

[EvolvedMonkey]

So does this protect against malware grabbing browser cookie info on devices once logged in? If I logged in this way today on chrome on a windows PC, does it auto log-in tomorrow without the passkey being re-input, which would create this security risk? Or does it require logging in every time, more secure but probably not favored for usability by less security aware users?

 

[Kanten]

Why is there all this news pushing and pushing people to adopt something that is not fully ready? Passkeys replacing passwords or not, I find it very strange all these articles coming out constantly reminding us to switch to passkeys. There was literally one on Ars just last week.

The cynic in me wants to lean towards marketing at least from Google's end. I feel like I see less explanations of the mechanics of Passkeys and more Google shoehorning the phrase "death of the password" into as many news releases as possible.

 

[Andy Somnifac]

And another feature that doesn't support accounts that were created years ago as G-Apps or G-Suite or or whatever it's been called over the years...

I just wish that the account could be ported over to a standard account, port over app and media purchases, and allow me to continue to use it on any third-party site logins. I don't care about any of the back-end stuff.

I'd even pay for the port.

 

[randomuser42]

I recently had an experience while traveling where a phone fell and broke and was not usable and my friend had 2 factor authentication turner on with the Duo app as well as a password manager when they tried to get their new phone operational.

Were it not for breaking best practices and getting someone back home to log into their laptop my friend would have faced an expensive trip home to sort everything out.

This isn't to say that security isn't important, it's just I've been shown in a very real way that multi device authentication can be a very dangerous thing. If my friend had been limited to passkeys in this situation they would have been stuck because the old phone didn't work. And they wouldn't have had any way of turning off the passkey option except by getting someone else to do it for them .

That's why I bring a hardcopy of recovery codes with me when I travel.

 

[mmiller7]

I imagine all the desktop Windows computers used in businesses and government would need a whole lot of Bluetooth dongles to implement this.

That could be fun...I've been to some government facilities they won't let you bring in anything with wireless functionality or cameras (so no phones, no bluetooth/wifi devices, etc). If you need to log into something, you have to use a post-it note to record the 2FA code from your phone outside and bring the post-it note inside to type in is the "approved" flow (which is a PITA, that ought to be some kind of olympic sport badging thru gates and doors running on stairs to make it back to a computer before the code expires).

I assume government would want something without wireless...though many also seem to ban things that look like thumbdrives (and one I've been to for someone's retirement ceremony actually required I empty my pockets TSA style to be examined entering to check for contraband).

 

[Wbd]

No and absolutely fucking not.

Every single system that seems to be able to store passkeys seems to require you to trust the big three (Apple, Google, Microsoft) not to delete your account without warning. In my case, if Apple deletes my iCloud account and the keychain, I lose access to everything that's secured with a passkey. Compare that to what happens right now, if I destroy my main Yubikey: I go to my bank, show them two forms of ID, use my physical key to retrieve the backup Yubikey from the safe box, and move on with life.

Until and unless there are serious and lasting consequences for companies that provide infrastructure services that act unilaterally, there is no way I will use this. KeyPass/BitWarden can generate arbitrarily strong passwords, you can buy as many Webauthn keys as you want from a variety of vendors. With passkeys, you're one (automated, non-negotiable) deletion away from being locked out permanently from your entire online life.

If you want to give that power to a company, be my guest. I'll wait until it's treated like water or power companies cutting off service for no apparent reason: large and hurting fines.

The context of the article is logging into a Google credential with a passkey. The ‘big 3’ and also several others offer key escrow and recovery, but sites use passkeys directly- if you use a passkey with Best Buy, they will not be checking with Google for example (Unless you use ‘social logons’ of course). In that context, google wiping your account just means if your phone dies things could get dicey. They are basically a yubikey with a recovery option - so slightly less secure because the private key exists in escrow which solves 50% of the problem with yubikeys (the price tag and app support being the remaining pain).

 

[balthazarr]

At least on the Apple side, passkeys are synced via iCloud Keychain. So if you have multiple devices, then passkeys will work on all of them. I can sign in seamlessly using my phone, my desktop Mac, my iPad, etc.

I think a lot of the problems and concerns around recovery and multi-device support go away once you start getting third party Passkey solutions from companies like 1Password and Bitwarden. Millions of people already trust them with all their passwords; trusting them with passkeys isn't really any different, but it is more secure.

That said, I do wonder about the "average user" problem. Passkeys are targeting people like my mom, who use the same few passwords everywhere. But there's no guarantee she'll stick with Android for her next phone, and she doesn't live inside the Google ecosystem everywhere - instead she has a hodgepodge of accounts. She's been doing things this way forever, and I'm not sure she'd be willing or even able to change now.

I have to wonder how much more secure it is in practice. It seems to me that it's a pretty complex system with lots of moving parts. The more complex something is, the more likely there are security issues.

I get the theoretical improvement, but the devil is in the (implementation) details. I think I'd rather wait and see than jump in with both feet.

 

[pseudobscura]

So what's the fallback if your phone is lost/stolen/destroyed/etc?

Guessing that'd be those terrible, horrible insecure passwords? Hmmm ....

This seems such a terrible idea. If you know what you're doing, it seems neither easier nor faster nor more secure. I would rather not trust all my security to having a second device with me. And I worry about the power border agents have to compel device biometrics, and through that, access to everything you have a login for.

"You've turned them on, right?" Dear gods, the idea of becoming an early adopter for such a revolutionary and disquieting concept where the bugs are yet to be ironed out, is ... nuts. Even if I was excited about this, I would be waiting half a year before turning them on. The risks of unpredicted edge cases are far too great here.

 

[mmiller7]

That's why I bring a hardcopy of recovery codes with me when I travel.

How do you ensure your recovery codes haven't been copied/compromised during the trip? I wouldn't want such a high-value document anywhere on my person or luggage when traveling, I'd want it locked up in a safe at home.

 

[carbon60Unit]

I'd rather have the second device be a small RFID/BT-ish dongle/card one can have on a physical key chain or in one's wallet/purse. Inexpensive enough that one can have a backup copy at home or elsewhere. Not a phone. While I usually have the phone with me, I don't want to be locked out if it is for any of the reasons cited previously not available.

 

[Thunderbird]

As far as I can tell, the point of this is replacing the Thing You Know (i.e. the password) with a Thing You Have (your phone) in conjunction with the Thing You Are (biometric verification on your phone).

That is itself an improvement, but the downside is that there are way more moving parts, increasing the number of failure modes and making it harder to reason about them. The simplest question is: what happens if you lose your phone? Another one is: there are multiple Passkey implementations, right? How do they interoperate?

Speaking of moving parts, I'm somewhat concerned about the Bluetooth requirement. I don't think I've ever used a desktop computer with Bluetooth, for example. And how does the web page you're logging in to make an outgoing Bluetooth connection to your phone? Doesn't this require cooperation between the browser and the OS? What standards does this use? What happens if you're on a system which doesn't have this, for some reason? Is there a fallback?

Edit: Also, for a primer this document is kinda missing a simple explanation of what passkeys actually are and how they operate!

Exactly my comment was going to be about the last 2 lines. I still have no good clue on what passkeys are besides some glimpses based on the screenshots and how to set them up.

 

[DJ Farkus]

Among numerous issues that make me skeptical, the bluetooth requirement is a hard "No".
Disabled on my phone since day 1, and never on my laptop.
Complete dogshit communication protocol, and should never EVER be part of any authentication scheme.

 

[Verio]

I'm not sure I understand how a workflow that requires
grabbing your phone,
tapping into an app,
taking a picture of your screen, and
tapping what to do with that info...

...is an "easier" operation than entering a password from memory, or auto-completing with a password manager, or copy pasting with a password manager.

There might be other benefits, but by no means is that easier.

 

[alexr]

I think the ARS audience is way ahead of the curve in terms of using a password manager and having their credentials safely in order. Lots of normal people have no real system of keeping their passwords and have a total mess where they end up having to recover the password practically every time they login. Getting those people on to a secure and reliable system would be a big improvement for them. We'll see if passkeys are helpful for that. At this point it sounds way too confusing and incomplete to be something I'd suggest someone like that try.

This is exactly it. Passkeys represent only a slight security improvement (and have some real usability issues at the moment) for someone who is rigorous about using a password manager, letting it generate strong passwords, and, crucially, always using auto-fill (since if you ever copy-paste a password, you can be phished just as easily as someone without a password manager). This represents a laughably tiny fraction of the people who need to authenticate with online services (which is, uh, much of the global population now). Password managers have failed outside of specific niches of IT professionals and the people they have policy making power over, but Passkeys hopefully stand a chance of succeeding.

 

[Abhi Beckert]

The long and short of it is that with a few minutes of training, passkeys are easier to use than passwords

It's just not.

Passkeys are more secure than passwords, and so yes I am using them as much as I can (my primary computer, a desktop, doesn't have any biometrics so I can't use them there), but stop telling me it's easier when it isn't. Passkeys are a thousand times more complex than a password with a good password manager - and all browsers come with good password managers.

Case in point, I just tried to log into my google account with my passkey, and it wasn't working. Probably a setting or something or other in my browser... but whatever it is it took five minutes of troubleshooting before I gave up and made a second passkey for a browser that already has one. Never mind "a few minutes of training" I'm a security tech enthusiast who's been watching passkeys and predecessors to it closely for several years.

I'm not even telling anyone in my family that passkeys exist, let alone encouraging adoption.

 

[dangoodin]

A few things based on comments so far:

Passkeys are an option for logging in. They aren't an either/or thing. You can enable passkeys and still log in with a password anytime you want. If a passkey somehow gets deleted or corrupted, you can still log in with your password. Or you can log in from one of your other devices. You can enable passkeys and then never use them. I see no scenario in which having a passkey synced to your device makes it easier for Google to suspend your account. It's trivial for Google to arbitrarily suspend your account under the current password paradigm. When an account uses passkeys it's no harder or easier for Google. Additionally, keep in mind that Google is only one of many cloud services that will sync your passkeys. If you don't trust Google, you can have 1Password or your preferred password manager sync them, or have Microsoft or Apple sync them. There are many more options for using passkeys than critics commenting here realize.

Passkeys are absolutely resistant to SIM swaps. Passkeys don't rely at all of the phone number. They rely on a private key that can be stored on each device. Someone can take control of your number, but that in no way allows them to take control of the private key. If you lose your phone, you should be sure to access your account from another device and delete the passkey stored on your phone, but this security best practice is true even under the current system.

And no, you don't have to have your phone with you each time you log in. You need your phone, or another device with you only when logging in to an account for the first time on another device. If no other device is available, you can also log in with your password the way you always used to. Passkeys are indeed easier to use than passwords when logging in from the devices you usually use to access your account

Many of the criticisms so far are based on fundamental misunderstandings about passkeys. Going forward in comments, please don't criticize if you haven't tried it first.

 

[mmiller7]

My phone is always in my pocket on the desk next to me, and I've been able to use fingerprint unlock even with peeling calluses from playing the guitar, or my fingertip coated in dried superglue (don't ask). I can see how passkeys aren't an improvement for everyone, but neither of these issues would put me off of it.

My phone is...usually somewhere in the house, though I regularly have to call it from a landline or use the "find my phone" to play a noise to find it probably once a week or so. And sometimes I am in a hurry and forget it on my way out to work.

And I work in a place that doesn't allow personal electronics so I have to use the company-issued devices when I'm at work and the personal phone stays in the car or a locker all day. Which is partly why I don't miss it THAT much if I forget it at home. Slightly more annoying if you forget it in the locker at the office and don't realize until you get back home without it.

Though that still doesn't solve how often fingerprint unlock fails across multiple devices of multiple brands, and I mostly ignore it now because the pin is faster and more reliable to type.

 

[NomadUK]

There are some major parts missing in the passkeys ensemble. For now, Chrome on macOS needs its own local passkey. Firefox support isn’t yet available on macOS, and I couldn’t get that browser to work on Windows 10, either. Things are even more limited for Android. Currently, passkeys synced by Google don’t work with browsers [...].

ChromeOS has no support for passkeys at all. [...] Most glaring of all, Linux doesn’t work at all with passkeys.

This lack of seamless integration among OSes and browsers is the result of various players being further ahead or lagging behind their peers. Passkeys are a work in progress with many moving parts. [...]

So, yeah, guess I'll switch this baby right on. Can't wait.

Also, having read the endless, mind-numbing, eyeball-glazing scroll of detail and images in this and other articles, I'm just imagining the Hell on Earth that will be the effort to explain how to use this to the masses who have barely figured out how to use something as simple as username/password credentials and password managers. I, for one, would not want to try to train the users in my organisation to use this stuff, and don't even think about my mother.

EDIT: Fine. You train them.

 

[randomuser42]

How do you ensure your recovery codes haven't been copied/compromised during the trip? I wouldn't want such a high-value document anywhere on my person or luggage when traveling, I'd want it locked up in a safe at home.

Do you not bring your credit cards, cash, ID, even perhaps a passport with you when you travel?

Change them when you get home. If someone wants to break into my room or rob me of those codes and also obtain my (strong) passwords all in a week or two window then they're welcome to them because at that point I'm being targeted by a nation state and their next option is to beat me with a wrench until I enter my password. Maybe I won't bring them if I'm traveling to Iran with state secrets in my email account I guess.

Edit: if you're concerned at all about the scenario described by the person I'm quoting then the only fully reliable alternative is to disable 2FA when traveling which is obviously worse.

 

[alexr]

I'm not sure I understand how a workflow that requires
grabbing your phone,
tapping into an app,
taking a picture of your screen, and
tapping what to do with that info...

...is an "easier" operation than entering a password from memory, or auto-completing with a password manager, or copy pasting with a password manager.

There might be other benefits, but by no means is that easier.

If you’re copy-pasting passwords (or typing them from memory, which has other problems at scale), you’re vulnerable to phishing. So passkeys would be a big security improvement for you.

 

[Bongle]

With a basic primer on using passkeys out of the way,

It was 1400 words to that point, and included a bunch of caveats like "this browser/OS combo works, but not on this OS, needs your phone to be on you, etc". It sounds like a nightmare.

I use web-bluetooth for some prototype stuff or internal tools, and this passkey implementation sounds about as half-baked and requiring as many caveats. "It's awesome and wonderful! Oh it only works on MacOS and Android in Chrome, but not on iOS Chrome, and only sometimes on Windows, and on MacOS the write() behaviour is slightly different so this particular feature only works on Android".

 

[BrandonSoMD]

Yeah, I can just imagine trying to help my tech-challenged parents set up a highly complex passkey system on their phone and non-Bluetooth desktop PC, then recover when someone loses a phone.

At the moment, when Mom gets stuck (which happens often), I have all her login credentials in my own password manager, and can get her to read me any 2FA SMS code.

Hard pass.

 

[GreggN]

Passkeys are not supported widely enough to be useful at this time. My primary machine runs linux and has no webcam or bluetooth, so passkeys aren't even an option for me.

There is one detail that I've missed in the informational articles about passkeys. Let's take the average person who has a phone and a Windows or Mac. Let's assume they set everything up with passkeys stored safely on their phone and computer. Let's also assume that they are a normal human who gets annoyed by constantly unlocking their systems (and by the frequent failure of biometrics), so they turn off, or minimize the need to reauthenticate to the device. What happens when a malicious person gains control of their phone or computer?

 

[karinto]

You can do passkeys with FIDO2 hardware security keys like YubiKey. No reason to hate passkeys.

For my Google account, I've re-registered my YubiKeys I was using as 2FA to be passkeys. With 2FA, the authentication was Google password + FIDO U2F hardware key. With passkeys, it's FIDO2 hardware key + key's FIDO2 PIN.

 

[zarakon]

"You've turned them on, right"?

Well, the previous article here had a tagline that said, "Switching is probably a terrible idea right now," so no I haven't

 

[ERIFNOMI]

I have to wonder how much more secure it is in practice. It seems to me that it's a pretty complex system with lots of moving parts. The more complex something is, the more likely there are security issues.

I get the theoretical improvement, but the devil is in the (implementation) details. I think I'd rather wait and see than jump in with both feet.

If you use half decent passwords you're fine. The problem is most people don't use half decent passwords. They use a single or a small handful of passwords everywhere and they're something simple like the names of their kids and their birthday. This is a better solution for those kinds of people.

 

[mhersh]

The cross-device authentication process involving QR codes is a one-time requirement. Once completed, the user saves a passkey to the browser or platform being onboarded. This doesn’t seem like any more of a hassle than setting up password syncing on a newly installed browser.

It sounds like this is not so much a "one-time requirement" as it is one time per account, per device. That's a big difference to me. I have well over a hundred accounts in my password manager. If I eventually switch those to passkeys, I will need a way to move them en masse between devices and platforms.

Syncing passwords with iCloud, Chrome, or Firefox only requires signing in once to a new device to get access to all your passwords, and at least in the cases of Chrome and Firefox, it works on nearly every platform.

I will echo what others have said: until there is a cross-platform, open-source solution, I'm not investing any time into this. In practice that means Keepass or Bitwarden. (Please correct me if there are other open-source password managers I should know about.)

 

[adamsc]

Passwords are better than passkeys.
They can be changed, are not based on some item that can be lost or stolen, and are not based on some type of biometry.

I would strongly recommend learning how passkeys work. Each of your assertions is incorrect.

 

[tjukken]

Making stuff harder to do is not a winning formula. Regular users will at best think this is inconvenient and a hassle vs using a password. Everybody understands passwords.

I won't be using this, because it's a hassle. I use a password manager.

 

[SeanJW]

Eh...

From what I understand this is a new industry standard and not just a Google thing. I'll wait for Apple and Microsoft to fully implement it before I bother, seeing how I don't really use Google products other than YouTube.

Congratulations, you've gone back in time!

Apple already fully supports Passkeys client side, and supports them as 2FA server-side. They just don't do passwordless (as you need to be able to log in to iCloud somehow to recover your backed up iCloud Keychain...)

Google is this complicated bloody mess where they

(1) support Platform Specific keys on Windows (using Windows Hello), and macOS (though not the way Safari used to do it before Passkeys). They also support Platform Specific keys on ChromeOS too. They're all branded Passkeys now, but they're not actually Passkeys. They're just the old platform specific keys with a new sticker on top.

(2) Supports the QR code dance on all desktop browsers, including Linux (noted from its absence above....), which works with Passkeys on any platform that supports them.

(3) Will have real Passkeys Real-Soon-Now where they do share them around platforms on Windows, macOS and Android. They'll share by OS though, not by browser. So all your Chrome instances on Windows devices will share, but the poor mac will be all by its lonesome. There's no documented plan for ChromeOS and sharing that I'm aware of. Linux will not get it at all.

(4) Has server-side passwordless login where it works. And where it doesn't, you fall back to the old system. And they can be 2FAs instead.

Firefox will.... drag their feet and half-heartedly implement something on some platforms, like everything else they've done with FIDO2. (You think I'm kidding? They support platform specific keys on Windows Hello. That's it. They support USB security keys. Only some of them on Linux. Not all of them, no matter how FIDO2 certified they are)

Edge, I have no idea. I've never really tried it. But I spent far too damned long writing FIDO2/Webauthn code and Passkey stuff. You can even make Passkeys transparent if you want - no "click to try" thing, it just detects that your browser has a local passkey that it can access, and up it pops asking if you want to use it. I haven't quite got that far yet, but I'm thinking about it.

Edit: Oh why Linux is the poor cousin? Blame it's handling of TPMs. There's 4 different ways you can access TPMs. TPMv1.2, you have a device driver you're supposed to access via a userland broker. Yeah, no. That defeating the whole purpose of having a TPM, by having an interceptable userland process. TPM2 they fixed that! There's a driver... that only can be accessed serially. There's a kernel broker! There's a userland broker! Wait, what? Yes, they did it again...

It gets even better when there's already faux TPM drivers too under Linux, so you're really not able to trust the damned TPM is really a TPM, and so there's no way you can get a Linux distribution FIDO certified unless you do what Google did with ChromeOS which is lock it down madly.

Edit 2: and remember, most sites already support Passkeys as a 2FA, as they're just another FIDO2 authenticator. You just need a browser that supports them, either the complicated half-arsed mess that is Chrome, or Safari. I'll try Edge later and see what it does.

Edit 3: We're really back in time - Edge is like Chrome. Desktop Edge does the QR code dance fine. Probably just inherited all from Chromium.

 

[randomuser42]

Dan Goodin: Google passkeys are a no-brainer. You’ve turned them on, right?
Ron Amadeo: Switching [to passkeys] is probably a terrible idea right now

You do have a Ars Technica Slack, right? I'm wondering if there was a discussion there about the current maturity of Google's passkey implementation...

Editorial independence between the writers is a good thing! But a little editorial cohesion would be nice. Especially in this case where advice is being offered that contradicts other advice!

 

[Deleted member 826873]

Many of the criticisms so far are based on fundamental misunderstandings about passkeys. Going forward in comments, please don't criticize if you haven't tried it first.

If you write an article to tell us that passkeys are great, and a bunch of people comment that they sound terrible, then something's wrong with the way you tried to convince us.

 

[mmiller7]

Do you not bring your credit cards, cash, ID, even perhaps a passport with you when you travel?

Change them when you get home. If someone wants to break into my room or rob me of those codes and also obtain my (strong) passwords all in a week or two window then they're welcome to them because at that point I'm being targeted by a nation state and their next option is to beat me with a wrench until I enter my password. Maybe I won't bring them if I'm traveling to Iran with state secrets in my email account I guess.

I don't have a passport but the rest stays in my wallet and can easily be replaced if compromised.

Its gotten better (tho I've not traveled much the past several years) but for a while from like 2014-2017 seemed like my credit cards were being compromised every other time I went on a trip and still not totally sure how. Though fortunately it was trivial each time to make a phone call and have them re-issued and fraud charges voided.

At least someone pressuring you to reveal logins is more evident that your stuff was breached than potentially copied sheet with all your services/usernames/passwords you may not know for quite some time.

Also know plenty of people who've lost wallets or other things while traveling. Pockets can be picked or stuff can fall out (especially a back pocket) and now its gone.

Even if I suspected it, not totally sure how I'd go about having a service void out all my recovery codes and issue new ones. The few I have that use them made it clear to keep them locked away for emergency and take note of them during setup or I may not be able to get them again later. I'm not sure if they can be changed or not.

 

[DancesWithBikers]

So how should I reconcile Dan's article with Ron's far more skeptical take?

https://meincmagazine.com/gadgets/202...-are-here-you-can-now-switch-to-passkey-only/
"Switching is probably a terrible idea right now, but you've got to start somewhere."

 

[adamsc]

If you use half decent passwords you're fine. The problem is most people don't use half decent passwords. They use a single or a small handful of passwords everywhere and they're something simple like the names of their kids and their birthday. This is a better solution for those kinds of people.

If you use strong passwords, never use the same password (or an obvious variation like your dog’s name + the company name) on multiple sites, and never get phished, you’re fine if slower and less convenient. Unfortunately, that doesn’t work in practice - the reason why Apple, Google, and Microsoft implemented this is that they have literally millions of users who were compromised after failing at least one of those requirements.

 

[LuDux]

Wow, what an interesting and innovative step forward for security, I'll look into this and start

- 'Google'

Naw, I'll see if they stick with it beyond 3 months first. Not going to go to the effort of setting this up on all my devices and accounts only for them to cancel the whole thing when they get bored and it doesn't immediately make them a trillion dollars in revenue every single day and have to change everything back.

 

[autostop]

Guessing that'd be those terrible, horrible insecure passwords? Hmmm ....

This seems such a terrible idea. If you know what you're doing, it seems neither easier nor faster nor more secure.

Exactly. This only benefits the 99.9% of the population that doesn't follow good password practices. For the rest of us, it is just a hassle.