Passwordless Google accounts are easier and more secure than passwords. Here’s why.

dangoodin

Ars Tribunus Militum
1,642
Ars Staff
If they're synced using iCloud Keychain - then isn't there, by definition, a way to extract the keys from the device they're created on? Wasn't there an article just recently about new macOS malware that could steal iCloud Keychain items?
It sounds like you don't understand how asymmetric encryption works. iCloud Keychain syncs the public key. It never sees or touches the private key.
 
Upvote
-6 (9 / -15)
I don't understand your reasoning. Under today's password paradigm, Google can suspend your account anytime it wants. How does using passkeys make it easier for Google?

Also Google passkeys ARE ALREADY cross platform. My Google passkeys are currently being synced not just by Google, but also through the iCloud Keychain and Windows Hello. As you note, Bitwarden, 1Password and a bunch of other third parties will soon also provide syncing.

What's your basis for implying Google passkeys aren't already cross platform?
What I mean by cross-platform is:
When I can set up a passkey once in Bitwarden (or similar pass manager) and then it is immediately available for use on my phone, my PC, my Mac, in Linux, in Chrome, in Firefox, etc.

I recognize that I can create a Google passkey on each of those devices or browsers manually (while those in the same OS ecosystem will sync) and that is technically "cross-platform" use of passkeys, but it's a lot more work than a central store that immediately works on all devices, regardless of the OS or browser. I'd rather have them stored in an OS-independent way, so that I am in control of the keys instead of the OS.
 
Upvote
12 (16 / -4)

randomuser42

Ars Tribunus Militum
1,666
Subscriptor++
Why would they need to compromise the codes and your password? If you can access the account using a password, they can just compromise the password, right?

The problem of dropping my phone down a well is not a problem if I only use a password. Then I just buy a new device and log in using the password.
Your argument seemed to be that bringing a hard copy of 2FA codes (to be used only in the event you need them, like dropping your phone down a well) is too significant a security risk. I responded explaining why I didn't think so. I have no idea what you're trying to say here.

Let me take it from the top. First: A 2FA recovery code is useless without the password to the corresponding account. 2FA recovery codes can be revoked and/or reset.

I think the probability of someone stealing a 2FA code, recognizing what it is, and then compromising my strong, unique password in the ensuing week or two I'm on vacation (because I can change them when I get home) is too small to worry about. That's only if they're compromised without me knowing (because I could change them immediately), meaning someone needs to break into my room and get the codes while not stealing anything else. Never mind the fact that I can keep the codes in my wallet along with other private stuff like my ID.

The other scenario I can imagine is of someone already having a stolen password and following me on vacation with the intention of breaking into my room or mugging me to get a 2FA authentication code (which I may or may not have brought). Needless to say, I consider this too small to worry about.

You're welcome to view those threats differently (and please point out any I've missed) but hopefully we're on the same page now
 
Upvote
3 (6 / -3)

dangoodin

Ars Tribunus Militum
1,642
Ars Staff
No and absolutely fucking not.

Every single system that seems to be able to store passkeys seems to require you to trust the big three (Apple, Google, Microsoft) not to delete your account without warning. In my case, if Apple deletes my iCloud account and the keychain, I lose access to everything that's secured with a passkey. Compare that to what happens right now, if I destroy my main Yubikey: I go to my bank, show them two forms of ID, use my physical key to retrieve the backup Yubikey from the safe box, and move on with life.

Until and unless there are serious and lasting consequences for companies that provide infrastructure services that act unilaterally, there is no way I will use this. KeePass/Bitwarden can generate arbitrarily strong passwords, and you can buy as many WebAuthn keys as you want from a variety of vendors. With passkeys, you're one (automated, non-negotiable) deletion away from being locked out permanently from your entire online life.

If you want to give that power to a company, be my guest. I'll wait until it's treated like water or power companies cutting off service for no apparent reason: large and hurting fines.
You don't have to trust the big three to use passkeys. By all means, keep using passwords, but please inform yourself before commenting.
 
Upvote
-15 (15 / -30)

bikeoid

Smack-Fu Master, in training
75
Subscriptor
Initial test with Passkeys is a poor experience on what I consider a common platform: Windows 10 + Chrome.

"Your device doesn’t support creating passkeys, but you can create a passkey on another device"

I suppose they mean that my device doesn't support facial recognition, fingerprints, or Bluetooth.
 
Upvote
18 (19 / -1)

adamsc

Ars Praefectus
4,244
Subscriptor++
Complexity concerns aside, tying this to biometrics would enable warrantless access to accounts, wouldn't it? It's already precedent that police can compel you to unlock your phone with biometrics but not force passcodes or patterns.

It’s not tied to biometrics. Also, note that this is only true in certain jurisdictions and decent biometric systems have quick ways to require a password prompt - for example, on iOS you can click the side button quickly or hold the side button and either volume button to prevent a Touch or Face ID login.

It’s also a process only a few people have and where there are inherent trade-offs. For example, if you disable biometrics on your phone you are probably going to increase the auto-lock time to avoid entering your password so often, making you more vulnerable to a snatch and grab, and if you’re entering that password frequently it’s easier for someone to covertly record.

Circumstances also matter: if you’re an affluent middle class white guy (like many Arsians), it’s unlikely that any of this matters because the police are unlikely to care about you and assume you’ll lawyer up. If you’re poor or brown, it probably doesn’t matter because you’re likely to unlock it rather than be held indefinitely, being beaten or given a “rough ride”, or, if you’re in Chicago/NYC, reconsidering how much you value privacy when you feel the electrodes being attached to your genitalia. There are only a very few cases where this is a problem with a technical rather than political answer.
 
Upvote
-15 (6 / -21)
Exactly.

Nobody can respond with any kind of workflow diagram or white paper show-casing that all the criticism is invalid. People are just responding saying it's invalid without anything to actually back it up.

Most people aren't going to uproot their entire digital process on a whim without actually understanding it.
This is what frustrates me the most about the dialogue around passkeys. People have questions or make (wrong) assumptions. That may be frustrating but it's essentially based on a lack of understanding of how passkeys work. That's not their fault: that's down to passkeys being complex and (apparently) nobody having written an easy to understand explainer. But instead of educating people on the concept, the general response is "Stop spreading FUD about passkeys", "people are idiots for not getting it", or only addressing part of the question/assumption and either deliberately or accidentally not addressing some vital part of their question.

Why are so many passkey proponents so unwilling to have other people use and understand passkeys? Security is complex; there's no disagreement there. But you're helping nobody by dismissing people who misunderstand it as idiots.

Exceptions notwithstanding, of course.
 
Upvote
46 (50 / -4)
I only see two articles from Ars in the past week (one was the same story renamed, but shows up twice in the search results).


The first is a news story about how Google now supports passkeys by Ron, and the second is a deep dive by Dan. This type of coverage is pretty common from Ars - a shorter news story covering a new product, feature or press release, and then a more in-depth story a few days later that goes into details, sometimes by a different editor who may have a different focus.

I can't speak to every other tech site you read, but I doubt there's any kind of "agenda" here. Companies put out press releases and updates all the time, and so you will see coverage hit from multiple sites at around the same time. Sites also want to maximize the amount of mileage they get out of any one topic, so they will often post multiple stories for the same news beat. I don't think this is evidence of a vast conspiracy to dupe everyone into giving up control over their digital security, or Ars being on the take from big tech, or whatever.

This model of tech news coverage happens for literally everything, so if this worries you, then fair enough. But it's not like coverage of passkeys is too different from any other product or service related tech news. I also appreciate Ars doing deeper dives and offering additional commentary - many other news sites just lightly reword press releases and move on.
Ron wrote two articles about passkeys, two days apart:
https://meincmagazine.com/gadgets/202...-bluetooth-proximity-to-replace-the-password/
https://meincmagazine.com/gadgets/202...-are-here-you-can-now-switch-to-passkey-only/

And then we have the article we are currently on.

None of these articles can be considered a deep dive. The problem I have with passkey coverage is that there's literally nothing new in each article. They all repeat the exact same crap details with no coverage of how any of it actually works. I would love a deep dive article on passkeys: when is Bluetooth actually used, how are lost devices going to be handled, etc.

Contrast that to anything that gets multiple articles, such as individual companies (e.g. Tesla) or individual products, those articles do not repeat the same exact details. Dan's article is more about the process on Google's passkey, but both of Ron's articles are pretty much the same.

I don't usually have any issue with how Ars handles stuff (except their Wired reposts which are almost always crap).
 
Upvote
29 (34 / -5)
The fallback is to log in with your password the way you have done up to now. Remember, passkeys aren't either/or. You can create a passkey and still log in with a password.
Does that not undermine the security advantages of passkeys? If you have to leave passwords enabled as a fallback, then won't that just be the attack vector?
 
Upvote
38 (41 / -3)

dangoodin

Ars Tribunus Militum
1,642
Ars Staff
Having had a Google account arbitrarily suspended, then having to deal with Google's support to try and figure out why ... there is no way I am putting all of my authentication eggs into Google's basket.
How do passkeys make it easier for Google to suspend your account? Isn't it already trivial for Google to suspend your account under the current password system?
 
Upvote
-5 (13 / -18)

Beyond Opinion

Smack-Fu Master, in training
92
Subscriptor
Well now I do have to ask: Are you a luthier, perchance, or just repairing instruments here and there? Either way, the glue-covered hands reminded me of the last time I did any fret work on one of my guitars. Coincidentally(-ish) it also reminded me of why I let a local shop do my fret repairs, these days :)
Definitely not a luthier! I have repaired a couple of guitars in my day, but never done any fret work; you're braver than I am!
 
Upvote
2 (2 / 0)
The fallback is to log in with your password the way you have done up to now. Remember, passkeys aren't either/or. You can create a passkey and still log in with a password.

Honest question: if a normal password is preserved as an option that overrides everything else, how does this new system do anything to mitigate existing security problems with passwords? A bad actor can just skip the whole passkey song and dance and attack the password system like usual.
 
Upvote
48 (50 / -2)

dangoodin

Ars Tribunus Militum
1,642
Ars Staff
I don't want to make any single company the gatekeeper for all my online logins. If I lose access to that account I lose access to all my accounts.

And I don't want to make it dependent on any single physical device. Lose the device, lose all access.

Generated strong passwords kept in a password manager neatly avoids both issues.
How exactly do passkeys make any single company the gatekeeper of all your online logins? Currently, you can store a passkey for a given account in the Microsoft, Apple, and Google clouds, and soon you will also be able to use 1Password and many other third parties. There is zero reason to use only one gatekeeper if you don't want to.
 
Upvote
8 (15 / -7)

adamsc

Ars Praefectus
4,244
Subscriptor++
Ars alone has published 5 Passkeys are killing passwords articles in 7 months. Three of which are in the last week. That's not just covering new tech stuff, that's pushing a narrative. Look at the non-tech sites saying "Google and Apple are killing passwords!" It's been going on for the last 1-2 months pretty constantly on the same websites.

These are timed to coverage of platforms shipping support to hundreds of millions of users, which is no more an agenda than announcing any other new OS feature. It’s also warranted because passkeys streamline a daily source of frustration for most people and completely prevent one of the attack techniques used for billions of dollars in damages annually. They’ve done a ton of articles about MFA over the years for the same reason and this just makes phishing-proof logins that much easier to use.
 
Upvote
3 (10 / -7)
Three years ago, I changed my phone number. I never thought doing something so benign would lead me to leaving both Google and Microsoft, but this event certainly did.

Android requires a Google account to operate. Microsoft was my backup contact account. You can probably see where this is going.

As I logged into my Google account to update my phone number because this multi-billion dollar company which has full access to my Android device didn't do it automatically, I was stuck in 2FA hell. So, to get in, it sent an email to my backup account, and yep, you guessed it, wanted a 2FA access code as well.

Frustrated, I reached out to Google's customer support and it's as bad as everyone says it is. By the time it was said and done, Google wanted me to send in 3 different pieces of paper (with one required to have a photo ID) before it would unlock my account.

I forgot to mention the best part of this incredible ordeal: it would take up to 21 days before the account was unlocked.

Now I read a story in which the very same company which locked me out of my Google account, forcing me to reset my phone to create an entirely new Google account, wants me to trust it with passkeys?

LMFAO. I must be dreaming.

It was bad enough changing a phone number put me through a hell no one should have to deal with. This passkey idea is fundamentally worse on every level. This isn't just being locked out of an online account. The loss of passkeys on the device should Google just be in a pissed off mood means the lock out of one's entire online access.

Not only "No, thank you." but "FUCK OFF, GOOGLE! Take your passkeys and shove them up your ass."

If these companies want people to sign up with passkeys, do not let Google, Microsoft, or Apple control any part of them.

Until then, I'll stick with "pas5W0rD1234", thank you very much.
 
Upvote
5 (20 / -15)

dangoodin

Ars Tribunus Militum
1,642
Ars Staff
Why is there all this news pushing and pushing people to adopt something that is not fully ready? Passkeys replacing passwords or not, I find it very strange all these articles coming out constantly reminding us to switch to passkeys. There was literally one on Ars just last week.
No one is telling anyone to "switch to passkeys." This article is suggesting anyone who wants to use 2FA give passkeys a try. Again, passkeys aren't an either/or thing. Turning on passkeys doesn't prevent you from using passwords at any time. What, exactly, is strange about an article that encourages people to give passkeys a try?
 
Upvote
-19 (10 / -29)

Schpyder

Ars Tribunus Angusticlavius
9,942
Subscriptor++
How do passkeys make it easier for Google to suspend your account? Isn't it already trivial for Google to suspend your account under the current password system?

I think there's a level of confusion here where people think using a passkey on a Google-synced ecosystem can lock you out of access to those passkeys if your Google account is suspended. This is not the case. The most that can happen is that sync between devices would be disrupted, and only for passkeys that have yet to be synced. Once keys are synced, the passkeys live on the device in question, in its secure cryptographic storage, and do not need access to the sync backend to be used.

Again, this just speaks to the level of complexity presented by passkeys and the lack of a comprehensive overview of their function. I know some things have been written up, but I'm thinking some more visual guides/flowcharts are probably needed.
 
Upvote
40 (40 / 0)

okojo

Seniorius Lurkius
14
I tried to create a passkey for Google on my Yubikey. It did not work. Google said that one was created, but Yubico Authenticator only showed my MS passkeys on the Yubikey and Google did not recognize the Yubikey when I tried to use it. No error was given. Nothing seemed to be wrong until I tried to use the Yubikey to sign in. I tried to use my phone's passkey with FIDO Cross Device Authentication and Google Chrome (the QR code thing) and that didn't work either. Just a "Use passkey" prompt on my phone that did nothing when I tapped it. Both devices had Bluetooth enabled and were on the same LAN. This is pathetic.
 
Upvote
14 (14 / 0)

dangoodin

Ars Tribunus Militum
1,642
Ars Staff
Dan Goodin: Google passkeys are a no-brainer. You’ve turned them on, right?
Ron Amadeo: Switching [to passkeys] is probably a terrible idea right now

You do have an Ars Technica Slack, right? I'm wondering if there was a discussion there about the current maturity of Google's passkey implementation...
Ars writers are encouraged to be independent thinkers. Ron and I disagree. So what. Is your preference that all Ars writers march in lockstep behind a perspective that's mandated by the management?
 
Upvote
-1 (23 / -24)
Fair enough. I just updated the post to add:

From Apple:

The FIDO specs require that whatever syncing mechanism a user elects (be it from Apple, Microsoft, Google, or a third party), it provide end-to-end encryption the way iCloud Keychain and password syncing currently do. This means that the private key is unknown to the cloud provider. The private key resides on the device and can only be accessed by unlocking the device using either an unlock PIN, a fingerprint or a face scan.
So like an SSH key, only more complicated. Terrific.
 
Upvote
12 (16 / -4)

mmiller7

Ars Legatus Legionis
12,349
The app is the Camera. On iOS, pointing the normal camera app at the QR code shows a small yellow label/link saying "Sign in with a passkey". Dunno what Android does, but I'd wager it's similar.


View: https://imgur.com/a/35HQNvh

Screenshot is blocked at work, but for Android, at least on my LG and Samsung devices, you need a third-party app to either decode the barcode or act on it (e.g. for magic Coke machines you have to open the Coke app, not the Barcode Scanner app, to "connect" to the machine you are scanning). I assume this would work similarly, having to open some authentication app and scan the code within that.
 
Upvote
6 (6 / 0)

randomuser42

Ars Tribunus Militum
1,666
Subscriptor++
Now I read a story
It seems like you didn't:

The FIDO specs require that whatever syncing mechanism a user elects (be it from Apple, Microsoft, Google, or a third party)
You probably don't use Gmail, I would guess, yet that doesn't really impact your opinion on email as a communication standard and service.

Edit: in your defense that might have been added to the article later
 
Upvote
0 (2 / -2)

dangoodin

Ars Tribunus Militum
1,642
Ars Staff
A question.

If a device with passkeys is fully compromised; does the bad actor now have access to authenticate to all of my accounts everywhere from that device (since he has the passkeys and is passing whatever security that particular device uses)?

I mean: I realize that my Yubikey has a similar problem (if someone physically has it, they can get to all my stuff), so this isn't necessarily new; but still.
If the attacker has the ability to unlock your device they can log in to your account. But by definition a person with the ability to unlock your device (think your iPhone or Android phone) already has access to your account at a minimum, and if you're like many people and sync passwords to that device, they have access to all your accounts anyway.
 
Upvote
14 (17 / -3)

dangoodin

Ars Tribunus Militum
1,642
Ars Staff
That could be fun... I've been to some government facilities that won't let you bring in anything with wireless functionality or cameras (so no phones, no Bluetooth/WiFi devices, etc.). If you need to log into something, the "approved" flow is to use a post-it note to record the 2FA code from your phone outside and bring the post-it note inside to type in (which is a PITA; badging through gates and doors and running up stairs to make it back to a computer before the code expires ought to be some kind of Olympic sport).

I assume government would want something without wireless... though many also seem to ban things that look like thumb drives (and one I've been to for someone's retirement ceremony actually required I empty my pockets TSA-style to be examined entering, to check for contraband).
If only there was a device you could use to authenticate with that didn't require wireless communication. And it'd be great if this device could be used in places with strict compliance requirements. If only. 🤔

Oh wait, there are YubiKeys. 💡
 
Upvote
-16 (8 / -24)

dangoodin

Ars Tribunus Militum
1,642
Ars Staff
Among numerous issues that make me skeptical, the Bluetooth requirement is a hard "No".
Disabled on my phone since day 1, and never on my laptop.
Complete dogshit communication protocol, and should never EVER be part of any authentication scheme.
Bluetooth is one way to prove proximity to your device, but it's not the only one.
 
Upvote
9 (12 / -3)

OceanGrownKush

Wise, Aged Ars Veteran
146
Guessing that'd be those terrible, horrible insecure passwords? Hmmm ....

This seems such a terrible idea. If you know what you're doing, it seems neither easier nor faster nor more secure. I would rather not trust all my security to having a second device with me. And I worry about the power border agents have to compel device biometrics, and through that, access to everything you have a login for.

"You've turned them on, right?" Dear gods, the idea of becoming an early adopter for such a revolutionary and disquieting concept where the bugs are yet to be ironed out, is ... nuts. Even if I was excited about this, I would be waiting half a year before turning them on. The risks of unpredicted edge cases are far too great here.
Pure nonsense
 
Upvote
-13 (3 / -16)

dangoodin

Ars Tribunus Militum
1,642
Ars Staff
It's just not.

Passkeys are more secure than passwords, and so yes, I am using them as much as I can (my primary computer, a desktop, doesn't have any biometrics so I can't use them there).

I'm going to stop you right there. A device need not have biometrics to work with passkeys. Using the unlock password or PIN works just as well.
 
Upvote
13 (13 / 0)

fung0

Ars Praetorian
516
Well, passwords it is then. 🤷‍♂️
I am strongly unwilling to base all my security on any system that is dominated by the likes of Google, Microsoft, Apple, et al.

Unfortunately, the article doesn't explain why passkeys don't work with Linux.
  • Is it because Linux distro suppliers (traditionally very security-conscious) 'haven't been bothered' to implement this marvelous new system? This would make me wonder if they've seen a flaw the author of the article has not mentioned.
  • Or is it because Linux is by nature antithetical to the passkey concept? This would make me wonder if passkeys implementations are by nature limited to commercial, corporate-dominated OSes and devices.
Currently I use an open-source password manager on all platforms, storing strong keys locally in an encrypted archive. A bit cumbersome at times, but it works just fine, depends on no outside support system, and is more than adequate to stop me from being low-hanging fruit for would-be hacks.

Attempts to convince me that passkeys are somehow vastly better for my needs will have to do a lot better before I reconsider this approach.
 
Upvote
26 (30 / -4)
Honestly I am going a bit further than that.

I've been thinking about this a lot lately. This shifts the burden to be nearly entirely the client's fault if this gets fully implemented. Database/password breaches are no longer what compromise individuals, but rather a loss of a physical device or pressing "allow" on their passkey manager. This is a significant shift in liability if anyone's account were to get popped in the future, as they can claim that nothing on their end can prevent this.

And this huge PR push/partial astroturfing claiming it will kill passwords without actually going into said details makes me continue down this rabbit hole.

Not only that, but unless they truly enforce the Bluetooth requirement (which I highly doubt, because that would effectively block people from granting temporary access to family/friends that are far from them), then as a single factor this doesn't actually provide the common person very much security benefit, but provides corporations huge liability benefits.

This does make sense of constant marketing of passkeys. I can't see why so many large companies would be pushing something so obviously half-baked unless it was going to save them a lot of money, and that's a reasonable guess as to how.
 
Upvote
10 (13 / -3)

SeanJW

Ars Legatus Legionis
11,769
Subscriptor++
It sounds like you don't understand how asymmetric encryption works. iCloud Keychain syncs the public key. It never sees or touches the private key.

iCloud Keychain does sync the private keys; the public keys are stored on the web sites. What iCloud Keychain does, though, is encrypt it with keys that Apple does not know and cannot recover. When a passkey is synced to the local keychain from iCloud it gets added to the Secure Enclave and thrown away, so it’s no longer accessible except securely. That way it still works with all the public keys on all the sites out there.
 
Upvote
24 (25 / -1)
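The asymmetric scheme argued over in the posts above (which half of the key leaves the device, and why the site never holds a secret) as an added example in Go; this is not code from Ars, Apple or the FIDO Alliance. It models a minimal WebAuthn-style relying party that stores only public keys, issues single-use challenges and verifies a signed assertion, rejecting a replay and an assertion whose origin is a lookalike site. The origins, the credential-id derivation and the simplified authenticatorData are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is the part of WebAuthn's clientDataJSON this example checks. The
// browser, not the web page, fills in Origin; that is what defeats phishing.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator stands in for the device or synced passkey: the only holder of the private key.
type Authenticator struct{ priv ed25519.PrivateKey }

// RelyingParty stands in for the site: public keys and live challenges only, nothing reusable.
type RelyingParty struct {
	Origin     string
	pubKeys    map[string]ed25519.PublicKey // credential id -> public key
	challenges map[string]bool              // single-use challenges still valid
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin, map[string]ed25519.PublicKey{}, map[string]bool{}}
}

// Register creates a key pair on the authenticator; the site receives only the public half.
func Register(rp *RelyingParty) (*Authenticator, string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, "", err
	}
	id := base64.RawURLEncoding.EncodeToString(pub[:8]) // constructed credential id
	rp.pubKeys[id] = pub
	return &Authenticator{priv}, id, nil
}

// NewChallenge issues a fresh random challenge and remembers it for one use.
func (rp *RelyingParty) NewChallenge() string {
	buf := make([]byte, 32)
	rand.Read(buf)
	c := base64.RawURLEncoding.EncodeToString(buf)
	rp.challenges[c] = true
	return c
}

// Assert is the authenticator's half: sign authenticatorData || SHA-256(clientDataJSON).
func (a *Authenticator) Assert(origin, challenge string) (cdj, authData, sig []byte) {
	cdj, _ = json.Marshal(clientData{"webauthn.get", challenge, origin})
	rpIDHash := sha256.Sum256([]byte(origin)) // simplified stand-in for the RP ID hash
	authData = append(rpIDHash[:], 0x05)       // flags: user present + user verified
	h := sha256.Sum256(cdj)
	return cdj, authData, ed25519.Sign(a.priv, append(append([]byte{}, authData...), h[:]...))
}

// Verify is the site's half: unknown credential, stale challenge or foreign origin all fail.
func (rp *RelyingParty) Verify(credID string, cdj, authData, sig []byte) error {
	pub, ok := rp.pubKeys[credID]
	if !ok {
		return errors.New("unknown credential")
	}
	var cd clientData
	if err := json.Unmarshal(cdj, &cd); err != nil || cd.Type != "webauthn.get" {
		return errors.New("malformed client data")
	}
	if !rp.challenges[cd.Challenge] {
		return errors.New("challenge not outstanding: replay or forgery")
	}
	delete(rp.challenges, cd.Challenge) // consumed even if later checks fail
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin %q is not %q: phishing page?", cd.Origin, rp.Origin)
	}
	h := sha256.Sum256(cdj)
	if !ed25519.Verify(pub, append(append([]byte{}, authData...), h[:]...), sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() { // constructed origins; the lookalike host plays a phishing page
	rp := NewRelyingParty("https://example.com")
	auth, id, _ := Register(rp)
	cdj, ad, sig := auth.Assert("https://example.com", rp.NewChallenge())
	fmt.Println("login:", rp.Verify(id, cdj, ad, sig), "| replay:", rp.Verify(id, cdj, ad, sig))
	cdj, ad, sig = auth.Assert("https://login.example.net", rp.NewChallenge())
	fmt.Println("phished:", rp.Verify(id, cdj, ad, sig))
}
```

In a real browser the phishing case never reaches the server, because the browser refuses to use a credential for an RP ID other than the one it was registered under; the origin check here is the server-side backstop.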

Tech17

Seniorius Lurkius
22
Trust Google? Well, that's a pretty tough starting point. Google only really does things (like any for-profit) that give it an advantage. It (and others) have attempted to plunder people for data/information, often without telling them (one of its latest nefarious moves was to require Google "precise location" for Google Maps to use your inbuilt GPS on an Android phone, which, of course, gives Google your permission to plunder the ether around you for interesting WiFi networks, since precise location requires giving Google unrestrained access to the WiFi interface, and the cell tower location information too, BTW).

Then compounding that trust request with trusting Microsoft and Apple as well? Apple is the least worry, of course, since it at least marketed itself as protecting user data/identity/communications. That said, it also leaks user information from time to time.

There's no independent trust authority in the world that I can think of. Passwords it is - nice long ones with no fragments from any known language and that are unique and not reused.
 
Upvote
3 (10 / -7)
It's a shame this post is so highly upvoted, because it's based on a fundamental misunderstanding. You need to have your phone to scan the QR code exactly once when logging in from a new device. After that you won't be "having to go find your phone." As for having to "go thru some setup for fingerprints," anyone who has set up Face ID or fingerprint scanning on their Mac, iPhone, Android device, or Windows computer has already done this. And if your device doesn't support fingerprint or face ID, you can always simply enter the unlock PIN.

tl;dr: despite all the upvotes, this comment is misinformed.

Doing this once per account per device is still a huge burden.

Also, lots of people haven't set up Face ID or fingerprint scanning, because of privacy and security concerns.
 
Upvote
5 (16 / -11)
Can you explain how passkeys make it easier for Microsoft et al. to "nuke your account"? Even if these companies could delete the passkey from your device, what exactly would stop you from simply logging in with your password the way you always used to?

The corporations pushing passkeys as a standard are extremely open about the fact that they're trying to remove password support. It's extremely naive to think that people talking about how passkeys are going to kill the password will support both authentication methods.
 
Upvote
24 (27 / -3)