Passwordless Google accounts are easier and more secure than passwords. Here’s why.

SeanJW

Ars Legatus Legionis
11,769
Subscriptor++
Why not simply bring a couple Yubi keys with you when you travel. How is bringing a hard copy easier?

I travel with a Chromebook that has a platform-specific key (so it pops up and asks for the device PIN), my phone's passkey (which also works with it), and, as a last resort, an Ars YubiKey 4 on my key ring. I figure if I’m ever locked out at that point, I deserve to be, and can wait until I get one of the other spare hardware keys out of a drawer at home.
 
Upvote
5 (5 / 0)

lithven

Ars Tribunus Militum
2,186
If only there was a device you could use to authenticate with that didn't require wireless communication. And it'd be great if this device could be used in places with strict compliance requirements. If only. 🤔

Oh wait, there are Yubi keys. 💡
To be fair, the government likes to move very slowly. I used to be on a computer system in a room where I couldn't bring in anything with wireless, cameras, or an ability to "store data" (yes, that was enforced as arbitrarily as it sounds). So the only option was a long, frequently changing password with some pretty strict rules regarding required characters. It's a real pain in the *** and not in any way more secure, since I know most people just used some formula to generate the new password every 90 days or whatever the requirement was. I hope the powers that be eventually move to more modern times, but until then it is simply not allowed. Having said that, such systems are completely unaffected by this move to 2FA and passwordless login, so I'm not sure why it was brought up as some sort of edge case that needs to be solved.
 
Upvote
8 (10 / -2)

dangoodin

Ars Tribunus Militum
1,642
Ars Staff
Upvote
-2 (9 / -11)

SeanJW

Ars Legatus Legionis
11,769
Subscriptor++
Doing this once per account per device is still a huge burden.

Also, lots of people haven't set up Face ID or fingerprint scanning, because of privacy and security concerns.

It is a hassle per account, per device. Hence why when everyone other than Apple finally gets sharing done, it’s once per ecosystem per account. I add my Mac to things, my iPad and iPhone come along for the ride for free.

I have a Chromebook, and a Windows laptop with a nano-Key, and a couple of spares. They’re the pains, not the Apple devices that use a PassKey.
 
Upvote
14 (14 / 0)

randomuser42

Ars Tribunus Militum
1,666
Subscriptor++
To be fair, the government likes to move very slowly. I used to be on a computer system in a room where I couldn't bring in anything with wireless, cameras, or an ability to "store data" (yes, that was enforced as arbitrarily as it sounds). So the only option was a long, frequently changing password with some pretty strict rules regarding required characters. It's a real pain in the *** and not in any way more secure, since I know most people just used some formula to generate the new password every 90 days or whatever the requirement was. I hope the powers that be eventually move to more modern times, but until then it is simply not allowed. Having said that, such systems are completely unaffected by this move to 2FA and passwordless login, so I'm not sure why it was brought up as some sort of edge case that needs to be solved.
Government laptops I use (yes, plural, lucky me) all use PIV cards and a PIN for authentication, so it's not like a YubiKey is really needed. What's trickier is if you have an account you want to log into on your government machine, which you should probably be careful about doing in the first place. Even then, YubiKeys present themselves as standard USB keyboards, and pressing the button just makes the keyboard "type." I'd ask IT first to avoid surprises, but it should work fine.
 
Upvote
7 (7 / 0)
There are many misconceptions about passkeys...
and with good reason. After reading many articles here and on other sites (Apple, Google among them), and asking multiple questions, I'm left with conflicting descriptions and definitions, poorly worded use cases and no idea whether my questions/concerns are valid or not.

If it's supposed to be "simple", how about starting with a bullet list:
This is what you must have to use passkeys

and go from there.
 
Upvote
42 (42 / 0)
No one is telling anyone to "switch to passkeys." This article is suggesting anyone who wants to use 2FA give passkeys a try. Again, passkeys aren't an either/or thing. Turning on passkeys doesn't prevent you from using passwords at any time. What, exactly, is strange about an article that encourages people to give passkeys a try?
Asking people to try out beta software is similar to asking people to switch as it will cause them to enroll into software that is not ready for mass consumption. By enrolling, people are skewing the metrics of adoption which could further encourage passwords to be deprecated faster. Companies have every incentive to remove passwords because it makes their lives easier, while ignoring the burden that is shifted onto the end user.
 
Upvote
27 (29 / -2)
Come on, people. You keep repeating the same fallacies I and others have already shot down. Bluetooth is NOT a requirement and if you think it is, you clearly don't understand how passkeys work and should refrain from commenting further until you educate yourself.
Bluetooth, according to the white paper, is required for non-verified devices. Is this not the case? Can you link to papers more detailed than FIDO's vague white paper?
 
Upvote
39 (40 / -1)
You don't have to trust the big three to use passkeys. By all means, keep using passwords, but please inform yourself before commenting.

How about the people who are trying to convince everyone to drastically change personal and professional workflows actually provide a clear overview of how this works and some compelling reasons for why we should.

Also - you do realize this is really bad behavior on your part? Readers have very obviously found this piece confusing and lacking in vital details, and pulling out the 'do ur own research' gambit in the comments on your own article is really disappointing. This isn't a forum argument, this is readers telling you we need a better explanation.
 
Last edited:
Upvote
52 (55 / -3)

SeanJW

Ars Legatus Legionis
11,769
Subscriptor++
Does that not undermine the security advantages of passkeys? If you have to leave passwords enabled as a fallback, then won't that just be the attack vector?

Certainly could be. So…. If you’re never typing in your long random unique password all the time…. How is it going to leak?
 
Upvote
-4 (3 / -7)

dangoodin

Ars Tribunus Militum
1,642
Ars Staff
How is this multistep process easier than filling in a password?
Do you use a Yubi key or phone app like Authy for 2FA? There's a multi-step process when you do, but that multi-step process generally occurs once per account per device. After that, you just log in. Passkeys work the same way.
 
Upvote
-5 (5 / -10)

Laramar

Wise, Aged Ars Veteran
114
How do you ensure your recovery codes haven't been copied/compromised during the trip? I wouldn't want such a high-value document anywhere on my person or luggage when traveling, I'd want it locked up in a safe at home.
You could disguise your recovery codes. For example, if your recovery code is 12345, create a fake recipe like:
1 lobster
2 tbsp vinegar
3 cups sugar
4 tbsp soy sauce
5 celery sticks
 
Upvote
-5 (2 / -7)

Penguin Warlord

Ars Tribunus Militum
1,933
Subscriptor++
I honestly don't know how you're possibly squaring away the length of this article, the explicit statement that this article cannot provide step-by-step instructions for using passkeys because there are too many complicated variations and flows across platforms, and the requirement of needing two separate devices, with it being "easier".

Passkeys might be more secure, but they feel half-baked at this point from a UX standpoint. A traditional password manager that autofills a securely generated password, combined with a YubiKey for two-factor, is still a far simpler and easier login process than passkeys.
 
Upvote
36 (39 / -3)

dangoodin

Ars Tribunus Militum
1,642
Ars Staff
If you're traveling and need guaranteed access to a 2FA protected account then bring the codes with you. They can be changed when you get home if you're worried about it. If you're worried an adversary is going to be able to target you specifically and get those codes and your (strong, unique) password simultaneously, well then there's probably not really anything you can do.

Your other alternatives are to bring a device that doesn't need 2FA and leave it in your hotel (and if your adversary is so sophisticated that they are targeting your hard copy codes and have one password already then that's not going to work!) or disable 2FA which is, obviously, worse.
I still don't understand how/why bringing codes with you on a trip is easier or safer than bringing a couple of YubiKeys.
 
Upvote
-3 (7 / -10)

ardent

Ars Legatus Legionis
12,466
Come on, people. You keep repeating the same fallacies I and others have already shot down. Bluetooth is NOT a requirement and if you think it is, you clearly don't understand how passkeys work and should refrain from commenting further until you educate yourself.
Honestly I feel like the article should have been "Google rolls out service it requires all of its employees to use for systems access -- and it's not alone in requiring passkeys, here are 30 other Fortune 50 companies who use them" and then had a link to an article on the technical details.

Most companies use them in concert with something like a 2FA implementation (auth tokens, as an example), but the point is to move away from passwords as much as possible. Unfortunately, Active Directory still has a password field, and unless your security office is crazy they won't let you change it to "not required / never changes."
 
Upvote
11 (11 / 0)

dudeimlost

Ars Scholae Palatinae
837
Ars writers are encouraged to be independent thinkers. Ron and I disagree. So what. Is your preference that all Ars writers march in lockstep behind perspective that's mandated by the management?
Dan, you hold the title of senior editor for a medium that exists in an era where the borderline between factual reporting and opinion pieces is long gone, and the boundary of what is considered journalism has been stretched far.

IMO, this sort of criticism isn't out of line for a strongly worded subheading on an article that doesn't state a clear distinction between the facts being presented and the expressed opinion about passkeys, the latter of which clearly clashes with the opinion of another prominent Ars editor and (apparently) a number of readers who have just been indirectly referred to as brainless...
 
Upvote
36 (40 / -4)
I think there's a level of confusion here where people think using a passkey on a Google-synced ecosystem can lock you out of access to those passkeys if your Google account is suspended. This is not the case. The most that can happen is that sync between devices would be disrupted, and only for passkeys that have yet to be synced. Once keys are synced, the passkeys live on the device in question, in its secure cryptographic storage, and do not need access to the sync backend to be used.

Again, this just speaks to the level of complexity presented by passkeys and the lack of a comprehensive overview of their function. I know some things have been written up, but I'm thinking some more visual guides/flowcharts are probably needed.

This is exactly the kind of information that needed to be in the article.

This whole article, and Dan's behavior in the comments, is so dramatically below the quality I expect of Ars and Dan. I'm really disappointed.
 
Upvote
30 (36 / -6)

ERIFNOMI

Ars Legatus Legionis
17,192
No, it’s not. You’re still easily phishable (yeah, I know you think otherwise. Lots of people make that mistake.) and that’s the most popular way to compromise people.



Passkeys are much, much easier to use so I don’t think this qualifies as fatal.
I didn't say passwords are perfectly safe. Of course there are issues. That's why we have 2FA. Good luck doing anything with my phished password without my Yubikey.

Passwordless systems address issues with passwords, the biggest of which is that most people are fucking terrible with passwords. They often use easy to guess passwords, reuse passwords across sites/services/devices, and if they're forced to use a password even marginally better than their normal awful password, they write it down on a post it note.
 
Upvote
2 (4 / -2)

krimhorn

Ars Legatus Legionis
39,865
It all sounds well and good... right up to the point Google decides to abandon the program in three years.
They won't abandon it but they will slowly evolve it so that it doesn't work effectively with the standard, except the most minimal parts, and make it so that other implementations must support theirs.
 
Upvote
15 (15 / 0)
It’s nowhere near as complicated as you’re making it out to be.
Why does everyone that responds with "do your own research" not actually educate people with sources in their response?

If it's so easy then pointing to the diagrams, papers and explanation articles should be easy.

What happens if you try to authenticate to a non-bluetooth enabled device? Do you need a yubikey to do this?

If Bluetooth isn't needed, and a physical device like a YubiKey isn't needed, how are approvals occurring for non-authenticated devices? Is it just a push notification?

If there's a password backup for the underlying passkey storage, how is this any better in the end?

Why are these answers not clearly laid out in any blog post? These should be definitively easy answers.
 
Upvote
47 (49 / -2)
I didn't say passwords are perfectly safe. Of course there are issues. That's why we have 2FA. Good luck doing anything with my phished password without my Yubikey.

Passwordless systems address issues with passwords, the biggest of which is that most people are fucking terrible with passwords. They often use easy to guess passwords, reuse passwords across sites/services/devices, and if they're forced to use a password even marginally better than their normal awful password, they write it down on a post it note.

And these people that are terrible with passwords are no better with passwordless auth. Which is why the confusion about whether Bluetooth is required or not for unauthenticated devices is absolutely critical to answer.
 
Upvote
11 (12 / -1)

danann

Smack-Fu Master, in training
89
How do I delete these "automatically created passkeys" from Android devices?

I don't want it on some insecure devices (e.g. kitchen tablet), same way I don't install my password manager, 2FA and banking apps on it. It's insecure by design as anyone in the house should be able to use it freely.

Automatically creating these on every Android device seems like a bad move from Google.

Website doesn't give an option and searching for "passkey" in Android settings brings up nothing.
 
Upvote
17 (18 / -1)

dangoodin

Ars Tribunus Militum
1,642
Ars Staff
Not only no, but fuck no. Especially not from Google.
I don't understand. If you don't trust Google, you must not have an account with them, and obviously this post isn't for you. But for readers who do use Google, using a passkey to log in vs. a password gives Google no more control than it already has.
 
Upvote
8 (17 / -9)

Deleted member 853683

Guest
There's an easier answer than this. The fallback mechanism is this thing called a password. You use it anytime a device is lost, stolen, breaks. You can also use the password simply because you don't like passkeys.
Maybe this is a messaging issue, but isn't the end goal of passkeys to get us to a passwordless world? Or are passwords now being envisioned as a recovery or backup solution? I feel like the way they were sold, passkeys were supposed to totally obviate the need of a password.

I guess if passwords end up being recovery codes, then fair enough, but I'm actually not sure that's any better than what we have now. It might even be worse vs. something like emailing the user a one-time link to get back into their account, since that doesn't require they store anything, it's backed by another layer of security (the email login), and it expires after use or a specific time window.
 
Last edited by a moderator:
Upvote
40 (40 / 0)

AxMi-24

Ars Legatus Legionis
10,345
I think the ARS audience is way ahead of the curve in terms of using a password manager and having their credentials safely in order. Lots of normal people have no real system of keeping their passwords and have a total mess where they end up having to recover the password practically every time they login. Getting those people on to a secure and reliable system would be a big improvement for them. We'll see if passkeys are helpful for that. At this point it sounds way too confusing and incomplete to be something I'd suggest someone like that try.
Except that those same people will have a single device and then be permanently locked out of their entire digital life. How that is better is beyond me. Those of us who understand the value of backups will not use anything where you depend on an arbitrary decision by Google/Apple/MS/whoever, and will stick to things like U2F keys (much cheaper to have plenty of them, and no need for BT or similar).
 
Upvote
5 (7 / -2)
Well I'm definitely not bothering with biometrics in any case, for a myriad of reasons outside privacy concerns, but I'm interested in this tech. It does seem easier and more secure as indicated, but I still have one big question.

Alright, so I convert to passkeys, create one, make it the only way to log into my account, and then my device is destroyed, completely and utterly, like by a wild hog or something. How do I log back in? Secondly, I am often in an environment where I need to log onto numerous devices with my credentials. Is there a quick painless way to destroy passkeys as I move along from one device to the next? Lastly, I have a number of devices with no biometric reading, no camera, no bluetooth. How do they sync?

I fear the only solution to these is using standard 2FA as a backup, which means once that's hacked it makes the new system entirely vulnerable to the old, which is unfortunate. However, I do genuinely hope there are simple answers I'm overlooking to the questions I presented.
 
Last edited:
Upvote
10 (13 / -3)
Well I'm definitely not bothering with biometrics in any case, for a myriad of reasons outside privacy concerns, but I'm interested in this tech. It does seem easier and more secure as indicated, but I still have one big question.

Alright, so I convert to passkeys, create one, make it the only way to log into my account, and then my device is destroyed, completely and utterly, like by a wild hog or something. How do I log back in?
According to FIDO's whitepaper - they work under the assumption that you will have multiple devices to recover each other:

This means that the security and availability of a user’s synced credential depends on the security of the underlying OS platform’s (Google’s, Apple’s, Microsoft’s, etc.) authentication mechanism for their online accounts, and on the security method for reinstating access when all (old) devices were lost. While this may not always meet the bar for use cases that require, say, AAL3, it is a huge improvement in security compared to passwords: each of the referenced platforms apply sophisticated risk analysis, and employ implicit or explicit second factors during authentication, thus giving AAL2-like protections to many of their users. This shift from letting every service fend for themselves with their own password-based authentication system, to relying on the higher security of the platforms’ authentication mechanisms, is how we can meaningfully reduce the internet’s over-reliance on passwords at a massive scale
 
Upvote
27 (28 / -1)
Wait, how does turning on passkeys cause people to "uproot their entire digital process"? Once you save a passkey, you are 100% able to continue logging in with a password exactly as you have done in the past. This comment is a prime example of what I mean about criticisms being based on fundamental misunderstandings.
Because the entire purpose of passkeys is to replace passwords. If enrollment is akin to voting, you are voting for passkeys without actually approving of the process.
 
Upvote
29 (32 / -3)

dangoodin

Ars Tribunus Militum
1,642
Ars Staff
I understand that fingerprints and face scans are supposed to never leave the device. But how is this enforced? Is just us trusting a hardware manufacturer to adhere to a standard or are there physical barriers to this?

I used to think webcam "on" indicators were actually in line serially with the webcam, so that any power to the webcam would necessarily turn on the indicator. Later it was revealed that they were separate, and so a bad actor could turn on the webcam without the indicator being on.

So is it the case that fingerprints, etc, definitely don't leave the device or that they don't leave the device as long as now and forever in the future the makers of hardware choose to make that the case?
Do you use fingerprints or face scans to unlock your iPhone or Android device? If yes, the process used by WebAuthn is precisely the same. If you don't trust using biometrics to unlock your iPhone or Android device, fair enough, but this concern goes well beyond WebAuthn or passkeys.

And even if you do NOT trust using biometrics to unlock your device, you can STILL use passkeys and simply enter the device unlock password.
 
Upvote
2 (11 / -9)
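As an added example that is not part of the article or of any comment above: the WebAuthn exchange Dan refers to, in which a passkey answers a challenge for a relying party, modelled in Go with only the standard library. It also illustrates the phishing point argued earlier in the thread: nothing biometric and no password travels over the wire, the browser (not the page) records the origin the user is actually on, and the relying party checks that origin, the RP ID hash and the fresh challenge before trusting the signature. The RP ID "example.com", the origins and the challenge strings are constructed sample values, and the model is deliberately reduced (no attestation, no sign-counter tracking, no CBOR encoding); it is not a real WebAuthn library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the clientDataJSON fields a relying party must check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is everything the relying party receives: public data plus a signature.
type Assertion struct {
	AuthData       []byte
	ClientDataJSON []byte
	Signature      []byte
}

// Authenticator models the passkey holder. The private key never leaves it; the PIN
// or biometric check only gates whether Sign runs, so it is never part of the message.
type Authenticator struct {
	priv *ecdsa.PrivateKey
	rpID string // relying party the key was created for, e.g. "example.com"
}

func NewAuthenticator(rpID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, rpID: rpID}, nil
}

// signedPayload is the WebAuthn signature base: authenticatorData || SHA-256(clientDataJSON).
func signedPayload(authData, cdJSON []byte) []byte {
	h := sha256.Sum256(cdJSON)
	return append(append([]byte{}, authData...), h[:]...)
}

// Sign answers a challenge. The browser, not the web page, supplies origin as the site
// the user is really on, so a look-alike site only ever gets an assertion bound to itself.
func (a *Authenticator) Sign(challenge, origin string) (*Assertion, error) {
	cdJSON, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(a.rpID))
	// authenticatorData = rpIdHash (32 bytes) || flags (UP|UV) || signCount (4 bytes)
	authData := append(rpHash[:], 0x05, 0, 0, 0, 1)
	digest := sha256.Sum256(signedPayload(authData, cdJSON))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, ClientDataJSON: cdJSON, Signature: sig}, nil
}

// Verify is the relying party's check; it holds only the public key registered earlier.
func Verify(pub *ecdsa.PublicKey, wantChallenge, wantOrigin, rpID string, as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != wantChallenge {
		return errors.New("wrong ceremony type or challenge: stale or replayed assertion")
	}
	if cd.Origin != wantOrigin {
		return errors.New("origin mismatch: assertion was produced for another site")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(rpHash[:]) {
		return errors.New("rpIdHash mismatch: key belongs to another relying party")
	}
	digest := sha256.Sum256(signedPayload(as.AuthData, as.ClientDataJSON))
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	// RP ID, origins and challenges below are constructed sample values.
	auth, err := NewAuthenticator("example.com")
	if err != nil {
		panic(err)
	}
	pub := &auth.priv.PublicKey
	good, _ := auth.Sign("challenge-1", "https://example.com")
	fmt.Println("real site:      ", Verify(pub, "challenge-1", "https://example.com", "example.com", good))
	phish, _ := auth.Sign("challenge-1", "https://examp1e.com") // browser reports the true origin
	fmt.Println("look-alike site:", Verify(pub, "challenge-1", "https://example.com", "example.com", phish))
	fmt.Println("replayed later: ", Verify(pub, "challenge-2", "https://example.com", "example.com", good))
}
```

In a real browser the look-alike case fails even earlier, because credentials are scoped to the RP ID and the browser will not offer an "example.com" passkey to a different site at all; the origin check shown here is the relying party's own backstop for the same property. The device-unlock step (PIN, fingerprint, face) decides only whether Sign runs; it contributes nothing to the bytes the server sees, which is the mechanical reason a biometric template has no path off the device in this protocol.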