Passwordless Google accounts are easier and more secure than passwords. Here’s why.

adamsc

Ars Praefectus
4,244
Subscriptor++
If you write an article to tell us that passkeys are great, and a bunch of people comment that they sound terrible, then something's wrong with the way you tried to convince us.

Or, as we’ve seen in both recent threads, a group of people who read something scary about WebAuthn and didn’t verify the technical details but didn’t let that stop them from repeating the same falsehoods in every story. When you have a W3C standard implemented by most of the industry and recommended by almost all actual security experts, it’s probably not the case that someone randomly confabulating in a message board has uncovered a fatal drawback everyone else missed.
 
Upvote
-16 (22 / -38)
The cynic in me wants to lean towards marketing at least from Google's end. I feel like I see less explanations of the mechanics of Passkeys and more Google shoehorning the phrase "death of the password" into as many news releases as possible.
Honestly I am going a bit further than that.

I've been thinking about this a lot lately. This shifts the burden to be nearly entirely the client's fault if this gets fully implemented. Database/password breaches are no longer what compromise individuals, but rather a loss of physical device or pressing "allow" on their passkey manager. This is a significant shift in liability if anyone's account were to get popped in the future as they can claim that nothing on their end can prevent this.

And this huge PR push/partial astroturfing claiming it will kill passwords without actually going into said details makes me continue down this rabbit hole.

Not only that, but unless they truly enforce the bluetooth requirement (which I highly doubt because that would effectively block people from granting temporary access to family/friends that are far from them) then as a single factor, this doesn't actually provide the common-person very much security benefits, but provides corporations huge liability benefits.
 
Upvote
40 (43 / -3)

randomuser42

Ars Tribunus Militum
1,666
Subscriptor++
than potentially copied sheet with all your services/usernames/passwords
Now you're putting words in my mouth, and you know it too because you didn't do it in your original response. I guess it occurred to you that 2FA codes are useless by themselves and easily changed.

the rest stays in my wallet and can easily be replaced if compromised.
It's a lot harder to change your PII than it is to revoke and change 2FA codes
 
Upvote
15 (16 / -1)

Deleted member 853683

Guest
I have to wonder how much more secure it is in practice. It seems to me that it's a pretty complex system with lots of moving parts. The more complex something is, the more likely there are security issues.

I get the theoretical improvement, but the devil is in the (implementation) details. I think I'd rather wait and see than jump in with both feet.
Maybe.

I don't have a lot of security concerns with the standard (it's mostly the UX for recovery and migration that is the issue IMO). But more moving parts definitely makes passkeys more difficult to implement for service providers. Google can do it, and I'm sure other big tech companies won't have major problems, but what about local businesses, fan forums, government services, and others who roll their own?

I guess the "consolation" there is that despite the "100% secure" badges that tend to get plastered on those sites, there's already no guarantee anyone is doing a good job with security. So a buggy passkey implementation might not actually be any worse than what they're already doing.
 
Upvote
8 (8 / 0)

ERIFNOMI

Ars Legatus Legionis
17,192
If you use strong passwords, never use the same password (or an obvious variation like your dog’s name + the company name) on multiple sites, and never get phished, you’re fine if slower and less convenient. Unfortunately, that doesn’t work in practice - the reason why Apple, Google, and Microsoft implemented this is that they have literally millions of users who were compromised after failing at least one of those requirements.
That's exactly what I said.

I have completely unique and random passwords everywhere because I use a password manager. Normal people stick to one god awful password or password formula that inevitably gets leaked and now every account they have is exposed.
 
Upvote
-7 (3 / -10)

adamsc

Ars Praefectus
4,244
Subscriptor++
Guessing that'd be those terrible, horrible insecure passwords? Hmmm ....

This seems such a terrible idea. If you know what you're doing, it seems neither easier nor faster nor more secure. I would rather not trust all my security to having a second device with me.

The fallback if you lose access to every device is a recovery code. That’s better than a password because it’s strong, unique, and can only be used once.

And I worry about the power border agents have to compel device biometrics, and through that, access to everything you have a login for.

They can also compel passwords (or use the CCTV recording they got of you entering them). In a border crossing situation, your choice is unlock the device or head home if they don’t jail you. There is no magical option where they just give up because you outsmarted them - the solution is not to travel there or use a disposable device without any data you can’t afford to lose if you visit a country like China or the United States.
 
Upvote
13 (16 / -3)
The way a person who primarily uses Android and Linux logs in will look different and use a different flow than a person who uses all Apple platforms or a person who uses iOS or Android with Windows. There’s no way to list step-by-step instructions for all platforms in one article.

Well, if that isn't a recipe for disaster.
 
Upvote
47 (48 / -1)

tjukken

Ars Praefectus
4,004
Subscriptor
Or, as we’ve seen in both recent threads, a group of people who read something scary about WebAuthn and didn’t verify the technical details but didn’t let that stop them from repeating the same falsehoods in every story. When you have a W3C standard implemented by most of the industry and recommended by almost all actual security experts, it’s probably not the case that someone randomly confabulating in a message board has uncovered a fatal drawback everyone else missed.
The fatal drawback isn't technical, rather it's about ease of use.
 
Upvote
21 (24 / -3)

adamsc

Ars Praefectus
4,244
Subscriptor++
Among numerous issues that make me skeptical, the bluetooth requirement is a hard "No".
Disabled on my phone since day 1, and never on my laptop.
Complete dogshit communication protocol, and should never EVER be part of any authentication scheme.
Good news, it’s still not a requirement and never has been.
 
Upvote
0 (13 / -13)

Schpyder

Ars Tribunus Angusticlavius
9,942
Subscriptor++
Well, let's see:

My home desktop has no bluetooth hardware at all. This could be solved pretty easily, but given that my work laptop has BT blocked by IT, why would I bother?

This feels like one of those solutions that was designed by and for Big Tech company engineers or WFH freelancers who can do anything they like with their hardware, not something that needs to be compatible with onerous corporate or governmental IT policies.
 
Upvote
26 (33 / -7)
The fallback if you lose access to every device is a recovery code. That’s better than a password because it’s strong, unique, and can only be used once.
Where do you keep those recovery codes and how do you get to them? Especially if, say, you drop your phone in a well while abroad?
 
Upvote
19 (21 / -2)
Good news, it’s still not a requirement and never has been.
This is why everyone has issues with all these articles. Some claim bluetooth is required for proximity verification, others say it isn't. The "official" documentation is severely lacking, the password manager documentation doesn't actually state one way or the other. This seems like an incomplete integration.
 
Upvote
46 (49 / -3)
Or, as we’ve seen in both recent threads, a group of people who read something scary about WebAuthn and didn’t verify the technical details but didn’t let that stop them from repeating the same falsehoods in every story. When you have a W3C standard implemented by most of the industry and recommended by almost all actual security experts, it’s probably not the case that someone randomly confabulating in a message board has uncovered a fatal drawback everyone else missed.
It’s a matter of perspective. Security experts worry about a third party getting into their stuff. Non-security experts worry about accidentally irreversibly encrypting all of the family photos.
 
Upvote
43 (45 / -2)

Isaacc7

Ars Centurion
307
Subscriptor
Sigh. Here we go again. The passkeys topic brings out the worst in the comments here and HN. Lots of paranoia and general spreading of FUD.

None of the “big three” tech companies will be gatekeepers to your passkeys. Passkeys are held on a device. If you don’t want to sync your passkey via some sort of service then put the same passkey on multiple devices. You only have one device and now it’s gone? That is the same problem as password managers without sync. In the end you will have to reauthenticate with different services just like you would in any similar case of being locked out. Most people will sync their passkeys like they do their passwords. And no, if Google shuts down your account they can’t disable the passkeys you already have on your devices. You’ll lose their sync service but you could then start using another one instead.

Passkeys can’t be phished, can’t be forgotten, can’t be gotten through data leaks, and are inherently unique and secure. Those are really big improvements. They are also easier to use because once they are on your device authentication is simple.
 
Upvote
1 (25 / -24)
No, it’s not. You’re still easily phishable (yeah, I know you think otherwise. Lots of people make that mistake.) and that’s the most popular way to compromise people.



Passkeys are much, much easier to use so I don’t think this qualifies as fatal.
Passkeys without bluetooth proximity are going to be just as easy (if not easier) to phish due to push notification authentication.
 
Upvote
-10 (2 / -12)

sykosoft

Smack-Fu Master, in training
79
You’ve turned them on, right?

No, nor will I. Despite the concept of it being inherently "more secure", it's also inherently dangerous for your life outside of technology. Consider the legal ramifications of doing so, and really anything, before proceeding! Some may suggest that this is mere paranoia, or "do you have something to hide?", but, keep in mind that the Supreme Court has upheld that you cannot be compelled to provide something you know, but that you can be compelled to provide something you have, and something you are.

Essentially, police, and other authorities can compel face unlock and fingerprint unlock (biometrics), but cannot force or compel you to provide your password.

Therefore, your accounts, devices, etc, would now be subject to fully lawful search (even under amendments supposedly preventing this), and would have the capability to do so under many circumstances, including within 100 miles of a border.

There's no situation in which I would be happy to provide this.

If you use biometrics on your mobile devices, get familiar with its LOCKDOWN feature. Both iOS and Android provide this functionality. And good news, it's still entirely possible to record while a device is in lockdown (on both platforms).

No, unfortunately, I won't be enabling this unless it comes with the ability to provide another factor in addition, such as a pin, pattern, or photo unlock.

EDIT: Added a note about legal ramifications.
 
Upvote
34 (48 / -14)

SeanJW

Ars Legatus Legionis
11,769
Subscriptor++
A question.

If a device with passkeys is fully compromised; does the bad actor now have access to authenticate to all of my accounts everywhere from that device (since he has the passkeys and is passing whatever security that particular device uses)?

I mean: I realize that my Yubikey has a similar problem (if someone physically has it, they can get to all my stuff), so this isn't necessarily new; but still.

No, they’re supposed to be stored in secure storage such as a TPM or Secure Enclave that requires either a PIN/passcode or biometrics to unlock.

With a Yubi key (and most FIDO2 authentications), you can also require a PIN/passcode to use it too, so just getting it doesn’t have to be catastrophic.
 
Upvote
7 (8 / -1)

adamsc

Ars Praefectus
4,244
Subscriptor++
This is why everyone has issues with all these articles. Some claim bluetooth is required for proximity verification, others say it isn't. The "official" documentation is severely lacking, the password manager documentation doesn't actually state one way or the other. This seems like an incomplete integration.

It’s only a problem in that the comment sections are full of people repeating FUD without verifying any of the details (similar to the urban legends about biometrics).

Passkeys work on any device you’ve enrolled. Each device has a key which can be used to login and that works even if you’re in airplane mode on an isolated network.

Where Bluetooth comes in is one option when you want to use a system which does not have the passkey but you have something like a phone which does. You could login on, say, a public computer by using your phone to answer the challenge for that computer, where Bluetooth prevents an attack from occurring at more than a short distance from your phone (i.e. some guy in Belarus trying to phish you can’t do local Bluetooth and even if they could, the response timing check would fail). This is a convenience for that scenario but if that’s not something you do, you don’t need to think about it.
 
Upvote
-16 (17 / -33)
Every service I've used that does recovery codes (usually required when enabling TOTP 2FA), basically yells at you HERE ARE YOUR RECOVERY CODES, SAVE THEM SOMEWHERE SAFE AND PRINT THEM OUT AS HARD COPY when you get to the point of setup where they'd be activated. This is not something, I think, that is actually worth worrying about people overlooking.
Talk about overlooking. "Somewhere safe" means "somewhere only I can get to after authenticating". This is like saying that I need to keep the spare key to my safe in my safe.

Also, how is the hard copy going to help when I'm abroad and can't get to it?
 
Upvote
29 (30 / -1)
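The recovery-code claim made earlier in the thread ("strong, unique, and can only be used once") is a server-side property, not something the printed slip of paper provides by itself. As an added example, not code from the article or any vendor, this is what a service has to do for the claim to hold: generate codes from a transcription-friendly alphabet, store only a salted hash (a recovery code is a password-equivalent secret), compare in constant time, and burn each code on first successful use. The alphabet, code length and PBKDF2 cost are assumptions.

```python
"""Single-use account recovery codes: issue, store hashed, redeem once.
Added example, not from the article or any vendor's code base."""
import hashlib, hmac, secrets

ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"   # no 0/O, 1/l/I: survives being read off paper
CODE_LEN = 10                                   # 31**10 is about 2**49.5; fine behind a rate limit
PBKDF2_ROUNDS = 100_000                         # assumed; tune like any password hash

def _normalize(code):
    # accept the printed form (dash, spaces, either case) and the raw form alike
    return code.replace("-", "").replace(" ", "").lower()

def _digest(code, salt):
    # codes are handed out once and never shown again, so store them like passwords
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, PBKDF2_ROUNDS)

def issue_recovery_codes(n=8):
    """Returns (plaintext codes to show the user exactly once, records to persist)."""
    codes, records = [], []
    for _ in range(n):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        salt = secrets.token_bytes(16)
        codes.append(raw[:5] + "-" + raw[5:])
        records.append({"salt": salt, "hash": _digest(raw, salt), "used": False})
    return codes, records

def redeem_recovery_code(records, submitted):
    """Consume exactly one matching unused code. Returns True on success.
    Every unused record is checked so a wrong code costs the same as a right one."""
    hit = None
    for rec in records:
        if rec["used"]:
            continue
        if hmac.compare_digest(rec["hash"], _digest(submitted, rec["salt"])) and hit is None:
            hit = rec
    if hit is None:
        return False
    hit["used"] = True                          # burn it: the same code never works twice
    return True

if __name__ == "__main__":
    shown_once, stored = issue_recovery_codes(3)
    print("give the user:", shown_once)
    print("first use:", redeem_recovery_code(stored, shown_once[0]))
    print("second use:", redeem_recovery_code(stored, shown_once[0]))
```

The server-side answer to "where do you keep them" is this table of hashes; the user-side answer is whatever place the user can reach without the account they are recovering, which is the part no code can fix and the part the post above is complaining about.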

crepuscularbrolly

Ars Tribunus Militum
1,734
Subscriptor++
I'm not sure having to go find your phone, find the app to scan the QR code with, I guess you'd have had to go through some setup for fingerprints...and hope it accepts your fingerprint (I have issues with fingerprint unlock on the devices I've tried it, such as after working in the yard or on the car it won't accept until my skin heals fully for several days).

That doesn't fit what I would call "easy"
The app is the Camera. On iOS, pointing the normal camera app at the QR code shows a small yellow label/link saying "Sign in with a passkey". Dunno what Android does, but I'd wager it's similar.


https://imgur.com/a/35HQNvh
 
Upvote
9 (10 / -1)

Deleted member 853683

Guest
Honestly I am going a bit further than that.

I've been thinking about this a lot lately. This shifts the burden to be nearly entirely the client's fault if this gets fully implemented. Database/password breaches are no longer what compromise individuals, but rather a loss of physical device or pressing "allow" on their passkey manager. This is a significant shift in liability if anyone's account were to get popped in the future as they can claim that nothing on their end can prevent this.

And this huge PR push/partial astroturfing claiming it will kill passwords without actually going into said details makes me continue down this rabbit hole.

Not only that, but unless they truly enforce the bluetooth requirement (which I highly doubt because that would effectively block people from granting temporary access to family/friends that are far from them) then as a single factor, this doesn't actually provide the common-person very much security benefits, but provides corporations huge liability benefits.
I think it's simpler.

Big tech wants to kill passwords because it is a significant cost. Compromised accounts represent a major customer service issue. It stops people using their services, it makes people lose their important and often highly personal data, and it's expensive and time consuming to fix. It's why Google, Facebook, etc. are so keen on pushing 2FA and want to make it as close to mandatory as possible. Current 2FA significantly reduces these security issues - but it also comes with a host of UX problems and compromises. In the long run, passkeys eliminate a lot of those drawbacks while also providing a better UX.

Remember that we've been using passwords since basically the dawn of computing - yet we still routinely see major mistakes made in their implementation, even boneheaded stuff like companies storing them in unsecured plaintext databases. But even then, it was a couple of decades until we had really got a lot of the issues sorted out, and truly good password managers emerged. Passkeys are going to take some time to sort out the issues as well.


Also, come on, the accusations of astroturfing are just a little bit ridiculous. You do know how tech news coverage works right? Why is a tech news site covering a new technology suspect? Isn't that why you're here?

If I do have an issue with the reporting around passkeys, it's the suggestion that they are now ready for primetime. I think they're neat and possibly worth using for the types of people who are inclined to read tech news about login security... but average users, today, not so much. At the same time, they also won't get there if people don't know they exist, so there's definitely benefit in getting the word out.
 
Upvote
36 (37 / -1)
How is this easier? It's like 10 steps to first login. It's mindbogglingly complex set of decisions with no clear consequences to an average user. Only an IT or security person would think this is easy.

A password is a lot easier even if it's insecure. The mental model is way simpler.
Also if you can remember your password, it will always be available to you, no matter the location or situation.
 
Upvote
16 (20 / -4)

Longmile149

Ars Scholae Palatinae
2,587
I did not understand just how big a gap the digital divide was until I started working with the people who live on the other side of it. I work in a library helping people who are old, poor, homeless, or otherwise just on the wrong side of the divide with tech problems.

I think a lot of Ars folks would be shocked how often people who have been left behind on this stuff have to recover their accounts. I’ve had a lot of people come in and when I suggest turning on 2FA they immediately object because the last time they did that they lost access to the second account and then the thing they were trying to protect is gone forever.

A lot of people will choose being less secure if it means they can be reasonably sure they’ll still be able to access their accounts after they switch phones or whatever.

Hell, we have a small number of patrons who are very old or have TBIs that we keep a locked file for in the rare event they need to come in and access an online account.

None of this passkey stuff sounds like it’s going to make their lives any easier. It honestly sounds like it’s gonna make my job harder as it spreads.

I hope I’m wrong.
 
Upvote
77 (83 / -6)
It’s only a problem in that the comment sections are full of people repeating FUD without verifying any of the details (similar to the urban legends about biometrics).

Passkeys work on any device you’ve enrolled. Each device has a key which can be used to login and that works even if you’re in airplane mode on an isolated network.

Where Bluetooth comes in is one option when you want to use a system which does not have the passkey but you have something like a phone which does. You could login on, say, a public computer by using your phone to answer the challenge for that computer, where Bluetooth prevents an attack from occurring at more than a short distance from your phone (i.e. some guy in Belarus trying to phish you can’t do local Bluetooth and even if they could, the response timing check would fail). This is a convenience for that scenario but if that’s not something you do, you don’t need to think about it.
Where are you getting this information?

Any of these articles should link to actual documentation because otherwise it's just statements that are not verified at all. I try googling for the workflow or specs and literally all search results just append absolutely nothing other than Google's blog and associated news press bragging about how it will kill passwords without the actual tech docs.
 
Upvote
32 (36 / -4)
I imagine all the desktop Windows computers used in businesses and government would need a whole lot of Bluetooth dongles to implement this.
And what about all of the hospitals and manufacturing plants that rely entirely on thin clients via Citrix or RDP, where there is zero bluetooth support back to the host PC?
 
Upvote
23 (28 / -5)

SeanJW

Ars Legatus Legionis
11,769
Subscriptor++
Well, you just log into Find My, using your passkey, to locate/remote wipe your phone and….. oh

Actually you just get your replacement phone, restore it from iCloud backups (which doesn’t require passkey, but whatever methods you set up with Apple), and then sync iCloud Keychain … which requires your old/lost devices unlock code worst case. Apple doesn’t know that, but you do. Once that’s done, you’re back in business….
 
Upvote
-3 (10 / -13)

peragrin

Ars Tribunus Militum
2,287
Ars, what I never see addressed in these articles are mixed use and multi use devices.

I use an Android phone. I use Chrome. I have Office 365 on my phone for business and only business. How can I authenticate just business without giving up personal info? Or the other direction?

At work I use three browsers: Firefox if I look something up personally, Chrome for our ERP system, and Edge for work-related web lookups. Each one gets different logins and stores different logins.

If you sign into a single ecosystem, these systems work okay. Until they get canceled.
 
Upvote
26 (27 / -1)

Bigdoinks

Ars Scholae Palatinae
995
While Dan Goodin does a great job explaining the privacy and security benefits of the Google Passkey system, I must freely admit I do not trust Google about anything whatsoever. Especially the Google Cloud.
I have to ask myself how has or will Google monetize their passkey system?
I can only assume we will pay with our private personal data put on sale, I mean securely shared with trusted third parties for a fee or as required by law, or corporate policy to improve the world or just because they feel like it.
I would be willing to pay a reasonable ONE TIME fee for a passkey authentication system that is truly, demonstrably beyond all reasonable doubt, private and secure.
They charge websites/developers for "serverless" authentication service. It's not cheap either. After 10k verifications/mo free, it costs something like $0.01-0.05 per login.
 
Upvote
-1 (2 / -3)

storm2k

Smack-Fu Master, in training
97
Subscriptor++
Sorry, this system isn't ready for Prime Time yet. Wake me when it is and it's seamless and I don't have to rely on Chrome to do it (I deeply dislike Chrome and refuse to use it except when absolutely necessary). Hopefully Mozilla can get an implementation working without their usual issues (which are much more around disagreements from people steering things than from technical issues in this day and age).
 
Upvote
16 (20 / -4)

SeanJW

Ars Legatus Legionis
11,769
Subscriptor++
Dan Goodin: Google passkeys are a no-brainer. You’ve turned them on, right?
Ron Amadeo: Switching [to passkeys] is probably a terrible idea right now

You do have an Ars Technica Slack, right? I'm wondering if there was a discussion there about the current maturity of Google's passkey implementation...

Much as I prefer the idea “yes, go ahead!”, Google products are a tangled mess and they’re all moving forward with it at their own pace. It’s not for the faint hearted.
 
Upvote
1 (5 / -4)

DCRoss

Ars Scholae Palatinae
1,293
Still not enough... you'll also need something borrowed and something blue. You'll need an old priest and a young priest. You'll need a raven's egg, blood of a hen, eyeballs of a crocodile and testicles of a newt.
That's a good start, but unless you have at least two named authentication methods who have a conversation about something other than a man you're not going to be secure.
 
Upvote
12 (12 / 0)

Schpyder

Ars Tribunus Angusticlavius
9,942
Subscriptor++
keep in mind that the Supreme Court has upheld that you cannot be compelled to provide something you know, but that you can be compelled to provide something you have, and something you are.

Point of order: this is not actually true. SCOTUS has specifically avoided answering that question. As such, we now have a mish-mash of conflicting state and federal district decisions allowing or blocking compulsion to reveal passwords.
 
Upvote
37 (37 / 0)
Actually you just get your replacement phone, restore it from iCloud backups (which doesn’t require passkey, but whatever methods you set up with Apple), and then sync iCloud Keychain … which requires your old/lost devices unlock code worst case. Apple doesn’t know that, but you do. Once that’s done, you’re back in business….
Doesn’t that make passkeys kind of useless? I mean, now you have a non-passkey attack vector.
 
Upvote
18 (23 / -5)