Skip to content
PASSKEYS

Google passkeys are a no-brainer. You’ve turned them on, right?

The passkey ecosystem is far from complete, but Google’s implementation is now ready to use.

Dan Goodin | 1.1k
Credit: Aurich Lawson | Getty Images
Credit: Aurich Lawson | Getty Images
Story text

By now, you’ve likely heard that passwordless Google accounts have finally arrived. This alternative for passwords is known as “passkeys.”

There are many misconceptions about passkeys, both in terms of their usability and the security and privacy benefits they offer compared with current authentication methods. That’s not surprising, given that passwords have been in use for the past 60 years, and passkeys are so new. The long and short of it is that with a few minutes of training, passkeys are easier to use than passwords, and in a matter of months—once a dozen or so industry partners finish rolling out the remaining pieces—using passkeys will be easier still. Passkeys are also vastly more secure and privacy-preserving than passwords, for reasons I’ll explain later.

What is a passkey anyway?

This article provides a primer to get people started with Google’s implementation of passkeys and explains the technical underpinnings that make them a much easier and more effective way to protect against account takeovers. A handful of smaller sites—specifically, PayPal, Instacart, Best Buy, Kayak, Robinhood, Shop Pay, and Cardpointers—have rolled out various options for logging in with passkeys, but those choices are more proofs of concept than working solutions. Google is the first major online service to make passkeys available, and its offering is refined and comprehensive enough that I’m recommending people turn them on today.

First, it helps to know exactly what a passkey is and how it works. Apple provides a helpful description here of the technical underpinnings of passkeys:

Passkeys are built on the WebAuthentication (or “WebAuthn”) standard, which uses public key cryptography. During account registration, the operating system creates a unique cryptographic key pair to associate with an account for the app or website. These keys are generated by the device, securely and uniquely, for every account.

One of these keys is public, and is stored on the server. This public key is not a secret. The other key is private, and is what is needed to actually sign in. The server never learns what the private key is. On Apple devices with Touch ID or Face ID available, they can be used to authorize use of the passkey, which then authenticates the user to the app or website. No shared secret is transmitted, and the server does not need to protect the public key. This makes passkeys very strong, easy to use credentials that are highly phishing-resistant. And platform vendors have worked together within the FIDO Alliance to make sure that passkey implementations are compatible cross-platform and can work on as many devices as possible.

The FIDO specs require that whatever syncing mechanism a user elects (be it from Apple, Microsoft, Google, or a third party) it provide end-to-end encryption the way iCloud Keychain and password syncing with browsers currently do (on Chrome, the E2EE password syncing must be turned on). This means that the private key is unknown to the cloud provider. The private key resides on the device and can only be accessed by unlocking the device using either a unlock PIN, a fingerprint or face scan. The private key never leaves the trusted user devices, except as an E2EE blob synced through one of the big three or, soon, a third party such as 1Password.

Google account passkeys support enough platforms that there’s no single way to use them. The way a person who primarily uses Android and Linux logs in will look different and use a different flow than a person who uses all Apple platforms or a person who uses iOS or Android with Windows. There’s no way to list step-by-step instructions for all platforms in one article. This primer instead uses a mix of devices and OSes—specifically a Pixel 7, an iPhone 13, a ninth-generation iPad, a ThinkPad running Windows 10, and a MacBook Air—with the goal of at least touching on the basic workings of all of them.

WTF is this passkey doing on my Pixel?

By the time I woke up on Wednesday—the day Google rolled out passwordless Google accounts—my Pixel 7 already had a passkey automatically created. I didn’t notice until I accessed g.co/passkeys, which is a shortcut to myaccount.google.com/signinoptions/passkeys, the page Google has installed for managing account passkeys. To my surprise, the key was already there. Since my account was enrolled in Google’s Advanced Protection Program (APP), this new key appeared immediately above two-factor authentication (2FA) keys that APP requires for bootstrapping new browsers that log in.

The passkey section of myaccount.google.com showing a passkey had automatically been added to a Pixel 7.

As the image indicates, I was using Chrome on the MacBook Air to access the page even though my preferred browser these days is Firefox. The reason: Firefox does not yet support passkeys on macOS, although that will change, likely sooner than later. I ultimately decided to continue using Safari for the rest of the process because passkeys created using that browser on macOS and iOS are automatically synced through the iCloud Keychain. For the time being, passkeys created with Chrome and Edge on Apple platforms are not.

Accessing the same g.co/passkeys page in Safari, I scrolled to the bottom and clicked “Create a Passkey” and received a dialog box providing a short explanation of passkeys. From there, I clicked the “Continue” button. The next screen that appeared explained I was saving a passkey that would be stored in iCloud. Once I clicked “done,” the passkey section of myaccounts.google.com updated to indicate that a new passkey had been created.

The myaccount.google.com page. From here, click “Create a passkey.”
The myaccount.google.com page. From here, click “Create a passkey.”
Click “Continue” on the next screen.
Click “Continue” on the next screen.
Click “Continue” again.
Click “Continue” again.
Voila. A passkey managed by the iCloud Keychain has been born.
Voila. A passkey managed by the iCloud Keychain has been born.

Don’t fear the QR code

To access the myaccounts.google.com page on the MacBook Air, I authenticated with a password, just as I always do. The passkey that Google automatically created on my Pixel 7, however, gave me an alternative way to authenticate. Instead of entering a password into the login page on the Mac, I could click “Try another way” immediately below and to the left of the password field. From there, I was given the option to use a passkey. I then chose “iPhone, iPad, or Android device,” received a QR code on the next screen, and used my Pixel 7 to scan it. I chose “Passkey,” which was presented immediately below the scan, followed the prompt, and finally provided a fingerprint.

The Google login page loaded into Safari on the MacBook Air. Click on “Try another way.”
The Google login page loaded into Safari on the MacBook Air. Click on “Try another way.”
On the next screen, click “Use your passkey.”
On the next screen, click “Use your passkey.”
Then choose “iPhone, iPad, or Android device” and click “Continue.”
Then choose “iPhone, iPad, or Android device” and click “Continue.”
A QR code will appear on the next screen. Scan it with the Android device that automatically received the account passkey.
The QR code as viewed through the Pixel camera. Press “Use passkey.”
Android will then show a dialog screen. Press “Allow.” On the next screen (which, for security reasons, Android will not allow to be screenshotted), provide a fingerprint scan.

This process is known as cross-device authentication. The QR code is displayed by the device a user wants to log in to and is scanned using a device that already has a passkey. The end result—logging Safari in to my Google account—is precisely the same whether I authenticate with a password or through cross-device authentication using the passkey on my Pixel device.

A quick detour: Careful readers may notice that the images above show the QR code with no redaction or obfuscation. In many cases, it’s highly unsecure to publicly display a QR code used for authentication because anyone else can scan it and access the cryptographic secret that allows the untrusted device to log in. For a couple of reasons, that’s not the case with QR codes associated with passkeys. For one thing, the trusted device scanning the QR code (in my case, the Pixel 7) must be physically close enough to the untrusted device to connect over Bluetooth. That’s a requirement readers would be unable to satisfy. And for another, once the untrusted device (in my case, the MacBook Pro running Safari) connects, the QR code is invalidated.

With a passkey now stored and synced by iCloud, using them on my iPhone and iPad—or any other Apple device connected to the same iCloud account—was a snap. It means I can now use the iPhone or iPad for the same kind of cross-device authentication provided by my iPhone. When both Chrome and Edge loaded on the login page on either the iPad or iPhone, it allowed me to skip the password (i.e., try another way) and instead use the passkey managed by iCloud.

I then fired up Chrome on my ThinkPad and visited the login page for my Google account. This time, I used the newly created passkey available on my iPhone to authenticate. The process was almost identical to the one earlier for using the passkey on my Pixel to authenticate to Safari on my Mac.

Enter your username into the login page.
Enter your username into the login page.
Click “Continue” on the next screen.
Click “Continue” on the next screen.
Select “Use a different phone or tablet.”
Select “Use a different phone or tablet.”
Chrome on the ThinkPad presents a QR code. Scan it with the iPhone and authenticate using Face ID.
Chrome on the ThinkPad presents a QR code. Scan it with the iPhone and authenticate using Face ID.

There are some major parts missing in the passkeys ensemble. For now, Chrome on macOS needs its own local passkey. Firefox support isn’t yet available on macOS, and I couldn’t get that browser to work on Windows 10, either. Things are even more limited for Android. Currently, passkeys synced by Google don’t work with browsers, but again, that will change soon enough. For now, passkeys can be used as an alternative to flows that would traditionally require the user to enter a password on an Android device (for example, when accessing pages, such as rescuephone, that would normally require a password).

ChromeOS has no support for passkeys at all. This is largely due to the way ChromeOS encrypts data at rest residing on the Chromebook itself, specifically the decryption key being tied to the password. Passkeys are backward compatible, so even if someone logs in to Gmail using passkeys on other platforms, they can use their traditional Gmail password when using their ChromeOS device. Most glaring of all, Linux doesn’t work at all with passkeys.

This lack of seamless integration among OSes and browsers is the result of various players being further ahead or lagging behind their peers. Passkeys are a work in progress with many moving parts. Within a year—and, more likely, much sooner—all the pieces should become available and be assembled in a comprehensive way.

One other common complaint about passkeys is that the required Bluetooth connection when doing cross-device authentication is unreliable and can torpedo the login process. This shortcoming came up in a 2019 article I wrote about Google’s embrace of phone-bound security keys for iPhones and iPads. I didn’t know it then, but the thing that was tripping up the flow was that my iOS device and Mac weren’t connecting properly over Bluetooth. Since then, the standards that make passkeys possible have evolved. Now, they have embraced a “hybrid” approach that uses a combination of Bluetooth and data sent via the cloud. The result has been a reduction in what is sent through Bluetooth to the bare minimum. (As noted elsewhere in this post, people who don’t want to use Bluetooth can authenticate with their normal password and then save a passkey.)

Not just easier… more secure

With a basic primer on using passkeys out of the way, let’s turn our attention to the security of passkeys. Passkeys provide a level of protection not possible with passwords. For one thing, they can’t be phished the way passwords can. Passkeys are underpinned with cryptographic keypairs that reside on each device. There’s no way a user can be tricked into revealing the secret key used for authentication. There’s also no known way to extract these keys from the device, and even if there were, an attacker would need physical access to the device for an extended period. As noted earlier, the QR codes used for cross-device authentication can be used only once, and they expire within a short time when not used. The two devices doing this authentication dance must be nearby. An attacker half a world away, or even in the next town, can’t make any use of them.

Passkeys also automatically include 2FA into the flow and can be modified to provide a third factor for those who want it. Compare that with the flow of traditional 2FA, which most often requires the user to have a password and a physical device. Not only is this inconvenient, but one-time passwords provided by many of the physical devices are phishable.

Some passkey skeptics have expressed concerns about entrusting Apple, Google, or Microsoft infrastructure with the secret key. Some of these critics have gone so far as to say that passkeys are a power play designed to give these companies control of authentication secrets not previously possible.

These claims simply aren’t true. The keys are end-to-end encrypted using the same mechanisms (like iCloud Keychain) that millions of people have used for years. It’s impossible for these companies to decrypt the keys stored on their servers, and even if they could, they’d be unable to use them without close physical proximity to the user device providing the second factor of authentication.

For people who still don’t want one or more Big Tech companies touching their passkeys, they will soon be able to rely on companies like 1Password and Dashlane to do it for them. A 1Password representative said in an email that the company expects to roll out that capability in early June. By September, it will be possible to use a passkey to log in to 1Password (demonstration videos for each are here and here.)

Some people complain about the requirement to provide a fingerprint or facial scan because they don’t want their biometrics shared with third parties. In fact, the biometrics never leave the device. Anyone who currently trusts unlocking their device with a fingerprint or face scan has no reason to feel uncomfortable doing the same thing with a passkey. Additionally, those who don’t trust the use of biometrics can simply authenticate by entering their device unlock password (which just like the biometrics, never leaves the device).

Other critics have also complained that the flow of passkey synchronization represents a step back from the way passwords are synched by browsers. Chrome will sync passwords to any major platform that has Chrome installed. Passkeys, by contrast, are currently synced through the OS. As a result, the passkey created for Chrome on macOS is device-bound, meaning it can’t sync to Chrome on other platforms. This design was a conscious decision by the passkey architects, who concluded that OSes provide a more secure means of moving passkeys from device to device.

I don’t think this is much of a regression of the current state of things. The cross-device authentication process involving QR codes is a one-time requirement. Once completed, the user saves a passkey to the browser or platform being onboarded. This doesn’t seem like any more of a hassle than setting up password syncing on a newly installed browser. And in any event, the limitations here are temporary. The ultimate goal of passkeys is seamless integration across all platforms, browsers, and password managers.

As noted throughout this primer/explainer, passkeys are still in a nascent stage that currently prevents them from living up to their promise. Google’s implementation, however, is far enough along that I feel comfortable recommending people use it. Now that I’ve overcome the initial learning curve, I find them easier to use.

Out of curiosity, I removed my Google account from my iPhone and re-added it. Rather than requiring me to enter my password and provide a physical key (the latter step is necessary because I’m enrolled in the Advanced Protection Program) I had the option to use the passkey that was already synced through iCloud (specifically iCloud Keychain). Four single clicks and a Face ID scan later, I had my Gmail account completely restored.

Choose Google.
Choose Google.
Enter the username.
Enter the username.
Click “Continue.”
Click “Continue.”
A sign-in page will appear asking if you want to sign in using a saved passkey. (This dialog box is mostly obscured and appears at the very botton of this screenshot.) Click “Continue.”
The account has now been added to iOS settings.

So go ahead and give Google’s passwordless account logins a try. They’re safer and, I’d argue, much easier to use. And despite the incompleteness of the passkey ecosystem, the integration into the Google authentication process is robust. You can always click the “Try another way” option on the login screen to fall back to traditional password authentication. You can also completely disable passkeys with no penalty. The full passkey vision may not be here yet, but passwordless Google logins are certainly ready for prime time.

Listing image: Aurich Lawson | Getty Images

Photo of Dan Goodin
Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.
1.1k Comments
Staff Picks
p
pocal
One question I have is: what resilience does this solution offer to SIM-swap attacks?

If one were to have their mobile device hijacked in this way, it seems that the "keys to the kingdom" would be had with no additional barriers for the attacker to overcome, such as the need for a password to access any/all accounts.
The passkey system doesn't use SMS. A SIM-swap attack is pointless. In the case of a phone, the adversary needs access to the physical device, plus its biometric authentication.
p
pocal
Passwords are better than passkeys.
They can be changed, are not based on some item that can be lost or stolen, and are not based on some type of biometry.
The passkey does not depend on biometry. Biometrics are used only to authenticate the user on the local device and never leave it.
W
Wbd
No and absolutely fucking not.

Every single system that seems to be able to store passkeys seems to require you to trust the big three (Apple, Google, Microsoft) not to delete your account without warning. In my case, if Apple deletes my iCloud account and the keychain, I lose access to everything that's secured with a passkey. Compare that to what happens right now, if I destroy my main Yubikey: I go to my bank, show them two forms of ID, use my physical key to retrieve the backup Yubikey from the safe box, and move on with life.

Until and unless there are serious and lasting consequences for companies that provide infrastructure services that act unilaterally, there is no way I will use this. KeyPass/BitWarden can generate arbitrarily strong passwords, you can buy as many Webauthn keys as you want from a variety of vendors. With passkeys, you're one (automated, non-negotiable) deletion away from being locked out permanently from your entire online life.

If you want to give that power to a company, be my guest. I'll wait until it's treated like water or power companies cutting off service for no apparent reason: large and hurting fines.
The context of the article is logging into a Google credential with a passkey. The ‘big 3’ and also several others offer key escrow and recovery, but sites use passkeys directly- if you use a passkey with Best Buy, they will not be checking with Google for example (Unless you use ‘social logons’ of course). In that context, google wiping your account just means if your phone dies things could get dicey. They are basically a yubikey with a recovery option - so slightly less secure because the private key exists in escrow which solves 50% of the problem with yubikeys (the price tag and app support being the remaining pain).
a
alexr
I'm not sure I understand how a workflow that requires
grabbing your phone,
tapping into an app,
taking a picture of your screen, and
tapping what to do with that info...

...is an "easier" operation than entering a password from memory, or auto-completing with a password manager, or copy pasting with a password manager.

There might be other benefits, but by no means is that easier.
If you’re copy-pasting passwords (or typing them from memory, which has other problems at scale), you’re vulnerable to phishing. So passkeys would be a big security improvement for you.
k
karinto
You can do passkeys with FIDO2 hardware security keys like YubiKey. No reason to hate passkeys.

For my Google account, I've re-registered my YubiKeys I was using as 2FA to be passkeys. With 2FA, the authentication was Google password + FIDO U2F hardware key. With passkeys, it's FIDO2 hardware key + key's FIDO2 PIN.
adamsc
adamsc
Passwords are better than passkeys.
They can be changed, are not based on some item that can be lost or stolen, and are not based on some type of biometry.

I would strongly recommend learning how passkeys work. Each of your assertions is incorrect.
adamsc
adamsc
If you write an article to tell us that passkeys are great, and a bunch of people comment that they sound terrible, then something's wrong with the way you tried to convince us.

Or, as we’ve seen in both recent thread, a group of people who read something scary about WebAuthn and didn’t verify the technical details but didn’t let that stop them from repeating the same falsehoods in every story. When you have a W3C standard implemented by most of the industry and recommended by almost all actual security experts, it’s probably not the case that someone randomly confabulating in a message board has uncovered a fatal drawback everyone else missed.
adamsc
adamsc
That's exactly what I said.

I have completely unique and random passwords everywhere because I use a password manager.

No, it’s not. You’re still easily phishable (yeah, I know you think otherwise. Lots of people make that mistake.) and that’s the most popular way to compromise people.

The fatal drawback isn't technical, rather it's about ease of use.

Passkeys are much, much easier to use so I don’t think this qualifies as fatal.
I
Isaacc7
Sigh. Here we go again. The passkeys topic brings out the worst in the comments here and HN. Lots of paranoia and general spreading of FUD.

None of the “big three” tech companies will be getekeepers to your passkeys. Passkeys are held on a device. If you don’t want to sync your passkey via some sort of service then put the same passkey on multiple devices. You only have one device And now it’s gone? That is the same problem as password managers without sync. In the end you will have to reauthenticate with different services just like you would in any similar case of being locked out. Most people will sync their passkeys like they do their passwords. And no, if Google shuts down your account they can’t disable the passkeys you already have on your devices. You’ll lose their sync service but you could then start using another one instead.

Passkeys can’t be phished, can’t be forgotten, can’t be gotten through data leaks, and are inherently unique and secure. Those are really big improvements. They are also easier to use because once they are on your device authentication is simple.
The original post and it’s high upvote count despite containing misinformation is a real problem. Non enthusiasts seeking information about this industry standard could easily get the wrong idea.

You kinda understand why a majority of Ars readership no longer reads the comments.
m
meisanerd
So, after playing with Google's implementation of passkeys for a couple days, it seems to have improved slightly vs when I first set it up on release day.

I'm using a Yubikey for this, not Android or iOS. This means that I am not beholden to Google/Apple to be able to manage my key, nor do I have to worry about my account getting compromised and thus leaking the passkey.

As a point of comparison to the Google Account login, I have also been using this Yubikey to access my Microsoft account for a while now.

Microsoft works across all of the major browsers on desktop (except Safari on MacOS last time I checked). Google seems to need Chrome.

Microsoft has an option below the username field to sign in a different way, then you select Windows Hello or Security Key, put the key into a USB port, enter the PIN, and press the button on top. It will then ask you which account (if you have multiple accounts saved), and you are logged straight in. You don't even need to remember your username/email address.

Google requires you to enter your username/email, then it asks for the key to be inserted. You then need to enter the PIN, and it logs you in.

From a usability perspective, Microsoft is better in that you don't need to remember your email. For the Ars crowd, this is probably a negative. But if you are supporting 70 year old grandparents, the less things they need to remember, the better. I haven't confirmed, but a downside to the MS system is that the Yubikey only supports a specific number of stored credentials, whereas from what I could see in my research, the Google method basically has the Yubikey generate a private key specifically to that site based on an internal private key, your PIN, and some information provided by the site and the browser, every time it needs to run the authentication. Both of them seem to use an internal private key specific to the Yubikey, your PIN, some information about the domain provided by the browser, and specific information provided from the site you are visiting to perform the handshake, which prevents MITM attacks from being successful as they can't spoof all of that data.

I'm not sure what is missing in Firefox for the Google implementation vs the Microsoft one, why it doesn't support the new passkey system. Or is it just Google not requesting the passkey because Firefox hasn't implemented the Bluetooth portion, which has the side-effect of not supporting Yubikeys/hardware tokens because Firefox isn't being asked for it by the Google login site.

--

If you lose the passkey and do not have a backup passkey, the security fallback is to log in the way you were logging in before the passkey. So usually password + OTP. While this means the site does support a less secure authentication system, one advantage is that you aren't using the password on a regular basis, so it is less likely to be leaked or intercepted by a phishing/MITM attack.

--

From a security perspective, you can view passkeys as a password wallet with limited site support. If using a Yubikey, the wallet is a hardware device in your pocket, protected by a PIN. If using the Android/iOS passkey, the wallet is synced in a cloud system and protected by your account password + biometrics. If you lose the device, it is similar to losing the password file.

Once they get all of the kinks figured out, this has the potential to change a lot of things in the security landscape, as non-security-conscious individuals will no longer be resisting secure password requirements or having to figure out how to properly use a password wallet, and how to access/sync it across multiple devices. By basically becoming a password wallet, the passkeys generate really secure, really random passwords for every site they are used on, and are built with phishing-resistance in mind.
adamsc
adamsc
How is this multistep process easier than filling in a password?

Well, think about what filling in a password actually means. If you don’t use a password manager, you have to remember and type in a password – and since each site has different rules about things like rotation, you have to periodically memorize new ones. If you use a password manager, you don’t have to remember the password but you do have to deal with various auto fill bugs and when changing passwords you have to adjust the more secure password generated by your manager to whatever weakening rules most sites enforce, and make sure that you save the updated password everywhere and don’t end up with multiple copies or problems around failed update workflows. For example, I use 1Password and not infrequently hit something like where I save a new password but the site had different validation rules than their form claimed so I have to edit it but 1P doesn’t pick up the change & save it unless I manually edit its database. You can also get similar problems with big companies migrating around so the password I have saved for www.bigcorp.com is wrong and I have to pick www2 until I manually merge that entry or delete the old one.

In contrast, here’s what a passkey is like to register or use:

1. Hit enter or tap to confirm I want to use my passkey on that site
How can this get downvoted? It’s 100% true.

It’s who, not what on the front page. No love for Google on the front page, such that their support has turned the crowd against an industry standard.

It’s silly.

Again, readers, don’t pay these commenters any attention.
Schpyder
Schpyder
With passkeys:
Attacker not only can get access that has default access on the phone (that doesn't require re-auth).
But also, can get access to any passkey enabled account and auto-add it as a trusted device via bluetooth to said phone.

Using a passkey on - or adding a passkey to a new device via - a verified device requires a re-auth. Whether it's via biometrics or device unlock code or Yubikey PIN. It's not just "if passkey, account permanently unlocked."

With password manager:
Attacker has access to device and apps that do not natively sign-out of said device.
Attacker cannot access password manager because said manager has a secondary authentication password.

In the (common) case where the password manager is unlocked via biometrics, there is no secondary authentication, beyond what a passkey would also require.

Nothing here reads as qualitatively different to me except in (significantly inconvenient) edge cases.

Still not thrilled about the requirement of an additional device as I clear cookies on all of my devices every few days and having to use another device every few days is inconvenient. But I can live with that.

OK, to be clear. You only need an additional device to basically provision a new device with its own passkey. Once that has been done, you will not need the secondary device again, but will instead use whatever cryptographic unlock the new device offers.
Schpyder
Schpyder
Using a password should not be the answer to something meant to replace passwords.

This is kind of ridiculous. How else would you authenticate to an existing service in order to update your authentication mechanism? Aside from the already-discussed QR-and-bluetooth method. And while the attack surface on the server side isn't necessarily reduced by enabling rather than requiring passkey login, it significantly reduces the attack surface client-side, as you're strictly engaging in a key exchange, enabled by OS-level authentication. And that's a win for everyone.

If you're to the point that you can't trust any of your OS's security features, you might as well just throw your computing devices away and go live on a tropical island or something. At some point some level of trust has to be given to some bit of software.
f
fvgfvghvgv
I do a factory reset on my phone and tablet roughly every 90 days.
I reformat the os drive of my computer, and install a new distro roughly every six months.

If I understand the way passkeys authenticates things, I'll lose all of my accounts within six months.

No thanks.
You won’t lose any accounts and you definitely have not understood the way passkeys authenticate.
S
SeanJW
There is a lot of confusion here, I think because an entire tech stack has been dumped on us and presented as a fait accompli. Let me, as an ignoramus, try to deconstruct it by analogy with what I do understand: SSH key pairs. I invite others to pick holes in what I get wrong.

1. Public/private authentication keys. This works roughly the same as SSH. The website only knows your public key, and you sign messages to prove you hold the private key.

2. Anti phishing protection. Keys are specific to a site, so a phishing site gets a different key. SSH has host keys for this, I assume keypass uses something to do with TLS host keys? Your browser uses that to select which key to use? Or just by DNS name?

3. Means of unlocking the keys to prove the right user is using them. SSH has passphrases, I assume this is where the biometric / Bluetooth thing comes in? SSH can also unlock keys with smartcards, and so I assume the biometric is a bit like another unlock mode?

4. Syncing keys between devices. This is presumably where cloud ‘ecosystems’ come in, like iCloud and Chrome password sync? For SSH there’s no support, but you can cook up your own with rsync or whatever?

What did I get wrong?

If the above is broadly right, I could imagine building an open stack that basically does the same as SSH does using a pile of files in ~/.ssh and rsync to move between devices. That is the ‘bicycle’ approach where all the moving parts are exposed and easy to understand what’s going on.

It's not just dumped on people - this is an update to FIDO2, itself the second version of the standard. U2F was FIDO1; this is CTAP 2.2 ([edit: Corrected from my WAG of 2.4 that was wrong, thanks Still Incorrect!]), part of FIDO2/WebAuthn. This is really nothing complicated as that goes.... they've loosened up the Authenticator requirements so that the private key can be (must be...) copied securely, and added some Javascript features to make life easier. Passwordless logins? Always been possible with FIDO2. That's the neat part of it - FIDO1 could only be MFA. Adding a private key to your browser stored in the TPM or secure element? Always been possible, and was previously implemented in Chrome, Firefox and Safari. What's new is that it can be synced, and accessed via the BT/QR rigmarole. Previously, it was referred to (and flagged to web sites) as "platform specific keys", as opposed to the portable ones which were hardware devices. Now it's PassKeys.
adamsc
adamsc
Since the entire point of the passkey system seems to be to get rid of passwords, let me list some of the benefits of passwords:
  • they are simple enough to understand for anyone mentally capable of operating an electronic device
  • they are easy to remember if you make any effort at all and regularly use them
  • they work on all operating systems out of the box
  • they don't require Internet access (some systems are offline for a good reason)
  • they don't require the cooperation of any third party
  • they don't require the presence of a smartphone or other gadget
  • they don't require Bluetooth, WiFi, cameras or batteries
  • they can - in an emergency - be stored without the need of electricity
  • they can be easily transmitted to another person without the use of any device
  • if you are not handicapped and not using a smartphone, authenticating with a password takes only a few seconds

Your points #1, #2, and #10 are just wrong – ask anyone who works in tech support how often they have to do password resets because someone forgot their password, left their caps lock key on (or mispositioned their hand on the keyboard), or fudge-fingered it enough times to get locked out. Yeah, yeah, I know you personally always hammer it out perfectly but trust me, anyone who gets helpdesk calls has a … less optimistic … view of humanity. I'll also add that I support a lot of blind users and password entry massively sucks for them because many sites have complexity requirements which are hard for screen reader users and if you aren't a proficient touch-typist saying it out loud isn't great. That's a niche but it's one that many people building authentication systems are legally required to support well, too, and it's one of the reasons why I'm interested in the technology since “Do you want to login with your passkey?” “Yes” is at least one order of magnitude faster and easier than any form of password + MFA for many those users.

Point #3 is true of WebAuthn MFA but always passkeys – something like a Yubikey works anywhere you have USB/NFC but you might need to set a PIN or use their biometric series keys for passkey implementers like Google.com which require more than a simple tap.

Points #5, #6, #7, and #8 are also true of all forms of WebAuthn – both MFA and passkeys. Point #4 is true except for the first time you enroll a device when synchronizing an existing key. After the first time you've synchronized your keys, you don't need a network connection. If you don't want to sync, you can also buy a couple Yubikey biometric keys which again work fully offline anywhere you have USB or NFC.

That leaves #9, which is bad practice and should be avoided if at all possible. Modern systems have things like role-based authentication, where people never share passwords but multiple people are allowed to assume a given role, or things like legacy or delegated accounts where you again never share passwords but give one or, even better, multiple people required in combination the ability to do something like reset your password or gain control of your files.

Just because something is new and you haven't learned how it works doesn't mean it's bad or to be avoided. Passkeys are a big change for most of us – .gov excepted since PIV/CAC goes back to the previous century there even if few other places adopted it – but they have a number of usability improvements in addition to the security benefits, and there's a clear path for building out some of the missing parts (e.g. I really want the ability to sync an Apple / Google passkey to a Yubikey so I could drop it in my safe just in case).
S
Secondfloor
It obviously must be available not only during syncing, but also during authentication, since it's used for it. And it also has to be available during initial registration.

And that's what I'm trying to explain to you: It would be easy to authenticate with an existing device, and use that device to add an other public key, which is generated on an other, new, device, and sent to the old device by some means. For example, I could create a new secret key / public key keypair on my desktop machine, send the public key to my laptop, log in with my laptop, and add the desktop public key. I do similar things with SSH all the time.

There's no technical hurdle here. If that's not possible with passkeys, then that's by choice.

The private key is not accessible. Why not look it up instead of repeating a falsehood over and over.
n
nbs2
As someone capable enough to understand most articles on Ars but without a true technical background, I think the biggest obstacle to general adoption is going to be getting people to understand what is going on. I read the article, twice. I read through the top comments and some of the others.

And now I’m more confused than I was before I started - I’ve forwarded the article to my CS major/better half to explain things but that may not be enough.

Passwords are easily digested. 2FA is easy to explain. Passkeys kind of make sense, but just when I think I might get it, I read the next paragraph and get more lost.

Heaven help my siblings and parents.
Thank you for saying that. The responses from Dan and others (for example, @Wbd's promoted comment quoting mine) is based on a fundamental misreading of the comment.

I don't want to trust my OS provider (Apple in my case for both mobile and desktop devices) with passkeys and the response is repeatedly "But yOu alREaDy trUST GOoGLe WITH YOur PaSswoRD." Yes, fine, I enter a long random password from BitWarden/KeePass, and plug in my Yubikey and press the button. At no point is it reliant on my OS provider.

And sure, right now there's the option to not use passkeys and to use a password as before, but the entire tech hype train is on its way to "NO MORE PASSWORDS PASSKEYS FOR EVERYONE" station and if I say, "but hold on, if I get locked out of every other account because my OS provider decides it doesn't like me, what happens" I get called a troll and misinformed. There's also so many edge cases I can think of where this doesn't work and instead of saying, "yeah, those are valid concerns in the passkey-only future that we want," there's this sustained criticism of any questioning.
You do realize both 1Password and Bitwarden are working on passkey support, right?

1Password has gone as far as to say that passkeys are "the future of authentication": https://www.future.1password.com/passkeys/
Prev story
Next story