To celebrate Cyber Security Awareness Month, CyberTalk.org will be publishing dedicated blogs throughout October. Each week, we will be sharing blogs that correspond to four key cyber security behaviors, as identified by The National Cyber Security Alliance. Today’s blog highlights upcoming changes within the password security space. Here’s what Big Tech is introducing into the ecosystem.
Big Tech intends to do away with the traditional password, instead making “passkeys” the hot, new password replacement standard. Passkeys have received support from Google, Apple, Microsoft and the FIDO Alliance. They’re going to be everywhere and soon. Google is currently launching passkey betas on Chrome and Android, and iOS picked up the standard in version 16.
How did we get here? Those in favor of passkeys contend that traditional passwords are insecure. Passwords were originally designed as easy-to-recall secrets that humans could quickly type into a text box. As the number of apps and accounts that required logins massively expanded, password managers sprang up, making it a cinch to save and utilize passwords.
Since then, people have been encouraged to use random password generators, or wild strings of characters in passwords. These impossible-to-remember passwords cannot be reused across portals, making password managers all the more critical. But password manager reliance isn’t always a picnic, and it looks like the password manager revolution might be coming to an end.
Passkeys trade WebAuthn cryptographic keys directly with a website. There’s no need for a person to instruct a password manager to generate, store and recall a long string of numbers and letters. Rather, that will occur automatically. Passkeys use Bluetooth instead of Wi-Fi, and rely on phones, PINs and biometric data in order to unlock accounts.
Where we are now
According to Google, passkey efforts have reached a “major milestone.” If you sign up for the Play Services beta, it’s now possible to create and use passkeys on Android devices. Chrome Canary also now supports passkeys for websites. Stable implementation for Chrome and Android will emerge later this year.
Google has also revealed several details about how this will work. Google’s solution has passkeys stored in the Google Password Manager. A pop-up on the phone will ask the user to select an account, and then to authenticate with some type of biometric, such as the fingerprint unlock that iOS systems have. Then, the phone will communicate with the client over Bluetooth, and the browser will unlock the passkey, sending it to the designated website.
A gradual transition
The downside of passkeys: while nearly every login system in the world supports text-box based logins, passkey support will need to be added to login portals, password managers, websites, etc. The transition will take a little while.
Still confused about passkeys?
Passkeys are considered easier to use than passwords, and significantly more secure. As noted earlier, a passkey is a cryptographic entity that is not visible to the user, and it is used in place of a password. A passkey consists of a key pair: a private key that stays on the user’s device and a public key that is shared with the website. Because there is no secret for the user to type, reuse or hand over, a passkey is safer than a standard password, and profoundly improves security.
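The key pair described above can be shown in a few lines of code. The following is an added example, not code from Google, Apple, Microsoft or the FIDO Alliance: it is a simplified model of a passkey sign-in rather than the real WebAuthn API, and the function names and example.com addresses are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of passkey sign-in, not the real WebAuthn API.
const nodeCrypto = require('crypto');

// Registration: the authenticator (phone) creates a key pair for one site.
// Only the public key leaves the device; the site stores it instead of a password.
function registerPasskey(rpOrigin) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    device: { rpOrigin, privateKey },       // stays on the phone
    serverRecord: { rpOrigin, publicKey },  // stored by the website
  };
}

// Server side: a fresh random challenge per login attempt prevents replay.
function newChallenge() {
  return nodeCrypto.randomBytes(32).toString('hex');
}

// Device side: sign the challenge together with the origin the browser reports.
// Real authenticators also require a biometric or PIN before signing.
function signAssertion(device, challenge, originSeenByBrowser) {
  const clientData = JSON.stringify({ challenge, origin: originSeenByBrowser });
  const signature = nodeCrypto.sign('sha256', Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Server side: accept only if challenge, origin and signature all match.
function verifyAssertion(serverRecord, expectedChallenge, assertion) {
  let data;
  try { data = JSON.parse(assertion.clientData); } catch { return false; }
  if (data.challenge !== expectedChallenge) return false;   // stale or replayed
  if (data.origin !== serverRecord.rpOrigin) return false;  // look-alike site
  return nodeCrypto.verify('sha256', Buffer.from(assertion.clientData),
    serverRecord.publicKey, assertion.signature);
}

// Constructed demo values (the example.com / example.net names are placeholders).
function demo() {
  const { device, serverRecord } = registerPasskey('https://shop.example.com');
  const challenge = newChallenge();
  const good = signAssertion(device, challenge, 'https://shop.example.com');
  const lookAlike = signAssertion(device, challenge, 'https://shop.example.net');
  return {
    genuine: verifyAssertion(serverRecord, challenge, good),
    replayed: verifyAssertion(serverRecord, newChallenge(), good),
    lookAlikeSite: verifyAssertion(serverRecord, challenge, lookAlike),
  };
}
```

Calling demo() accepts the genuine sign-in and rejects both the replayed response and the one produced on the look-alike address, which is the property a typed password cannot offer.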
In some ways, passkeys are similar to two-factor authentication. Passkeys are a universal technology, and once the technology is ready to go, it should work across platforms, portals and browsers. As noted previously, Google, Apple and Microsoft have confirmed that they will start to facilitate this type of login in the near future – no date has been set in stone just yet.