2022-10-16

Last spring, Google, Apple and Microsoft joined forces to end passwords and introduced so-called Passkeys. The objective: to log in to websites and apps without passwords, using a new way of identifying ourselves that can be more secure than passwords, which can be leaked or stolen through phishing.

After Apple started using Passkeys in its software last month, Google is now the company taking the next step: as of today, Passkeys begin to arrive on Android and Chrome for desktop.

This is a Passkey





As explained by the companies that advocate this system, Passkeys (or access keys) are more secure than passwords and other authentication factors, as they cannot be reused, are not leaked and cannot be phished (since the same one is not always repeated).

To create a Passkey to identify ourselves in an application or website, we will have to use a PIN, fingerprint, face or iris, depending on the authentication methods the device is equipped with. Google will thus be able to verify that the person who wants to access a service is really the owner of the device.

When a user wants to access a service that uses access keys, their browser or operating system will help them select and use the access key. The experience is similar to how saved passwords currently work. To ensure that only the rightful owner can use a passkey, the system will ask them to unlock the device. This can be done with a biometric sensor (such as fingerprint or facial recognition), a PIN, or a pattern.

A user can access services on any device with an access key, no matter where it is stored. For example, a passkey created on a phone can be used to access a website on a separate computer. In Chrome for Android, access keys are stored in Google Password Manager, which syncs access keys between the user’s Android devices signed in to the same Google Account.

Users are not restricted to using access keys only on the device they are stored on. Access keys stored on a phone can be used to sign in on a PC, even if the phone is not synchronized with that PC, as long as the phone is close to the PC and the user approves access on the phone. Since access keys are built to FIDO standards, all browsers can adopt them.

How Google ensures that this respects privacy





Google’s own engineers acknowledge that some users may be surprised if biometric authentication suddenly appears on a website or app and they think it’s sending sensitive information to the server. But it is important to note that “with passkeys, the user’s biometric information is never revealed on the website or in the app. Biometric materials never leave the user’s personal device.”

Access keys do not allow cross-site tracking of users or devices. The same access key is never used with more than one site. The access key protocols are carefully designed so that information shared with sites cannot be used as a tracking vector.

For example, Google Password Manager encrypts password secrets end-to-end. Only the user can access and use them and, even if there is a backup on Google servers, Google cannot use them to steal the identity of users.
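
Why an access key cannot be phished or used to link accounts across sites, shown as an added example that is not from the article or from Google. It is a simplified model of the FIDO challenge-response for Node.js; the names (`Authenticator`, `verifyAssertion`, the `.example` and `.test` sites) are hypothetical, the inputs are constructed, and real WebAuthn messages carry more fields.

```javascript
// Simplified model of a passkey sign-in; not the full WebAuthn message format.
const { generateKeyPairSync, createHash, randomBytes, sign, verify } = require('node:crypto');
const sha256 = (data) => createHash('sha256').update(data).digest();

// Authenticator (phone or laptop): one private key per site, never exported.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(rpId, privateKey);
    return publicKey; // the site only ever receives the public half
  }
  // The browser supplies `origin`; the page requesting sign-in cannot choose it.
  getAssertion(origin, challenge) {
    const rpId = new URL(origin).hostname;
    const privateKey = this.keys.get(rpId);
    if (!privateKey) return null; // no passkey for this site, so nothing is signed
    const clientData = Buffer.from(JSON.stringify({ challenge, origin }));
    const signed = Buffer.concat([sha256(rpId), sha256(clientData)]);
    return { clientData, signature: sign('sha256', signed, privateKey) };
  }
}

// Site (relying party): checks challenge, origin and signature.
function verifyAssertion(site, assertion, expectedChallenge) {
  if (!assertion) return false;
  const { challenge, origin } = JSON.parse(assertion.clientData.toString());
  if (challenge !== expectedChallenge || origin !== site.origin) return false;
  const signed = Buffer.concat([sha256(site.rpId), sha256(assertion.clientData)]);
  return verify('sha256', signed, site.publicKey, assertion.signature);
}

function demo() {
  const device = new Authenticator();
  const shop = { rpId: 'shop.example', origin: 'https://shop.example' }; // constructed sites
  const bank = { rpId: 'bank.example', origin: 'https://bank.example' };
  shop.publicKey = device.register(shop.rpId);
  bank.publicKey = device.register(bank.rpId);
  const challenge = randomBytes(16).toString('hex');
  const genuine = device.getAssertion(shop.origin, challenge);
  const der = (k) => k.export({ type: 'spki', format: 'der' });
  return {
    genuineAccepted: verifyAssertion(shop, genuine, challenge),
    lookalikeSigned: device.getAssertion('https://shop.example.login.test', challenge) !== null,
    oldChallengeAccepted: verifyAssertion(shop, genuine, randomBytes(16).toString('hex')),
    otherSiteAccepted: verifyAssertion(bank, genuine, challenge),
    sameKeyOnBothSites: der(shop.publicKey).equals(der(bank.publicKey)),
  };
}
console.log(demo());
```

Only `genuineAccepted` is true: the lookalike origin gets no signature at all, a signature over an earlier challenge is rejected, and the two sites hold unrelated public keys.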