Adios Passwords! Hello Passkeys!!

The future is finally here! Having kept internet users salivating for a lasting solution around storing passwords on every device and beyond, Google has finally announced that its Passkeys would become the default sign-in option for users accessing its services. So, no more does one need to remember the various permutations and combinations of one’s password. 

That passkeys are phishing-resistant make them more attractive as they allow users to sign in using biometrics or PINs to unlock their devices as also with a physical security key, the kind of which are now getting shipped by companies such as Yubico. Of course, the latter is still in its nascent stages beyond the US, so for India we may have to rely on biometrics only. 

Of course, Google isn’t really the first one to initiate the move towards passkeys. Several banks in India offer a similar service whereby the customer app uses your smartphone’s authentication protocols to let you in. And there are others that allow you to set up your own biometrics as a second later to the one already on your handset. 

A longstanding security requirement

There has been a longstanding demand for a shift away from the traditional username-password combination, given its propensity to attract phishing and credential attacks, keylogger malware etc. Even multi-factor authentication and password management tools aren’t without flaws as has been reported by security analysts in the past. 

Since passkeys are made up of two factors, it is considered that much safer. The part that is left on the app or on a website’s service needs to relate to the one stored on a device before authentication happens. Since this handshake proves the legitimacy of ownership of an account, hackers would find it virtually impossible to gain access, since there is a physical device at one end of this equation. 

Of course, if one ends up losing the device, there is the possibility of it falling into the wrong hands and the authentication actually happening. However, the chances of such a scenario playing out is far and few, which means that the passkeys can actually be a tough nut to crack for even the most ingenious of hackers. 

Google had always batted for passkeys

From Google’s point of view, the passkeys have been their preferred technology since last year when they announced support for it across both Chrome and Android. Some months ago, they had informed us that the shift towards a password-less ecosystem across the globe was in the works and should soon happen. 

So, when the company made the announcement yesterday (October 10, 2023), it was just the culmination of a journey that began some years ago and encompassed all account holders on the Google ecosystem. Product managers Christiaan Brand and Sriram Karra said the next time one logs into a Google Account, prompts to create and use passkeys will pop up. 

“Our goal is the same as it has always been, giving you technology that is secure by default, so that you have the strongest security but without the burden,” they said. The company also took pains to note that 64% of its users who were surveyed felt passkeys were easier to handle as compared to traditional methods of usernames and passwords. 

The company said it would encourage users to start off with passkeys as the primary sign-in option though it may look like a bit of a chore initially. However, there’s little doubt that little effort now could guard against a potential security disaster and also save users the time and effort to store passwords across their devices or on pieces of paper stored in their wallets.