Death to Passwords: Beta Passkey Support Coming to Chrome and Android [Updated]

Please don't do that. (Image: Getty Images)

Big Tech wants to kill the password, with "passkeys" being the new hot password-replacement standard on the block. Passkeys are backed by Google, Apple, Microsoft, and the FIDO Alliance, so expect to see them everywhere soon. iOS picked up the standard in version 16, and now Google is releasing passkey betas on Chrome and Android.

The argument for passkeys is that passwords are old and insecure. Computer passwords were originally designed as an easy-to-remember secret for humans to type into a text box. As the need for greater security arose, password managers arrived, making it easier to save and recall your passwords. Now, instead of a human-memorable phrase, the ideal way to use a password is to have a computer generate a string of random characters and never reuse that password anywhere else. The password manager revolution is a hack, however, built on top of that original text box. We don't really need the text box anymore, and that's where passkeys come in.

Passkeys simply exchange WebAuthn cryptographic keys directly with the website. There's no need for a human to tell a password manager to generate, store, and recall a secret; it all happens automatically, with far better secrets than the old text box supported, and with enhanced uniqueness. The downside is that while every browser in the world supports displaying that old text box, passkey support will need to be added to every web browser, every password manager, and every website. It's going to be a long trip.
The passkey process works a bit like autofill. (Image: Ron Amadeo)
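
The WebAuthn key exchange described above can be sketched as a simplified Node.js model. This is an added example, not code from the article or from Google; it omits CBOR and attestation, and the `Authenticator` class, `verifyAssertion`, `demo`, and the example.com origins are constructed for illustration.

```javascript
// Simplified WebAuthn passkey login model (added example; names and origins are constructed).
const crypto = require("node:crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();
// Authenticator (the phone): one key pair per site; the private key never leaves it.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(rpId, privateKey);
    return publicKey.export({ type: "spki", format: "pem" }); // all the website ever stores
  }
  // The browser, not the page, fills in the origin the user is really on.
  sign(rpId, origin, challenge) {
    const privateKey = this.keys.get(rpId);
    if (!privateKey) return null; // no passkey exists for this site
    const clientDataJSON = Buffer.from(JSON.stringify({
      type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
    const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
    const signature = crypto.sign("sha256", Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
    return { clientDataJSON, authData, signature };
  }
}

// Website (relying party): checks challenge, origin and RP ID hash, then the signature.
function verifyAssertion(publicKeyPem, expected, assertion) {
  const client = JSON.parse(assertion.clientDataJSON.toString());
  if (client.type !== "webauthn.get") return false;
  if (client.challenge !== expected.challenge.toString("base64url")) return false; // stale/replayed
  if (client.origin !== expected.origin) return false; // signed on a look-alike origin
  if (!assertion.authData.subarray(0, 32).equals(sha256(expected.rpId))) return false;
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientDataJSON)]);
  return crypto.verify("sha256", signed, publicKeyPem, assertion.signature);
}

function demo() {
  const phone = new Authenticator();
  const storedKey = phone.register("example.com");
  const challenge = crypto.randomBytes(32);
  const expected = { rpId: "example.com", origin: "https://example.com", challenge };
  const good = phone.sign("example.com", "https://example.com", challenge);
  const lookalike = phone.sign("example.com", "https://examp1e.com", challenge);
  const nextLogin = { ...expected, challenge: crypto.randomBytes(32) };
  return {
    genuine: verifyAssertion(storedKey, expected, good),
    lookalikeOrigin: verifyAssertion(storedKey, expected, lookalike),
    replay: verifyAssertion(storedKey, nextLogin, good),
    unknownSite: phone.sign("examp1e.com", "https://examp1e.com", challenge),
  };
}
```

The server only ever holds a public key, and a response signed for a look-alike origin or for an earlier challenge fails verification.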

The only odd choice Big Tech has made with passkeys is that the thing that authenticates your access to a website is your phone, not the password manager on the device you are currently using. This communication between phone and client also doesn't happen over the internet like two-factor authentication; the device you're using needs to have Bluetooth so your phone can talk to it locally. Bluetooth is used to ensure your phone is within range of the device and to start a network session (more secure than Bluetooth). Keeping communication local ensures random people on the internet can't log into your accounts, but it will also lock out some desktop computers.

Google says its passkey efforts reached "a major milestone" today. If you sign up for the Play Services beta, you can now create and use passkeys on Android devices, and Chrome Canary now supports passkeys for websites. Google says stable implementations for Chrome and Android will be available later this year, but it wants developers to start developing now.

Google also shared some details on how it will work. Google's solution stores your passkeys in Google's Password Manager. A pop-up on your phone will ask you to choose an account first, then authenticate yourself with some sort of biometrics, like fingerprint unlock. The phone will communicate with the client via Bluetooth, the browser will unlock your passkey and then send it to the website. (If the client is your phone, this all becomes much simpler.)

Starting with a QR code? This has to just be a beta hack. ...
