RIP passwords? Passkey support is rolling out to stable Chrome


Passkeys are here to (try to) kill the password. Following Google's beta rollout of the feature in October, passkeys are now coming to Chrome stable M108. The passkey is built on industry standards and supported by all major platform providers (Google, Apple, Microsoft) as well as the FIDO Alliance. Google's latest blog says: "With the latest version of Chrome, we're enabling passkeys on Windows 11, macOS, and Android." Google Password Manager on Android is ready to sync all your passkeys to the cloud. If you can meet all the hardware requirements and find a service that supports them, you can now log into something with a passkey.

Passkeys are the next step in the evolution of password managers. Today, password managers are a bit of a hack: the password text box was originally meant to be filled in manually by a human, who was expected to remember the password. Then password managers started to automate this typing and remembering, making it easier to use longer and more secure passwords. The correct way to handle a password field today is to have your password manager generate a string of random, non-memorable junk characters to paste into the password field. Passkeys get rid of that legacy text box interface and instead store a secret, pass it to a website, and if it matches, you're logged in. Instead of passing a randomly generated string of text, passkeys use the "WebAuthn" standard to generate a public-private key pair, just like SSH.

[Figure: The passkey process works a bit like autofill. Credit: Ron Amadeo]

Compatibility issues notwithstanding, passkeys offer big advantages over passwords. While passwords can be used insecurely, with short strings of text shared across many sites, a passkey is always enforced to be unique in content and secure in length. If a server breach occurs, the hacker doesn't get your private key, so it's not a security issue the way a leaked password would be. Passkeys aren't phishable, and because they require your phone to be physically present (!!), some random hacker on the other side of the world can't log into your account anyway.
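
The key-pair login described above can be modelled in a few lines. This is an added example, not code from the article or from Chrome: it is a simplified stand-in for a WebAuthn assertion, and the names `register`, `signAssertion`, `verifyAssertion`, `demo` and the `example.test` site are assumptions made for illustration. It shows why a copied server database, a look-alike origin, or a replayed response does not produce a valid login.

```javascript
// Simplified model of a WebAuthn login (constructed example, not a full implementation).
const crypto = require("node:crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Registration: the authenticator keeps the private key; the site stores only the public key.
function register() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { authenticator: { privateKey }, serverRecord: { publicKey } };
}

// Authenticator side: the browser records the origin the user is actually on.
function signAssertion(authenticator, rpId, origin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
  const authenticatorData = sha256(rpId); // real authenticator data also has flags and a counter
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  const signature = crypto.sign("sha256", signed, authenticator.privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Site side: check type, challenge, origin and RP ID hash, then the signature.
function verifyAssertion(serverRecord, expected, assertion) {
  const clientData = JSON.parse(assertion.clientDataJSON.toString());
  if (clientData.type !== "webauthn.get") return "bad type";
  if (clientData.challenge !== expected.challenge.toString("base64url")) return "bad challenge";
  if (clientData.origin !== expected.origin) return "bad origin";
  if (!assertion.authenticatorData.equals(sha256(expected.rpId))) return "bad rpId";
  const signed = Buffer.concat([assertion.authenticatorData, sha256(assertion.clientDataJSON)]);
  return crypto.verify("sha256", signed, serverRecord.publicKey, assertion.signature)
    ? "ok" : "bad signature";
}

function demo() {
  const site = { rpId: "example.test", origin: "https://example.test" }; // constructed values
  const { authenticator, serverRecord } = register();
  const challenge = crypto.randomBytes(32);
  const check = (a) => verifyAssertion(serverRecord, { ...site, challenge }, a);
  const good = signAssertion(authenticator, site.rpId, site.origin, challenge);
  // Response produced on a look-alike origin: the signed client data names that origin.
  const relayed = signAssertion(authenticator, site.rpId, "https://examp1e.test", challenge);
  // An earlier response presented again after the site has issued a fresh challenge.
  const replay = verifyAssertion(serverRecord,
    { ...site, challenge: crypto.randomBytes(32) }, good);
  // A copy of the server record holds only the public key, so any other key must sign.
  const forged = signAssertion(register().authenticator, site.rpId, site.origin, challenge);
  return { good: check(good), relayed: check(relayed), replay, forged: check(forged) };
}
```
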
[Figure: You can authenticate a Chrome instance with iOS in all ecosystems, but you will need to use a QR code. Credit: Google]

So let's talk about compatibility. Passkeys today essentially require a portable device, even if you log into a stationary PC. You are expected to use a smartphone for this, but you can also use a MacBook or iPad. The first time you set up an account on a new device, you need to make sure your authenticating device (your phone) is close to whatever you're connecting to. This proximity check happens via Bluetooth. Everyone behind passkeys is really aggressive about pointing out that sensitive data isn't transferred over Bluetooth, which is used only for the proximity check, but you'll still have to deal with security issues and Bluetooth connectivity to start.

When logging into an existing account on a new device, you also need to choose the device you want to authenticate with (probably your phone too). If those two devices are in the same large tech ecosystem, you'll hopefully see a nice device menu, but if not, you'll need to use a QR code.

