Google Rolls Out Passkey Technology to Replace Passwords.
Google’s new passkey technology, designed to replace passwords entirely, has raised concerns around cyber security and privacy. The technology allows authentication using fingerprint ID, facial ID, or a PIN on the device being used for authentication. The cryptographic private key is stored on the device, and a corresponding public key is uploaded to Google. While Google claims that this will prevent phishing, SIM-swap, and other password-bypass methods, critics remain skeptical about the potential for cyber attacks and the protection of users’ biometric data.
Passkey technology has also been adopted by Apple and Microsoft, with businesses such as eBay, DocuSign, and PayPal already using it. However, the technology is still in its early stages, and mass adoption across apps and websites may take some time. Google will still allow the use of passwords in circumstances where the passkey-enabled device is unavailable, but over time the company plans to pay closer attention to accounts that still use passwords for signs of compromise.
Each passkey is unique to each service, so one compromised account does not compromise every other account that uses a passkey. However, users need to be careful about sharing their passkey with others, as doing so could lead to security risks. The technology has been developed as part of the FIDO (Fast Identity Online) Alliance, with Apple, Google, and Microsoft leading the charge.
While passkey technology may spell the end of passwords and password managers, there is still a long way to go before it is widely adopted. Passkeys need to let users switch easily between ecosystems such as iOS and Android to gain wider adoption. Additionally, there are concerns around the security of biometric data, with critics warning about the potential for hackers to access this data.
While passkey technology may offer a more secure alternative to passwords, it is important to carefully consider the potential risks and limitations before adopting it. Businesses using Google for work accounts will soon be able to enable passkeys for sign-in, but they must ensure that their employees are fully aware of the risks and how to use passkeys safely.
Passkey technology is part of a growing trend towards biometric authentication, which uses unique human characteristics, such as fingerprints or facial recognition, to verify an individual’s identity. While biometric authentication can offer increased security compared to traditional passwords, there are also concerns around the privacy and security of biometric data.
One major concern is the possibility of hackers stealing biometric data, which, unlike a password, cannot be changed. Once a biometric identifier, such as a fingerprint or facial scan, has been compromised, it cannot be reset. This could potentially leave users vulnerable to identity theft and other forms of cybercrime. To mitigate these risks, passkey technology keeps biometric data on the device, where it is used only to unlock the locally stored private key, rather than on a centralized server, making it more difficult for hackers to access.
Another concern is the potential for false positives or false negatives in biometric authentication. In some cases, the technology may incorrectly identify a user or fail to recognize them, leading to frustration and potential security issues. However, advances in machine learning and artificial intelligence are helping to improve the accuracy and reliability of biometric authentication.
Despite these concerns, passkey technology is gaining traction as a more secure alternative to passwords. It is also simpler for users, as there is nothing to remember: they only need to authenticate with a fingerprint, facial scan, or PIN. This convenience can encourage wider adoption and improve overall security by reducing the likelihood of users resorting to weak or easily guessable passwords.
As passkey technology becomes more widely adopted, it is likely to become the new standard for online authentication. However, it is important for businesses and individuals to carefully evaluate the potential risks and limitations of biometric authentication and take steps to protect their data and privacy. This includes using passkey technology responsibly and only sharing biometric data with trusted parties.
Another concern with passkey technology is the possibility of a coercive attack, where an attacker could force an individual to unlock their device using their biometric data. This could happen, for example, in a situation where an individual is detained by law enforcement or other authorities who compel them to unlock their device. To address this risk, some passkey technologies offer a “duress mode” that allows the user to quickly and discreetly disable biometric authentication and switch to a password or PIN.
Privacy is another major concern with biometric authentication. Users may be hesitant to share their biometric data with third-party companies or worry about the potential for misuse or unauthorized access. Passkey technology attempts to address this issue by storing biometric data locally on the device rather than in the cloud or on a centralized server, as mentioned previously.
However, it is important for users to carefully review the privacy policies and terms of service for passkey technology providers to understand how their biometric data will be collected, used, and protected. Users should also be cautious when using passkey technology on shared or public devices and avoid sharing their passkeys or biometric data with others.
Passkey technology raises questions about interoperability and compatibility across different devices and platforms. While Google, Apple, and Microsoft all support passkey technology through the FIDO Alliance, there may be compatibility issues with other devices or services that do not support this standard. This could create additional complexity and potentially reduce the convenience and security benefits of passkey technology.
While passkey technology offers promising advancements in security and convenience over traditional passwords, it is important for users and businesses to carefully evaluate the potential risks and limitations before adopting it as their primary authentication method. Strong passwords and multi-factor authentication should still be considered as additional security measures.
Here is a step-by-step breakdown of how passkey technology works:
- A user creates a passkey on their device, unlocking it with their biometric data (such as a fingerprint or facial recognition) or a PIN code. The passkey is bound to the device and is used to authenticate the user to apps and services.
- When the user tries to access a service, the passkey technology generates a cryptographic private key that is stored on the device. A corresponding public key is then uploaded to the service provider, such as Google.
- To sign in, the service sends a unique challenge; the device signs it with the private key, and the service verifies the signature with the public key it stores to confirm the user’s identity.
- The service provider, in this case Google, only receives the signature generated and the public key. This means that the private key and the biometric data used for authentication are never shared with the service provider.
- If a user wants to use their passkey from a new device on a one-time basis, they can do so by scanning a QR code or, on Apple devices, by using AirDrop. Bluetooth is used to confirm that the two devices are physically near each other.
- If a user loses their device with the passkey, they can revoke access immediately in account settings.
- Each passkey is also unique to each service a person uses, so one compromised account does not compromise every other account that uses a passkey.
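The challenge-response flow in the steps above, as an added example that is not from the original article and is not Google's or the FIDO Alliance's code. It models the device (authenticator) and the service (relying party) in Go's standard library, assuming Ed25519 signatures and a hypothetical relying-party-ID/username scheme; the relying party stores only the public key, issues a single-use random challenge, and verifies the signature, and the device holds a separate key per service.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Authenticator models the user's device: one private key per relying-party ID,
// unlocked locally by biometric or PIN and never exported.
type Authenticator map[string]ed25519.PrivateKey

// Register mints a fresh key pair scoped to rpID and returns only the public half.
func (a Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a[rpID] = priv
	return pub
}

// Sign answers a challenge with the key held for rpID. The ID is bound into the signed
// bytes, so a signature for one site is useless on another; a site with no key gets nothing.
func (a Authenticator) Sign(rpID string, challenge []byte) ([]byte, bool) {
	priv, ok := a[rpID]
	if !ok {
		return nil, false // no passkey for this relying party (e.g. a look-alike domain)
	}
	return ed25519.Sign(priv, append([]byte(rpID+"|"), challenge...)), true
}

// RelyingParty models the service (e.g. Google): it stores public keys only
// and hands out single-use random challenges.
type RelyingParty struct {
	ID      string
	creds   map[string]ed25519.PublicKey // username -> registered public key
	pending map[string][]byte            // username -> outstanding challenge
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id, map[string]ed25519.PublicKey{}, map[string][]byte{}}
}
func (rp *RelyingParty) Enroll(user string, pub ed25519.PublicKey) { rp.creds[user] = pub }

// Challenge issues 32 fresh random bytes the device must sign to log in.
func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	rand.Read(c)
	rp.pending[user] = c
	return c
}

// Verify checks the signature with the stored public key and consumes the challenge.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	c, ok := rp.pending[user]
	delete(rp.pending, user) // single use, even on failure, so a replayed signature fails
	pub, known := rp.creds[user]
	return ok && known && ed25519.Verify(pub, append([]byte(rp.ID+"|"), c...), sig)
}
```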
Passkey technology aims to eliminate the need for traditional passwords, which are often weak and easily compromised. Instead, it uses biometric data or PIN codes to provide a more secure and convenient method of authentication.