October is Cybersecurity Awareness Month, and, as a result, some companies have begun new initiatives to help boost not just their internal security, but the security of their users. One such company is Google. Google has announced that, for Cybersecurity Awareness Month, they’re “making it even easier for users to get started with passkeys” (Karra).

What are Passkeys?

While they would ideally be an effective way to keep data safe, passwords, in reality, have multiple flaws. It is extremely tempting to choose short, easy-to-remember, but also easy-to-guess passwords, compromising account safety for the sake of convenience. While there are measures and techniques that help boost password security, such as multifactor authentication, Google believes that “we need to move beyond passwords altogether” (Srinivas). Thus, Google has “been setting the stage for a passwordless future for over a decade” (Srinivas). Instead of needing a password to log into a website or account, you will instead need a passkey.

The idea is presented in a relatively simple way: “When you sign into a website or app on your phone, you will simply unlock your phone — your account won’t need a password anymore. Instead, your phone will store a FIDO credential called a passkey which is used to unlock your online account” (Srinivas). Like a physical set of keys, your phone will, essentially, become a keyring for digital passkeys used to unlock your accounts. So long as you have your phone, you can access your account.

How Do Passkeys Work?

In terms of security, passkeys are based “on public key cryptography” and are “only shown to your online account when you unlock your phone” (Srinivas). In a nutshell, public key cryptography uses extremely complicated mathematical formulas to encrypt (i.e., scramble) these passkeys so that only the person with the matching formula can unscramble them. At first glance, it might seem easy to reverse a math equation to decrypt a passkey, but in reality these equations are so complex that even a computer would take ages to reverse them!

To use a passkey, all you’ll need is “… your phone nearby [,] and you’ll simply be prompted to unlock it for access. Once you’ve done this, you won’t need your phone again and you can sign in by just unlocking your computer” (Srinivas). It is currently unclear whether a user will need to “refresh” the passkey on their device after a given period of time. Furthermore, these passkeys will be securely backed up to the cloud, so, even if you lose your phone, you’ll be able to continue using your passkeys on your new device with little to no issue (Srinivas).

How Can I Start Using Passkeys?

In an effort to transition from passwords to passkeys, Google plans to begin “offering [passkeys] as the default option across personal Google Accounts” instead of passwords (Karra & Brand). Activating this feature is relatively straightforward. If you already have a Google account, you simply need to sign into it again, and “you’ll start seeing prompts to create and use passkeys, simplifying your future sign-ins. It also means you’ll see the ‘Skip password when possible’ option toggled on in your Google Account settings” (Karra & Brand). If you are creating a Google account for the first time, you will likely be prompted in a similar manner. Of course, Google is not forcing you to adopt passkeys and forsake passwords entirely. If you would prefer to keep using your password, you “will still be given the option to use a password to sign in and may opt-out of passkeys by turning off ‘Skip password when possible’” (Karra & Brand).

Are There Potential Security Risks?

Before discussing the potential security risks of using passkeys over passwords, it is important to look at what Google identifies as the security benefits. Google advertises that “one of the most immediate benefits of passkeys is that they spare people the headache of remembering all those numbers and special characters in passwords”, which is extremely useful for many users (Karra & Brand). Users will, in theory, no longer have to sacrifice security for convenience. Google also claims that passkeys are “40% faster than passwords”, and that the type of cryptography used “makes them more secure” (Karra & Brand). Finally, passkeys are supposedly resistant to phishing: since users won’t technically know what their passkey is, they cannot divulge it in a phishing attempt, and, even if they did, it would be encrypted and difficult for the hacker to use (Karra & Brand).

However, there are still some potential risks involved, as with any new technology. For one, there is the issue of a “man-in-the-middle” attack. Essentially, a “man-in-the-middle” attack occurs when a hacker or threat actor is able to intercept and listen in on network traffic without necessarily interrupting its flow (i.e., the traffic still reaches the intended destination, and neither the sender nor the receiver would be aware that someone was “listening in”). It is possible that a passkey could be intercepted with this sort of attack, which could give a hacker unauthorized access to someone’s account. Whether this sort of attack will truly be a threat to passkeys remains to be seen.

Similarly, it is implied that once you log into an account with a device, you won’t need to worry about logging into the account again, since the device will log you in automatically when you unlock it. Thus, if someone were to steal said device, it is possible that they would gain full access to any accounts that have their passkeys stored on it. Of course, Google will likely build in some sort of account/passkey recovery in the event of a lost or stolen device. Not only that, but if the device is not well secured (e.g., it has a weak password or no password at all), it may be possible for someone to gain unauthorized access to any accounts with passkeys on that device.

Overall, the shift to passkeys would consolidate account access from many points of failure (unique passwords for each account) to a single point of failure (one means of access to all of your accounts). On one hand, this is good: if there is only one point of failure, users (or Google) just need to ensure that this point is so secure that it is highly unlikely to fail. On the other hand, this is bad: if this single point of failure is compromised, then everything is compromised. Password vaults and password managers pose a similar dilemma, so this is not a new situation for technological security. At the end of the day, it remains to be seen whether this transition to passkeys proves to be more secure than the standard use of passwords.

References & Further Reading

Karra, Sriram, and Christiaan Brand. “Passwordless by Default: Make the Switch to Passkeys.” Google, Google, 10 Oct. 2023, blog.google/technology/safety-security/passkeys-default-google-accounts/.

Srinivas, Sampath. “One Step Closer to a Passwordless Future.” Google, Google, 5 May 2022, blog.google/technology/safety-security/one-step-closer-to-a-passwordless-future/.
