The security industry, organized through the FIDO (Fast IDentity Online) Alliance, has been working to replace passwords, given people’s tendency to choose weak ones or reuse them across sites. Two-factor authentication (2FA) has helped to limit the damage, but the future is “passkeys,” with Android and Google readying support.
About APK Insight: In this “APK Insight” post, we’ve decompiled the latest version of an application that Google uploaded to the Play Store. When we decompile these files (called APKs, in the case of Android apps), we’re able to see various lines of code within that hint at possible future features. Keep in mind that Google may or may not ever ship these features, and our interpretation of what they are may be imperfect. We’ll try to enable those that are closer to being finished, however, to show you how they’ll look in case that they do ship. With that in mind, read on.
If successfully adopted, signing in to a web service will no longer involve entering a password. That includes passwords that are auto-filled, which is the commonplace behavior of the password managers built into today’s browsers and operating systems. Rather, the FIDO approach relies on cryptographic keys. Before a sign-in occurs, end users simply unlock their device (passcode, fingerprint, face unlock, etc.).
During registration with an online service, the user’s client device creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key: the service issues a fresh challenge, the device signs it, and the service verifies the signature with the public key it stored at registration. The private key never leaves the device, so the service holds nothing that could be reused as a password.
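As an added illustration of the registration and challenge-response flow described above (example code written for this article, not code from Google Play services or the FIDO specifications), here is a simplified model in Go. An Authenticator stands in for the user’s device and keeps one private key per relying-party ID; a RelyingParty stands in for the online service and keeps only public keys plus the challenge it is waiting on. The signed data (SHA-256 of the rpID concatenated with the challenge) is a stand-in for WebAuthn’s authenticator data and client data hash, and the names Authenticator, RelyingParty, PasskeyFlow, example.com and examp1e.com are invented for the example. It also shows two things the paragraph only implies: a captured response cannot be replayed because the challenge is consumed, and a look-alike domain cannot obtain a usable signature because the credential is scoped to the site that registered it.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device; private keys live in a hypothetical in-memory store keyed by rpID.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey
}

// Register creates a fresh P-256 key pair for rpID, keeps the private half and returns only the public key.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // crypto/rand failing is unrecoverable for a demo
	}
	a.keys[rpID] = priv
	return &priv.PublicKey
}

// Sign proves possession of the private key for rpID. The rpID is mixed into the
// signed digest, so a signature for one site is useless to another, and a site with no credential gets nothing.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no passkey registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpID, challenge))
}

// signedDigest is a simplified stand-in for the authenticator data and client
// data hash that a real WebAuthn authenticator signs.
func signedDigest(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty models the online service: public keys and pending challenges only, never a private key.
type RelyingParty struct {
	ID         string
	pubKeys    map[string]*ecdsa.PublicKey // username -> registered public key
	challenges map[string][]byte           // username -> challenge awaiting a response
}

// Challenge issues a fresh 32-byte random nonce for one login attempt.
func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.challenges[user] = c
	return c
}

// Verify accepts the login only if the response answers the challenge still pending for the
// user and the signature checks under the stored key. The challenge is consumed either way, so replay fails.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, registered := rp.pubKeys[user]
	expected, pending := rp.challenges[user]
	if !registered || !pending || !bytes.Equal(expected, challenge) {
		return false
	}
	delete(rp.challenges, user)
	return ecdsa.VerifyASN1(pub, signedDigest(rp.ID, challenge), sig)
}

// PasskeyFlow runs registration, one genuine login, a replay of the captured response,
// and an attempt from a look-alike domain; it reports whether each login attempt was accepted.
func PasskeyFlow() (login, replay, lookAlike bool) {
	device := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	rp := &RelyingParty{ID: "example.com", pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
	rp.pubKeys["alice"] = device.Register(rp.ID) // constructed sample user and service
	challenge := rp.Challenge("alice")
	sig, err := device.Sign(rp.ID, challenge)
	if err != nil {
		panic(err)
	}
	login = rp.Verify("alice", challenge, sig)
	replay = rp.Verify("alice", challenge, sig) // same response again: challenge already consumed
	// A phishing page at examp1e.com relays the genuine challenge, but the browser presents
	// its own rpID, for which the device holds no passkey, so Sign refuses outright.
	phished, err := device.Sign("examp1e.com", challenge)
	lookAlike = err == nil && rp.Verify("alice", challenge, phished)
	return
}

func main() {
	fmt.Println(PasskeyFlow()) // true false false
}
```

The rpID scoping is the property that makes passkeys phishing-resistant in practice: a user who lands on a look-alike domain is never asked to sign anything for the real site, because the browser, not the user, decides which credential is in scope.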
Instead of passwords, you will have “passkeys” that are stored on your device and in the operating system’s associated cloud sync service. In the case of Android, passkeys – which is the name Apple will also be using – are saved to your Google Account (presumably alongside the credentials already synced by Google Password Manager), as explained by new strings in the latest version of Google Play services (version 22.15.14).
<string name="fido_passkey_welcome_title">Hello passkeys, goodbye passwords</string>
<string name="fido_passkey_welcome_text">Passkeys provide better protection than passwords \u2013 and they\u2019re safely saved in your Google Account. <br/><a href=%1$s> Learn more </a></string>
You’ll still have to know your primary Google Account (or Apple ID) password, especially when switching to a new device, but this fully realized future means that’s the only one you really have to remember.
Just like password managers do with passwords, the underlying OS platform will “sync” the cryptographic keys that belong to a FIDO credential from device to device. This means that the security and availability of a user’s synced credential depend on the security of the underlying OS platform’s (Google’s, Apple’s, Microsoft’s, etc.) authentication mechanism for its online accounts, and on the security of the recovery method for reinstating access when all (old) devices are lost. In other words, the account that holds the synced passkeys becomes the thing an attacker most wants to compromise.
Work in Play services is still underway, and third-party adoption by websites and apps is a big requirement for all of this to work. The strings suggest Google will be making a consumer-facing push encouraging passkey adoption, as seen in “Hello passkeys, goodbye passwords” and the cover image above.
Author: Abner Li