Following our report last month, Google today announced its support for “passwordless FIDO Sign-in standards” and previewed what the end-user experience of passkeys on Android and Chrome will look like.
Google has been working to replace passwords for the past decade or so because of people’s poor password hygiene (i.e., reusing credentials across multiple services), passwords’ vulnerability to data breaches, and phishing scams.
“Today, in honor of World Password Day, we’re announcing a major milestone in this journey: over the next year all major device platforms have committed to building in support for passwordless FIDO Sign-in standards. We plan to implement passwordless support in Android & Chrome.”
Apple (iOS, macOS, Safari) and Microsoft (Windows, Edge) are also supporting the new standards, thus simplifying “sign-ins across devices, websites, and applications no matter the platform — without the need for a single password.”
How passkeys on Android, Chrome will work
Your Android phone will store a “passkey” that’s used to unlock an online account (in Google Chrome). Instead of entering a password to sign into a website or app, you just unlock your mobile device. Passkeys are synced to the cloud (Google Account) and transferred when you get a new phone or if your phone is ever lost.
The passkey makes signing in far more secure, as it’s based on public key cryptography and is only shown to your online account when you unlock your phone.
On desktop computers, the first log-in will require your phone to be nearby for authentication. Afterward, sign-ins just involve unlocking your PC.
This passwordless future places a very strong emphasis on your phone and Google Account. We’re told today that passkeys will work with devices running Android 9 and newer, while we’ve already spotted Google Play Services readying support. Meanwhile, logging into your Google Account will still involve two levels/factors of security and authentication:
“We can expect that Google Accounts will offer a login which combines something the user knows and something the user has in a very strong way. For example, rather than a password, users can use an unlock code from a previous device. The ‘something the user has’ could be the user’s on-record phone number (using new methods beyond SMS) or a Security Key.”
Sampath Srinivas, PM Director, Secure Authentication, Google and President, FIDO Alliance
Speaking of security keys, in general, there will continue to be support for a “phishing-resistant option for users who do not want to use their phone to sign-in.”
When can you use passkeys
This industry-wide support was announced on World Password Day, with full implementation by OS vendors, online services/websites, and apps expected over the course of 2022 and 2023.
“We’re excited for what the passkey future holds. That said, we understand it will still take time for this technology to be available on everyone’s devices and for website and app developers to take advantage of them. Passwords will continue to be part of our lives as we make this transition, so we’ll remain dedicated to making conventional sign-ins safer and easier through our existing products and continued innovation.”
Author: Abner Li
Source: 9TO5Google