Passkeys are a modern authentication tool that aims to eliminate the need for usernames and passwords. They verify a user’s login credentials using a cryptographic key that is saved on the local device.
The mechanism behind passkeys is inspired by two-factor authentication: instead of requiring a password to be entered as the first step, a cryptographic key is used that acts as a “pass”. The purpose of passkeys is to improve the security of online accounts, removing the intrinsic problems of conventional credentials and, consequently, the need to change passwords periodically.
On the technical side, passkeys consist of a pair of cryptographic keys, one public and one private: they are therefore based on an asymmetric encryption scheme and on the WebAuthn standard. They can be used to access websites, applications, services and devices without having to type a password.
Various operating systems and many applications have embraced passkeys over time, even if their adoption is still rather limited today. In the past we have looked at what a passkey is and how Google started implementing them. Now the Mountain View company has made a historic announcement: from today, passkeys become the default login mechanism for personal accounts registered on its platform.
Passkey default login system for personal Google accounts
Setting up a passkey on a personal Google account exempts the user from having to type a password and also removes the need to enable and use so-called two-step verification.
To create a passkey and pair it with your personal (non-business) Google account, simply visit the passkey page. After a very short wait, Google responds with the message Passkey created.
Passkeys are tied to specific individual devices: the computers, tablets and smartphones on which you use a Google account. They work locally and offer a more secure and convenient alternative to traditional passwords, allowing the use of biometric sensors such as fingerprint scanners and facial recognition, along with PINs, hardware security keys or screen lock patterns.
The use of passkeys significantly reduces the risk of data breaches because, for example, it protects against phishing attacks: attackers can no longer use fraudulent techniques to trick users into revealing their passwords, simply because a password is no longer used for login.
Once passkeys are enabled on a Google account, the corresponding option on the Skip password when possible settings page is active.
How passkeys work in brief
Passkeys were certainly not born today with Google’s decision: they rely on cryptographic technology that has been in development for more than ten years. The FIDO Alliance was founded in 2013 to work on the technology and promote its use, ensuring the approval of universal, open standards. It is supported by a long list of members and sponsors.
We have already mentioned that, with passkeys, users can access apps and websites by authenticating with a biometric sensor (fingerprint verification or facial recognition), a PIN or a pattern, exactly as they do, for example, to unlock their mobile device or reach the desktop of a Windows PC with Windows Hello. With this approach it is no longer necessary to remember a login password.
A passkey meets the requirements of multi-factor authentication (MFA) in a single step, replacing both passwords and OTP codes. Also, since the passkey implementation derives from a single standard, the tool can be used in the same way on all devices, browsers and operating systems. Once a passkey has been created and registered, the user can easily switch to a new device and use it right away.
The provider of a service that supports authentication and access via passkey stores on its servers – therefore in the cloud – only the user’s public key. The biometric data, the PIN and the information on unlock patterns always remain on the end user’s device. On the server side there is no information useful to an attacker, because the private key associated with the passkey is stored securely on the local device, under the direct control of the user.
The steps to log in
We summarize below the steps that are applied every time a user requests a login via passkey:
- The user visits a website or application and begins the login process.
- The website sends a long string that acts as a login “challenge”.
- The user uses facial recognition, fingerprint recognition, enters a PIN or a graphic pattern to unlock the local “container” that contains the private key associated with the specific passkey.
- The private key is used to apply a cryptographic signature to the string received from the remote server (the “challenge”).
- The remote web server verifies the signature received from the client using the public key it stores. If the check succeeds, access is granted and the login procedure ends.
Opening image credit: iStock.com/Yurii Karvatskyi