The new authentication system is now available in the beta channels of Google Play Services and the Chrome browser
Apple introduced them with iOS 16, and Google will bring them to Android and the Chrome browser before the end of the year. Passkeys are an authentication method backed by Google, Apple, Microsoft and the FIDO Alliance that aims to become a new security standard for websites and applications and to replace traditional passwords. Unlike a password, a passkey cannot be reused on other sites or apps, it cannot be leaked in a breach of the website (the server stores only a public key, which is useless for logging in), and it protects the user against phishing, because the credential is bound to the site it was created for. Google already allows the use of this system through its beta channels, both on Android (Google Play Services Beta) and in Chrome (Chrome Canary).
As of yesterday, users of these channels can create and use passkeys on Android devices, and developers can add support for them on their websites through the WebAuthn API for Chrome users. The API for integrating passkeys into Android apps will arrive later this year, and Google plans to bring passkeys to the stable versions of Android and Chrome before the end of 2022.
Registering on a website with passkey.
This does not mean that passwords will disappear as soon as Google integrates the functionality into its platforms. Websites and the developers of browsers and other apps will have to adopt it, which will not be immediate, and it may take time before its use is widespread. Passkeys remove the need for text boxes for entering credentials, but the two systems will presumably coexist for a while.
How passkeys work
Passkeys are based on public key cryptography and on the Web Authentication standard (WebAuthn). The first is a technique devised in the 1970s that is used everywhere on the Internet: for example, when a browser connects to an HTTPS website, the server presents a certificate containing its public key, which the browser uses to verify the server's identity and to negotiate the keys that encrypt the data being transferred.
The second is a specification developed by the W3C, the consortium in charge of open standards for the web, together with the FIDO Alliance and with the participation of the large technology companies. The WebAuthn API that developers integrate allows a server to register and authenticate a user with public-key cryptography instead of a password.
A passkey consists of two keys, one private and one public, which must correspond for an authentication to be valid. The process is automatic: the user does not have to generate or remember either of them, since the system creates them. During registration, the server sends, through WebAuthn, data that binds the user to a credential, with identifiers for both the user and the organization (the relying party), and the device is prompted to create a key pair. The public key is returned to the server, which stores it, and registration is complete; the private key stays on the user's side, encrypted and stored in Google Password Manager. To log in, the server sends a fresh random challenge, the device signs it with the private key once the user has confirmed the operation, and the server checks the signature with the public key it saved at registration. The private key itself is never transmitted, so the only step that uses it, the signing, happens on the user's device and not on the server that receives the result.
The private key is always kept on the user side.
In practice, its use resembles two-factor authentication: the user must confirm the login from their Android phone, identifying themselves biometrically (for example, with a fingerprint) or with a PIN. Using a passkey on a phone is very simple, but if the passkey is used from a computer, confirmation from the phone is also required, and the phone must be connected to the computer via Bluetooth. This ensures physical proximity between the user's phone, which holds the private key, and the computer on which they are signing in, so a remote attacker cannot simply trigger a confirmation prompt from somewhere else.
To use a passkey on the computer it is necessary to have the mobile nearby.
With this system, a leak of a web service's credential database becomes irrelevant, since the public key stored there is useless without its private key, which cannot be derived from it. Likewise, a phishing site that impersonates, say, a bank so that the user types in their credentials becomes an obsolete method of theft: the passkey is bound to the bank's real domain, and the device will not sign for a look-alike domain. In addition, since every passkey is unique to one site, another common weakness is avoided: reusing the same password across different websites and services.
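As an added illustration (not Google's code or the WebAuthn reference implementation), the following Go program models the registration and login exchange described in "How passkeys work" and the protections listed above, with the user's device, the browser and the website's server as separate parts. It uses ECDSA P-256 (the COSE ES256 algorithm WebAuthn commonly negotiates), derives the relying-party ID from the page origin as a browser would, and keeps the server to public keys only. The domain names (bank.example, bank-example.evil, shop.example) are hypothetical, and the signed message is simplified: WebAuthn signs authenticatorData || SHA-256(clientDataJSON), and here authenticatorData is reduced to the rpId hash, with CBOR encoding, attestation, flags and the signature counter omitted. The biometric or PIN confirmation and the Bluetooth proximity check happen before Sign is reached and are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Authenticator models the user's device: private keys live here, keyed by rpId+"/"+credentialID, and never leave.
type Authenticator map[string]*ecdsa.PrivateKey

// Sign is the login (assertion) step. It refuses unless the credential was made for
// the rpId the browser derived from the page's origin, so a look-alike domain gets nothing.
func (a Authenticator) Sign(credID, rpID string, clientDataJSON []byte) ([]byte, error) {
	priv, ok := a[rpID+"/"+credID]
	if !ok {
		return nil, fmt.Errorf("no passkey for rpId %q", rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signatureBase(rpID, clientDataJSON))
}

// clientData goes under the signature; it binds the assertion to the visited origin and the challenge.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// RelyingParty models the website's server. It holds public keys only, so a breach
// of its credential table gives an attacker nothing to log in with.
type RelyingParty struct {
	ID, Origin string
	creds      map[string]*ecdsa.PublicKey // credential ID -> public key
}

// Register is the enrolment step: the device generates a P-256 key pair scoped to
// rp.ID and keeps the private key; the server stores only the public half.
func (rp *RelyingParty) Register(a Authenticator) string {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	id := randomHex(16)
	a[rp.ID+"/"+id] = priv
	if rp.creds == nil {
		rp.creds = map[string]*ecdsa.PublicKey{}
	}
	rp.creds[id] = &priv.PublicKey
	return id
}

// Verify is the server-side half of a login: its own challenge, the origin, then the signature against the stored public key.
func (rp *RelyingParty) Verify(credID, challenge string, clientDataJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case rp.creds[credID] == nil:
		return fmt.Errorf("unknown credential %q", credID)
	case cd.Challenge != challenge:
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	case cd.Origin != rp.Origin:
		return fmt.Errorf("origin %q is not %q", cd.Origin, rp.Origin)
	case !ecdsa.VerifyASN1(rp.creds[credID], signatureBase(rp.ID, clientDataJSON), sig):
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// BrowserLogin plays the browser: rpId comes from the origin the user is really on (host only here); page scripts cannot choose it.
func BrowserLogin(a Authenticator, credID, origin, challenge string) ([]byte, []byte, error) {
	cd, _ := json.Marshal(clientData{challenge, origin})
	sig, err := a.Sign(credID, origin[len("https://"):], cd)
	return cd, sig, err
}

// signatureBase mirrors WebAuthn's signed message, authenticatorData || SHA-256(clientDataJSON),
// with authenticatorData reduced to the rpId hash (a simplification for this example).
func signatureBase(rpID string, clientDataJSON []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return digest[:]
}

func randomHex(n int) string {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand; Read only fails if the OS RNG itself is broken
	return fmt.Sprintf("%x", b)
}

func main() {
	auth, bank := Authenticator{}, &RelyingParty{ID: "bank.example", Origin: "https://bank.example"} // hypothetical site
	cred, ch := bank.Register(auth), randomHex(32)
	cd, sig, _ := BrowserLogin(auth, cred, "https://bank.example", ch)
	fmt.Println("genuine site:", bank.Verify(cred, ch, cd, sig))
	_, _, err := BrowserLogin(auth, cred, "https://bank-example.evil", randomHex(32))
	fmt.Println("look-alike site:", err)
}
```

Running it prints `<nil>` for the genuine site and an error for the look-alike domain: the browser derives the rpId `bank-example.evil` from the origin, the authenticator has no passkey under that rpId, and no signature is ever produced, so there is nothing for the phisher to capture. Even an assertion relayed from elsewhere fails at the server, because the origin inside clientDataJSON is covered by the signature and is compared with the relying party's own, and an old assertion fails because the server issues a fresh challenge for every login.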