Tuesday, November 5, 2024

Did This New Google Chrome Security Move Just Make Passwords Obsolete?

Passkeys are, without a doubt, the future of login security. 1Password has called them “nearly impossible for hackers to guess or intercept” and Google uses them to replace hardware key and two-factor authentication for high-risk users. Now Google has gone one step further in this move to a passwordless future: secure syncing across devices with Chrome on Windows, macOS, Linux and Android platforms right now, with iOS still in development but promised soon.

Google Announces Secure Passkey Sign-In Across (Nearly) All Your Devices

Until today, although pretty much everyone agrees that passkeys are both more straightforward to use and more secure than traditional password logins, Google only allowed you to save your passkeys to the Password Manager using Android. Sure, you could use them wherever you liked, but that involved scanning a QR code on your Android device, which, I can say from personal experience, made me look for alternative passkey providers such as 1Password and Apple. All that has changed with a new announcement by Chirag Desai, a Chrome product manager at Google, concerning updates that are now rolling out to make the experience as hassle-free as it should be. No QR codes required.

Once a passkey has been saved, no matter which device you used to do so, it will then automatically sync across your other devices so as to make signing in to any account or service just a matter of scanning your fingerprint, Desai announced. This new syncing ability revolves around a new Google Password Manager PIN that adds another layer of security to the process, ensuring “your passkeys are end-to-end encrypted and can’t be accessed by anyone, not even Google,” Desai said.

You will need to have either your Google Password Manager PIN or use the screen lock on your device when starting to use passkeys for the first time on a new Android device. However, no new apps are required as passkey support is already built into both Chrome and Android devices.

Passkey Technology Explained

Passkeys originated as a joint Apple, Google and Microsoft initiative developed with the FIDO Alliance, an open industry association that aims to reduce people’s reliance on passwords. Based upon public key cryptographic protocols, the same as those that underpin hardware security keys, passkeys are considered phishing-resistant, which is of huge importance considering today’s threat landscape. Passkeys are “resistant to phishing and other online attacks,” Google said, “making them more secure than SMS, app-based one-time passwords and other forms of multi-factor authentication.”

A passkey credential is on-device, registered only once and then re-used as often as needed, using the device’s biometric user verification system, be that fingerprint or facial scanning. If no biometrics are available, then they can be used with a PIN code. The important thing is that it’s the possession of the device by the user, who authenticates as such with those biometrics, that makes passkeys secure. The remote server at the service, site or account you are trying to sign into will simply ask the user to activate their screen lock to complete the authentication process.

Passkeys are designed according to the FIDO Alliance standard, so any implementation can work seamlessly with any browser or operating system. Importantly, the user’s biometric screen lock data is never sent to the site you are logging into; Google will never see it. Instead, just the cryptographic proof that you’ve activated the screen lock successfully is transferred. You can try them out at Passkeys.io, where a simple demo account shows how easy they are to use and create.
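The "cryptographic proof" described above can be made concrete with a simplified WebAuthn-style sign-in check in Node.js. This is an added example, not code from Google or the FIDO Alliance; the simulated authenticator, the `example.com` names and the function names are assumptions, and signature counters and attestation are left out.

```javascript
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Simulated authenticator (an assumption for this example). It signs
// authenticatorData || SHA-256(clientDataJSON), as WebAuthn specifies.
function signAssertion(privateKey, rpId, origin, challenge, userVerified) {
  const flags = 0x01 | (userVerified ? 0x04 : 0x00); // UP bit, UV bit
  // rpIdHash (32 bytes) | flags (1 byte) | signature counter (4 bytes, zero here)
  const authData = Buffer.concat([sha256(rpId), Buffer.from([flags]), Buffer.alloc(4)]);
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin,
  }));
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { authData, clientDataJSON, signature: crypto.sign('sha256', signed, privateKey) };
}

// Relying-party check: returns 'ok' or the reason the assertion is rejected.
function verifyAssertion(publicKey, expected, assertion) {
  const client = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== expected.origin) return 'origin mismatch'; // phishing resistance
  if (!assertion.authData.subarray(0, 32).equals(sha256(expected.rpId))) return 'rpId mismatch';
  if ((assertion.authData[32] & 0x04) === 0) return 'user not verified'; // screen lock not used
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, assertion.signature) ? 'ok' : 'bad signature';
}

// Constructed sample run: one registered key pair, one fresh server challenge.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const expected = { rpId: 'example.com', origin: 'https://example.com',
    challenge: crypto.randomBytes(32) };
  const sign = (origin, challenge, uv) =>
    signAssertion(privateKey, expected.rpId, origin, challenge, uv);
  const noUv = sign(expected.origin, expected.challenge, false);
  const forged = { ...noUv, authData: Buffer.from(noUv.authData) };
  forged.authData[32] |= 0x04; // UV bit set after signing
  return {
    genuine: verifyAssertion(publicKey, expected, sign(expected.origin, expected.challenge, true)),
    otherOrigin: verifyAssertion(publicKey, expected, sign('https://login.example.net', expected.challenge, true)),
    staleChallenge: verifyAssertion(publicKey, expected, sign(expected.origin, crypto.randomBytes(32), true)),
    noScreenLock: verifyAssertion(publicKey, expected, noUv),
    flagsAltered: verifyAssertion(publicKey, expected, forged),
  };
}

console.log(demo());
```

Only a public key, a challenge and a signed flag byte reach the server; no biometric data or shared secret is involved. A production site would rely on a maintained WebAuthn library for these checks.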