By allowing passkey-only Google accounts, Google is taking a significant step toward our allegedly password-free future. A blog entry with the headline “The end of the password is finally here” says that Google has started rolling out support for passkeys across all major platforms for Google Accounts, and that they will be an additional sign-in option for users alongside passwords, 2-Step Verification (2SV), etc. As part of two-factor authentication, you could previously use a passkey with a Google account, but it was always in addition to a password. A passkey can now be used to access a Google account in place of a password.
If you’re unfamiliar with the new authentication mechanism, a passkey is a new method of logging into apps and websites that may one day take the place of a password. Humans first entered passwords into basic text boxes, typing a remembered word into the password field, and when the need for increased security arose, automation and complexity were gradually grafted onto those text boxes. The proper way to use a password today is to have a password manager put a random string of characters into the password box. Because few of us really type our passwords in anymore, passkeys remove the password box altogether.
Passkeys use the “WebAuthn” standard to have your operating system authenticate you directly to a website using a public-private keypair. The Google demo of how this would function on a phone looks fantastic; the standard box asks for your Google username, then requests a fingerprint to unlock the passkey system and log you in.
Consumer devices will soon be able to access Google services without a password, while business Google Workspace accounts will “soon” be able to activate passkeys for end users.
Passkeys are still not ready for widespread use
Even though Google has committed fully to passkeys, this does not imply that they are prepared for mass usage. First off, passkey support on some systems (including Windows, Linux, and Chrome OS) is not as developed as on others (like macOS, iOS, and Android). There is still much work to be done, but the official passkeys.dev website offers a helpful page that tracks platform-by-platform readiness. It would be awful to get locked out of your passkey-protected Google account on Chrome OS, which is likely to happen unless you switch back to a password.
The second problem is that passkeys sync through your operating system ecosystem rather than through a browser. This is a significant step backward from how passwords operate, and it does not appear likely to be resolved any time soon. Passwords today work differently: if I add a password to Chrome on Windows, it is instantly accessible on all of my devices with Chrome installed, including my Android phone, MacBook, iPhone, Chromebook, etc.
Passkeys are “synchronized to all the user’s other devices running the same OS platform,” according to the FIDO Alliance page [our emphasis]. This means that if I add a passkey to Chrome on Windows, it will only sync with other Microsoft operating systems because it will be added to the passkey store of the OS provider, Microsoft. Everything will sync and you won’t notice a difference if you just use Apple products. For the rest of us, who use Windows and Android, Android and Linux, or any other cross-OS-vendor combination, it will require a QR-code and Bluetooth-driven transfer process. The Big Tech corporations in control of passkeys don’t appear motivated to make them as frictionless and practical as passwords, which will be a significant barrier to their widespread adoption.
This entire synchronizing problem is confirmed by 1Password: “At the moment, passkeys on other platforms demand that you verify using a device from the same ecosystem. It is laborious and less secure to sync with other operating systems or provide passkeys when there are workarounds available, such as QR codes.” Apps like 1Password may or may not have received an invitation to the Big Tech passkey party. Although 1Password claims to be a member of the FIDO Alliance, a video on the page dedicated to passkeys claims that passkeys aren’t open enough. From the video: “The openness and interoperability that are promised by the current technologies are not fulfilled. Creating a password on an iPhone or Android device today is essentially impossible. Sharing it, moving it to another platform, or syncing it with your favourite password manager are not simple tasks. We can improve. We’re eager to show you what the future would entail if passwordless technology were more widely used because of this.”
There is a lot of “could” and “should” wording on 1Password’s passkey website, but a fix is being developed and should be available “this summer.”
Having such a significant cross-platform regression in the default setup—which is what most people would use—will substantially limit the appeal of passkeys, even if the firm manages to solve the issue of passkey synchronization for its own app.