Google rolls out passkeys for Chrome
Google has begun officially rolling out support for passkeys in its Chrome web browser. The tech giant’s next-generation passwordless login standard, available in version 108, first went into testing on Windows 11, macOS and Android around two months ago.
Passkeys require users to authenticate themselves during login by unlocking a nearby iOS or Android device with biometrics, thus removing the need for passwords. The development does, however, mean that websites are required to use the WebAuthn API in order to integrate passkey support.
The feature helps to eliminate the security issues associated with passwords: they are knowledge-based, awkward to use and remember, and easy for attackers to phish, harvest or replay. According to HYPR’s 2022 State of Passwordless Security Report, 89 per cent of organisations have experienced a phishing attack within the past year.
Commenting on the improved security features of passkeys, Google Product Manager Ali Sarraf said: "Passkeys are a significantly safer replacement for passwords and other phishable authentication factors. They cannot be reused, don't leak in server breaches, and protect users from phishing attacks."
Passkeys essentially create a one-of-a-kind cryptographic key pair that is associated with an app or website account when the account is registered. The public key is stored on the server, while the private key is securely housed on the device on which both keys were generated.
For Android, keys are uploaded either to Google Password Manager or to a third-party solution such as Dashlane or 1Password, in order to prevent users from being locked out. As passkeys become more ubiquitous, all major password managers are updating in order to support passwordless login. On iOS and macOS, passwords are synced with iCloud Keychain, with Microsoft Windows set to offer support for this service from 2023.
Earlier this year, Google software engineer Arnar Birgisson explained: "When a passkey is backed up, its private key is uploaded only in its encrypted form using an encryption key that is only accessible on the user's own devices."
This encryption means that passkeys are protected even from Google: in the event of a rogue actor operating within the company, the backed-up passkeys cannot be used to log in to the corresponding account or app without access to the user’s devices, where the decryption key lives.