Chrome browser users can now login securely without passwords. Yes, hopefully we are approaching towards password-less future. Following a testing stage that started in October 2022, Google integrated password-less secure login process into Chrome Stable M108.
Passkey is a unique digital credential that is stored on an individual’s phone, computer or other devices similar to USB security key. It is tied to a user account and a website or application. Passkeys allow users to authenticate without having to enter a username, password, or provide any additional authentication factor.
When a user wants to sign into a service that uses passkeys, their browser or operating system will help them select and use the right passkey. To make sure only the rightful owner can use a passkey, the system will ask them to unlock their device. This may be performed with biometrics (such as a fingerprint or facial recognition), PIN, or pattern. Biometrics are stored on user’s device and never leave that device.
Suppose I register on shopping portal using android or IOS mobile phone and choose biometric as passkey. Next time if I want to login onto the same shopping portal on someone else device/computer etc., in that case, I need not to use my passkey i.e., biometric to login. In this case shopping portal will generate a QR code and I need to scan that QR code using my mobile phone where in this biometric is stored. And job is done. Remember this passkey is not being stored into the website database, rather it is being stored on your device or cloud. I do browse and sign-out.
The user’s device generates a signature based on the passkey. This signature is used to verify the login credential between the origin and the passkey.
A user can sign into services on any device using a passkey, regardless of where the passkey is stored. For example, a passkey created on a mobile phone can be used to sign into a website on a separate laptop
Google explained that for additional security, passkey protocols prevent information shared with websites from being used for tracking. Only a securely generated code is exchanged with the website therefore, unlike a password, there’s nothing that could be leaked,”. A passkey on a phone can also be used to sign on to a nearby device. “For example, an Android user can sign into a passkey-enabled website using Safari on a Mac.”
Backed by the FIDO Alliance and tech giants such as Apple, Google, Microsoft and Facebook, passkeys for Chrome are essentially safer replacements for authentication methods and passwords. This technology aims to replace legacy authentication mechanisms such as passwords.
The passkey feature will work across both desktop and mobile devices running Windows 11, macOS, and Android. Additionally, Google is allowing users to sync their security key from Android to other devices while working on Chrome either through its own password manager or any supported third-party apps.
Passkeys provides an authentication procedure similar to unlocking a device. Passkey has been designed to offer a secure alternative to the traditional password mechanism and two-factor authentication methods. Google says passkeys are significantly safer and more secure than passwords and other phishable authentication factors.
Passkeys provide robust protection against phishing attacks, unlike SMS or an app based one-time passwords. Since passkeys are standardized, a single implementation enables a password less experience across different browsers and operating systems. The user experience can be as simple as auto filling a password form.
According to Google, the new technology will take some time to be adopted across different websites.