Article Details
Scrape Timestamp (UTC): 2023-10-10 12:53:07.627
Source: https://thehackernews.com/2023/10/google-adopts-passkeys-as-default-sign.html
Original Article Text
Google Adopts Passkeys as Default Sign-in Method for All Users
Google on Tuesday announced the ability for all users to set up passkeys by default, five months after it rolled out support for the FIDO Alliance-backed passwordless standard for Google Accounts on all platforms.
"This means the next time you sign in to your account, you'll start seeing prompts to create and use passkeys, simplifying your future sign-ins," Google's Sriram Karra and Christiaan Brand said. "It also means you'll see the 'skip password when possible' option toggled on in your Google Account settings."
Passkeys are a new form of authentication that entirely eliminates the need for usernames and passwords, or even for providing any additional authentication factor. In other words, it's a passwordless login mechanism that leverages public-key cryptography to authenticate users' access to websites and apps, with the private key saved securely in the device and the public key stored in the server.
Each passkey is unique and bound to a username and a specific service, meaning a user will have at least as many passkeys as they have accounts, although there can be multiple passkeys per account since passkeys function only within the confines of the same platform. A user can, therefore, have one passkey each on Android, iOS, and Windows for the same website.
Thus, when a user signs into a website or app that supports passkeys, a random challenge is created and sent to the client, which, in turn, prompts the individual to verify using their biometric or a PIN in order to sign the challenge using the private key and send it back to the server. Authentication is considered successful if the signed response can be validated using the associated public key.
The immediate benefit of passkeys is two-fold: they not only obviate the hassle of remembering passwords, but are also phishing-resistant, thereby safeguarding accounts against potential takeover attacks.
The development comes weeks after Microsoft officially began supporting passkeys in Windows 11 for improved account security. Other widely-used platforms like eBay and Uber have enabled passkey support in recent months.
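The challenge-and-response sign-in described above can be modelled in a few lines of Node.js. This is an added example, not code from Google or the FIDO Alliance, and it is a simplified model rather than the real WebAuthn message format: the Server and Device classes, the demo function, the 'alice' account and the example origins are all constructed for illustration.

```javascript
// Simplified model of a passkey sign-in; names and origins are constructed.
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

const ORIGIN = 'https://accounts.example'; // assumed relying-party origin

// Server side: holds only public keys and outstanding challenges.
class Server {
  constructor() { this.publicKeys = new Map(); this.pending = new Map(); }
  register(user, publicKey) { this.publicKeys.set(user, publicKey); }
  startLogin(user) {
    const challenge = randomBytes(32).toString('base64url');
    this.pending.set(user, challenge);
    return challenge;
  }
  finishLogin(user, { clientData, signature }) {
    const expected = this.pending.get(user);
    this.pending.delete(user); // single use, so a captured response cannot be replayed
    const publicKey = this.publicKeys.get(user);
    if (!expected || !publicKey) return false;
    const { challenge, origin } = JSON.parse(clientData);
    if (challenge !== expected || origin !== ORIGIN) return false;
    return verify('sha256', Buffer.from(clientData), publicKey, signature);
  }
}

// Client side: the private key never leaves the device.
class Device {
  constructor() {
    const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.publicKey = publicKey;
    this.privateKey = privateKey;
  }
  // The platform, not the page, records which origin asked for the signature.
  respond(challenge, origin) {
    const clientData = JSON.stringify({ challenge, origin });
    return { clientData, signature: sign('sha256', Buffer.from(clientData), this.privateKey) };
  }
}

function demo() {
  const server = new Server();
  const device = new Device();
  server.register('alice', device.publicKey);
  const good = device.respond(server.startLogin('alice'), ORIGIN);
  const genuine = server.finishLogin('alice', good);
  const replayed = server.finishLogin('alice', good); // challenge already consumed
  // Response signed while the user was on a look-alike origin.
  const lookalike = server.finishLogin('alice',
    device.respond(server.startLogin('alice'), 'https://accounts-example.test'));
  // Response signed by a key the server never registered for this account.
  const wrongKey = server.finishLogin('alice',
    new Device().respond(server.startLogin('alice'), ORIGIN));
  return { genuine, replayed, lookalike, wrongKey };
}
```

Only the first response is accepted; the replayed, wrong-origin and wrong-key responses are all rejected, which is the property behind the phishing resistance the article mentions.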
Daily Brief Summary
Google has announced the use of passkeys as the default sign-in method for all user accounts, leveraging the passwordless standard developed by the FIDO Alliance.
The shift will prompt users to set up passkeys upon next sign-in and will turn on the 'skip password when possible' option in Google Account settings.
Passkeys eliminate the need for usernames and passwords, utilising public-key cryptography to authenticate users' access to websites and apps.
Each passkey is unique and service-specific, so users will have at least as many passkeys as they have accounts. These passkeys function only within the confines of their own platform.
The system sends a random challenge to the client during login, prompting the user to verify through biometrics or a PIN, and authentication succeeds if the resulting signed response can be validated with the associated public key.
The use of passkeys not only simplifies the login process by removing the need for password recall, but also offers better phishing resistance and protection against potential takeover attacks.
Other major platforms such as Microsoft, eBay, and Uber have also recently incorporated passkey support to enhance user account security.