Google Adds Passkey Support to Chrome and Android
Google has added passkey support to Chrome and Android as of Wednesday, October 12. Currently, two capabilities are in beta: “Users can create and use passkeys on Android devices, which are securely synced through the Google Password Manager, [and] developers can build passkey support on their sites for end-users using Chrome via the WebAuthn API, on Android and other supported platforms.”
More progress away from reusable passwords is always a good thing. Password manager software products such as Dashlane have added passkey support as well. VPN/remote access providers should accelerate rolling out standards-based passkey support, as should all of the platform-as-a-service providers (such as in healthcare and retail), to make broad adoption happen faster.
Passkey is what most vendors are calling the FIDO-based implementation of strong (or phishing-resistant) MFA. Apple has already announced something similar, with Microsoft and other big vendors supporting the solution soon (if not already). This solution replaces traditional passwords and other versions of MFA with a public-key cryptography/biometric solution. While the backend technology can be quite complex, it greatly simplifies authentication for people as there are no passwords to manage; people simply authenticate via biometrics. To help me better understand all of this, I forced myself to write a blog explaining in very simple terms passkeys/phishing-resistant MFA: https://www.sans.org/blog/what-is-phishing-resistant-mfa/
As a transition to passwordless, these passkeys are essentially the public key that is verified by unlocking the private key on your device (e.g., Android) using biometric authentication. Google is making these cross-platform and encouraging developers to include support for passkeys in applications to raise the bar on “standard” logins.
I have concerns around passkey and its Apple equivalent. The concern isn't the technology per se; it's the extreme lock-in. Say you have several hundred passkeys. How easy would it be to migrate between systems? Do developers have to keep adding more and more identity provider integrations?
The excuses for the continued use of passwords are fast disappearing even as their contribution to breaches persists.