Security vulnerabilities are very scary: if a hacker has your username and password and you don’t have two-factor authentication, your account and its information could end up in the hands of a stranger. But keeping a strong password for each of our services can become an odyssey of imagination and mnemonics. To remedy this, Google got to work, and its passkeys are now a reality: Google has enabled passwordless login for all accounts. Is this the final goodbye to passwords?
Passkeys: an introduction
Let’s start at the beginning. In 2022, Apple, Google and Microsoft announced that they were working with the Fast IDentity Online (FIDO) Alliance to adopt a new way of logging in without a password. Passkeys are authentication credentials that are synced between your devices through a cloud service, and that same cloud service also stores an encrypted copy of the credentials.
In summary, these passkeys are generated using our device’s own authentication, so to access these applications or websites you only have to verify your identity with your face, your fingerprint or your PIN code. The aim, in the near future, is to eradicate the use of passwords, providing a more comfortable and secure way to log in to websites and apps. Apple implemented this feature with iOS 16 and Google did the same a few days ago.
Using biometric systems to access services does not mean that you send sensitive information to a server. Google explains it: “Biometric materials never leave the user’s personal device”. Also, they do not serve as a tracking vector to monitor users or devices the way a cookie does.
Google has been working on finding a substitute for passwords for some time, and it looks like it has finally taken the step. The fact that Apple and Microsoft are also involved allows us to believe that we have reached an industry standard with a baseline of security, storage, compatibility and deployment in our daily lives.
Although the above looks easy, in practice it is not. If you created a passkey for a website from your Android phone, ideally you would be able to sit down in front of your Mac and access that page… as long as you have your phone with you. And the same if you then move to your Windows desktop computer. Hold on to this example, because we’ll come back to it later.
Passkeys yes, password manager too
But passkeys are not a panacea. For starters, they’re pretty new, which means not all websites or applications accept them. It is likely that development teams will implement them within a few months, so it is worth keeping an eye on which services are compatible so that using passkeys makes sense. Finally, keep in mind that even if the use of passwords is drastically reduced, our phone’s PIN will continue to exist as the last bastion of passwords.
Additionally, websites will retain existing passwords, as passwords and passkeys will need to coexist long enough for everyone to have passkey-capable hardware and software. And even if a service now begins to offer passkeys, you may not be able to use them with all your devices. You can’t entrust everything to the phone.
What happens if I lose access to my mobile? A few years ago my phone was stolen just before I left on a trip to Greece. On it were my hotel reservation, my plane tickets and many other valuable documents that I had to retrieve from a telestore. With passkeys, this event would have had even more dramatic connotations.
In theory, not having access to your device is not a problem as long as you have other devices at hand that you can use to sign in instead. This is where password management systems like Google’s or iCloud Keychain come in handy. Either way, the recovery process should be robust enough to keep strangers out and, at the same time, not be a pain in the ass (especially if tech isn’t your thing). And the thieves? To access your information, they will first need to unlock the device.
A practical example: my partner and I share an Amazon account (it’s actually mine, but we both buy with it) to buy what we need when it suits us, taking advantage of specific offers. At first glance, this type of sharing seems complicated with passkeys. Apple lets you use AirDrop to share passkeys with other Apple devices. First things first: she uses an Android phone and Windows, while I have everything on Mac except my work phones. I imagine that sooner or later Google and Microsoft will implement similar tools, but the ideal would be to share passkeys across multiple devices regardless of operating system and brand. Another option is for websites to allow account sharing.
With all of the above, passwords and their weaknesses will remain. Surely there are sites and services that will make it possible to get rid of passwords in favor of passkeys, but who will take the plunge? It’s a leap in security, but it also means giving up something as “just in case” as the password. Let’s think twice, and rest assured that not everyone will do it (rightly so).
Given these scenarios, I (and surely many other people) still need a password manager to log in quickly, efficiently and securely, without spending minutes trying to remember passwords and resorting to trial and error, only to end up resetting the password from time to time.
Knowing that it is advisable to have a unique password for each service and that it must be long, with combinations of upper and lower case letters, numbers and special characters… remembering passwords is clearly not easy. But neither is generating them. And that is the other thing password managers do that I really appreciate: their ability to create multiple complex and unique passwords. Because everything indicates that passwords have not yet said their last word.
Home | Photo by Onur Binay on Unsplash