A future without passwords has been talked about for years. And although the project still has a long way to go, it is progressing. Google, for example, is preparing to support “passkeys”, a technology intended to replace passwords for registering and logging in to online services, on Android.
In an article published this week, the 9to5Google site presents an analysis of the code of the latest version of Google Play Services. In it, the outlet says it has discovered text strings that Google could use later when it adopts passkeys.
“Hello passkeys, goodbye passwords,” reads one of these strings. Another string discovered by 9to5Google explains that passkeys provide better protection than passwords, and also indicates that these keys are stored securely in the Google account.
What is a passkey?
The big downside to passwords is that users tend to use weak but easy to remember passwords and reuse the same passwords for multiple online services. This problem is already partially solved thanks to password managers (which allow you to have very complicated passwords without having to remember them) and two-factor authentication (which prevents hackers from accessing your account even if they have your password).
Nevertheless, the FIDO (Fast IDentity Online) Alliance, of which Apple and Google are members, wants to go further by allowing Internet users to access online services without having to enter a password. How? Through cryptographic keys.
“FIDO protocols use standard public key cryptography techniques to provide stronger authentication. When registering for an online service, the user’s client device creates a new key pair. It keeps the private key and registers the public key with the online service,” the FIDO Alliance site reads. “Authentication is performed by the client device proving possession of the private key to the service by signing a challenge. Customer private keys can only be used after being unlocked locally on the device by the user. Local unlocking is accomplished by a user-friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second factor device, or pressing a button.”
In other words, if this standard is widely adopted (by Apple, by Google, but also by online services), all you have to do to open your account on a website is to unlock your smartphone. It’s more convenient, but also more secure than using a password.
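The registration and challenge-signing exchange described in the FIDO quote can be sketched as follows. This is an added example, not code from the article, Google or the FIDO Alliance; it is a simplified model rather than the WebAuthn message format, and the names `Service`, `Device`, `demo` and the user `alice` are assumptions made for illustration.

```javascript
// Added illustration of the FIDO-style flow; names are hypothetical.
const crypto = require('node:crypto');

// Online service: holds only public keys and pending challenges.
class Service {
  constructor() {
    this.publicKeys = new Map();  // user -> public key (PEM)
    this.challenges = new Map();  // user -> outstanding challenge
  }
  register(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  issueChallenge(user) {
    const challenge = crypto.randomBytes(32);  // fresh and unpredictable
    this.challenges.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.challenges.get(user);
    const publicKey = this.publicKeys.get(user);
    this.challenges.delete(user);  // single use: a replayed signature fails
    if (!challenge || !publicKey) return false;
    return crypto.verify('sha256', challenge, publicKey, signature);
  }
}

// Client device: creates the key pair and keeps the private key.
class Device {
  constructor() {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // NIST P-256
    this.privateKey = privateKey;
    this.publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
  }
  // userUnlocked stands in for the local unlock step (fingerprint, PIN...).
  sign(challenge, userUnlocked) {
    if (!userUnlocked) throw new Error('key locked: local unlock required');
    return crypto.sign('sha256', challenge, this.privateKey);
  }
}

function demo() {
  const service = new Service();
  const device = new Device();
  service.register('alice', device.publicKeyPem);  // only the public key is sent
  const sig = device.sign(service.issueChallenge('alice'), true);
  const login = service.verify('alice', sig);      // valid signature
  const replay = service.verify('alice', sig);     // same signature, challenge consumed
  const other = new Device().sign(service.issueChallenge('alice'), true);
  const wrongKey = service.verify('alice', other); // signed by an unregistered key
  return { login, replay, wrongKey };
}
```

The service never stores a secret that could be reused elsewhere: a leak of its database exposes public keys only, and a captured signature is useless once its challenge has been consumed.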
On the other hand, the entire security of your online data will therefore depend on the security of your Google account or your Apple account. Also, to say that this will allow for a 100% password-free experience is misleading. Indeed, you will still need to remember the password for your Apple or Google account, but it will be the only password you will have to remember.
As a reminder, the Google I/O 2022 conference is scheduled for May 11 and 12. Is it possible that Google will present this novelty at this event?