Google introduces secure passkey synchronization across devices
Update, Sept. 20, 2024: This story, initially published on Sept. 19, has now been updated to include a detailed explanation on password cracking and hashing technologies.
As the future of secure logins, passkeys are being widely adopted. 1Password has described them as “nearly impossible for hackers to guess or intercept”, and Google has implemented them to “replace traditional hardware keys and two-factor authentication for those at high risk”. Recently, Google has taken a significant step forward by enabling secure passkey synchronization across various devices, including Chrome on Windows, macOS, Linux, and Android, with iOS support anticipated soon.
Prior to this development, although passkeys were acknowledged as simpler and more secure than traditional passwords, Google users could only store their passkeys in Android’s Password Manager. This limitation meant that using passkeys on other devices required scanning a QR code from your Android device, a cumbersome process that drove some users to consider alternative providers such as 1Password or Apple. However, this scenario is changing: Chirag Desai, a product manager for Chrome at Google, announced updates designed to streamline the user experience and eliminate the need for QR codes.
Once you save a passkey on any device, it will sync across all your devices, allowing you to sign into any service or account simply by scanning your fingerprint, Desai revealed. This synchronization is based on a new feature of the Google Password Manager involving a PIN, which enhances security. Desai emphasized that this setup ensures “your passkeys are end-to-end encrypted and cannot be accessed by anyone, not even Google.”
Google Password Manager’s newly introduced passkey creation PIN
To start using passkeys on a new Android device, you either need to enter your Google Password Manager PIN or use your device’s screen lock. Importantly, no additional apps are necessary since passkey support is integrated into Chrome and Android devices already.
Google’s recent declaration about a password-less login system couldn’t have been more timely. Although no solution is completely foolproof, adopting passkeys over traditional username and password combinations marks a significant advancement in security. Intriguing research from Gediminas Brencius, the head of product growth at NordPass by NordVPN, explores how cybercriminals attempt to crack stolen passwords, providing much food for thought.
Addressing the key issue straight away: if passwords are stored in plaintext, it’s akin to handing them directly to a cybercriminal. Many systems instead use a process called hashing, where a password is transformed by a mathematical function into a fixed-length digest, no matter the length of the original password. Crucially, this transformation is designed to be a one-way street: it’s straightforward to generate a hash from a password, but reversing it to recover the original password is extremely hard, though not entirely impossible. Because a given input always generates the same hash, an attacker who holds the hash can use brute-force methods, trying candidate passwords until one produces a matching hash, but this approach demands considerable time and computational power.
“Various hashing algorithms possess different levels of computational complexity, influencing how swiftly a hacker might crack the encrypted data,” noted Brencius. “bcrypt and Argon2, for example, are intentionally slow to prolong brute-force efforts, whereas MD5 or SHA-1 can be processed more rapidly.”
The speed with which passwords can be cracked is critical. With adequate computational resources, what seems nearly unachievable becomes feasible. “Ordinary consumer computers typically have between 4 to 64 cores and are suited for general tasks,” explained Brencius, “however, the more cores a system has, the more tasks it can handle concurrently.” This is why malicious entities often deploy networks of potent machines, each with several GPUs, facilitating access to thousands of computational cores. “Cybercriminals might utilize a network of compromised computers or employ cutting-edge hardware to break into systems,” Brencius elaborated, “and sometimes, particularly for high-stake targets, they might even rent the necessary capabilities.”
Thus, the recommended strategy for password creation is to use longer passwords. A random combination of 25 characters, or a passphrase made up of several unrelated words, substantially increases security over short, simplistic passwords. Now, the optimal protection involves using a passkey, coupling something a person knows with something they physically possess, making unauthorized access significantly harder.
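To make the hashing discussion above concrete, here is an added Go example (written for this article, not code from Google, NordPass or Brencius). It shows that a hash has a fixed length and is deterministic whatever the input, implements the iterated-HMAC mechanism that makes a password hash deliberately slow (PBKDF2, as a stand-in for the bcrypt/Argon2 the article mentions), and estimates how password length and hash cost change the time to exhaust the search space. The guess rates used in `main` are constructed assumptions, not measurements.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math"
)

// fastDigest is a plain, fast hash: the same input always gives the same fixed-length output,
// however long the input is. MD5 is used only to illustrate the fast end of the spectrum.
func fastDigest(password string) string {
	sum := md5.Sum([]byte(password)) // always 16 bytes
	return hex.EncodeToString(sum[:])
}

// pbkdf2Sha256 is a deliberately slow password hash: HMAC-SHA256 iterated `iters` times
// (RFC 8018 PBKDF2, first block only, so the output is one 32-byte digest). Hand-rolled here
// to show the mechanism; real systems should use a vetted library (bcrypt, Argon2, scrypt).
func pbkdf2Sha256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(append(append([]byte{}, salt...), 0, 0, 0, 1)) // U1 = PRF(P, S || INT(1))
	u := mac.Sum(nil)
	out := append([]byte{}, u...)
	for i := 1; i < iters; i++ { // U_i = PRF(P, U_{i-1}); result is the XOR of every U_i
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// secondsToExhaust estimates the time to try every password of the given length over an
// alphabet of `alphabet` symbols at `rate` guesses per second (rates in main are constructed).
func secondsToExhaust(alphabet, length int, rate float64) float64 {
	return math.Pow(float64(alphabet), float64(length)) / rate
}
func main() {
	fmt.Println(fastDigest("a"), fastDigest("a much longer password")) // both 32 hex chars
	fmt.Printf("%x\n", pbkdf2Sha256([]byte("password"), []byte("salt"), 600000))
	years := func(s float64) float64 { return s / (365 * 24 * 3600) }
	fmt.Printf("8 printable chars, fast hash at 1e10/s:   %.2g years\n", years(secondsToExhaust(95, 8, 1e10)))
	fmt.Printf("8 printable chars, 600k-iteration PBKDF2: %.2g years\n", years(secondsToExhaust(95, 8, 1e10/600000)))
	fmt.Printf("25 printable chars, fast hash at 1e10/s:  %.2g years\n", years(secondsToExhaust(95, 25, 1e10)))
}
```

The 600,000-iteration count multiplies the attacker's cost per guess by the same factor, which is exactly the lever bcrypt and Argon2 expose through their work-factor parameters.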
Passkeys originated as a joint Apple, Google and Microsoft initiative developed with the FIDO Alliance, an open industry association that aims to reduce people’s reliance on passwords. Based upon public key cryptographic protocols, the same as those that underpin hardware security keys, passkeys are considered phishing-resistant, which is of huge importance considering today’s threat landscape. Passkeys are “resistant to phishing and other online attacks,” Google said, “making them more secure than SMS, app-based one-time passwords and other forms of multi-factor authentication.”
A passkey credential is on-device, registered only once and then re-used as often as needed, using the device’s biometric user verification system, be that fingerprint or facial scanning. If no biometrics are available, then they can be used with a PIN code. The important thing is that it’s the possession of the device by the user, who authenticates as such with those biometrics, that makes passkeys secure. The remote server at the service, site or account you are trying to sign into will simply ask the user to activate their screen lock to complete the authentication process.
Passkeys are designed according to the FIDO Alliance standard, so any implementation can work seamlessly with any browser or operating system. Importantly, the user’s biometric screen lock data is never sent to the site you are logging into; Google will never see it. Instead, just the cryptographic proof that you’ve activated the screen lock successfully is transferred. You can try them out at Passkeys.io, where a simple demo account shows how easy they are to use and create.
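The challenge-response flow the last three paragraphs describe, as an added Go example written for this article (not Google's, the FIDO Alliance's or any browser's code). It models the device as an authenticator whose private keys are scoped to a relying-party ID and never leave it, with the screen-lock check as a local boolean; the server holds only public keys and verifies a signature over its own ID and a fresh challenge. The relying-party names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models the user's device: private keys are scoped to a relying-party ID (rpID)
// and never leave it, and the screen-lock / biometric check happens locally too.
type Authenticator struct{ creds map[string]*ecdsa.PrivateKey }
func NewAuthenticator() *Authenticator { return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}} }
// Register creates a passkey for rpID and hands back only the public key.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// Assert signs the challenge bound to rpID, but only after local user verification (userVerified stands
// in for the fingerprint/PIN prompt) and only if a key exists for that exact rpID: a lookalike site gets nothing.
func (a *Authenticator) Assert(rpID string, challenge []byte, userVerified bool) ([]byte, error) {
	if !userVerified {
		return nil, errors.New("screen lock not passed")
	}
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, errors.New("no passkey registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
}
// signedData ties one signature to one relying party and one fresh challenge (no replay).
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"\x00"), challenge...))
	return h[:]
}
// RelyingParty models the server: it holds public keys only and checks signatures over its own ID.
type RelyingParty struct{ ID string; keys map[string]*ecdsa.PublicKey } // keys: username -> public key

func NewRelyingParty(id string) *RelyingParty { return &RelyingParty{ID: id, keys: map[string]*ecdsa.PublicKey{}} }
func (rp *RelyingParty) NewChallenge() []byte  { c := make([]byte, 32); rand.Read(c); return c }
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.keys[user]
	return ok && ecdsa.VerifyASN1(pub, signedData(rp.ID, challenge), sig)
}
```

Nothing the server stores can be replayed or used to impersonate the user, and a lookalike site under a different ID never receives a signature at all, which is the property the article calls phishing resistance.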