Google validated the virtues of passkey authentication technology on Monday with an open beta version of passkey access that allows people and organizations around the world to sign into their Google Workspaces using passkeys. Google reports that nine million organizations now use Workspace.
Google is in step with many other companies in moving away from passwords and toward public/private key credentials, based on the FIDO standards (FIDO2), that are resistant to phishing exploits.
The company said passkeys will pair with on-device biometrics, like fingerprints and facial recognition. Passkeys are browser-agnostic and allow for authentication across devices. Google said its data from last spring shows passkeys are two times faster and four times less error-prone than passwords.
With public/private key pairs, the basis of the cryptographic system that allows password-free logins, the private key lives on the user's device, meaning it cannot be used unless the user has unlocked the device. While the private key is stored on the device, the public key is uploaded to Google.
Passkeys enabled by industry push in 2022
Google — along with Microsoft, Apple and others — announced last year that it would start to support passkeys and participate in their development with the Fast Identity Online Alliance, better known as the FIDO Alliance, and the World Wide Web Consortium standards.
At last year’s Worldwide Developers Conference, Apple announced it would be integrating passkey support into its next version of iOS this fall. This year, ahead of World Password Day, Google, Microsoft and Apple all reaffirmed their support for passkeys, with Google doing so across Google Accounts on all major platforms.
“Passkeys introduce meaningful security and usability benefits to users, and we’re thrilled to be the first major public cloud provider to bring this technology to our customers — from small businesses and large enterprises to schools and governments,” said the company in a statement.
Password managers moving to passkeys
Identity access management companies are retooling to support passkeys. As TechRepublic reported last week, 1Password began allowing passkey support using its browser tool and will soon allow passkey access to 1Password vaults. At the RSA conference this year, 1Password CEO Jeff Shiner said that he foresaw that Google’s move to a passwordless system would constitute a sea-change moment for the industry.
Cisco’s Duo authentication platform is introducing a number of passkey-based features, and in August, Dashlane introduced integrated passkey support in its security-first password manager and unveiled the first in-browser passkey solution.
At the RSA conference in April, Iva Blazina Vukelja, the vice president of product at Zero Trust at Duo, said companies are very ready to shift away from passwords.
“There are two big reasons to go passwordless,” she said. “Friction for corporate end users is a big one. When we started doing private previews and rolled out passkey authentication to a limited set of end users, we got feedback saying it was 75% less annoying than any other authentication methods. ‘Please roll it out,’ is what they said. End users love it.”
Rew Islam, the director of product engineering and innovation at Dashlane, which is part of the W3C working group for WebAuthn, pointed out that the underlying technology for public/private keys has been around for many years. However, the key event that made the migration to passkeys possible was the industry coming together to agree on a standard, “especially the big three platforms,” he said, adding that passkeys can be managed today in Dashlane using a Chromium-based extension. “We’ve had that since last summer,” he said. “We’re waiting for Android 14, and our app is ready for it.”
Few drawbacks to passkeys
When a user creates a passkey on a shared device, by default anyone who can use that device can also log in to that user’s account using the public/private key handshake, since they would presumably have biometric sign-on enabled on the device. Islam said this could introduce a problem with where the keys of individuals sharing that device reside.
“Can people access the keys of others on that shared device? I think there will eventually be solutions to this issue, but it’s not obvious how, let’s say, a family manages their passkeys if they’re sharing a Mac unless they’re maintaining separate user accounts on the actual operating system itself,” he said.
Google said if one loses a device with a passkey for a Google account and worries that the device can be unlocked, they can immediately revoke the passkey in account settings.
Okta last fall announced it was rolling out a passkey management feature that allows admins to block passkeys for new enrollments at an organizational level. This feature addresses a key problem for enterprises using passkeys: authorized users who sign on with an unmanaged device.
Mukul Hinge, the group product marketing manager of workforce identity at Okta, explained the feature in a blog post that offers a good overview of passkeys and the FIDO standards that enable them. He said the feature for Okta Classic and Okta Identity Engine prohibits a user from enrolling with a multi-device FIDO credential and preempts any potential risks of unmanaged and insecure devices accessing sensitive applications.
He explained that one could access sensitive applications with, for example, an unmanaged iPad using an older, vulnerable version of iOS that does not conform to the security posture requirements of the organization. “This is a serious security vulnerability. From an admin standpoint, this needs to be addressed immediately,” he said.
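One way a relying party can tell a multi-device passkey from a device-bound one at enrollment, shown as an added example that is not Okta's implementation or code from the original article: WebAuthn authenticator data carries a Backup Eligible (BE) flag that is set for credentials able to sync across devices. The function names and the `allowMultiDevice` policy option are assumptions, and the sample authenticator data is constructed.

```javascript
// Bits of the flags byte at offset 32 of WebAuthn authenticatorData.
const FLAGS = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40 };

function parseFlags(authData) {
  // rpIdHash (32) + flags (1) + signCount (4) is the minimum length.
  if (!Buffer.isBuffer(authData) || authData.length < 37) {
    throw new Error('authenticatorData shorter than 37 bytes');
  }
  const byte = authData[32];
  const f = Object.fromEntries(
    Object.entries(FLAGS).map(([name, bit]) => [name, (byte & bit) !== 0]));
  // A credential cannot be backed up (BS) unless it is backup eligible (BE).
  if (f.BS && !f.BE) throw new Error('invalid flags: BS set without BE');
  return f;
}

// Hypothetical enrollment policy: block syncable credentials unless allowed.
function enrollmentDecision(authData, policy = { allowMultiDevice: false }) {
  let f;
  try {
    f = parseFlags(authData);
  } catch (e) {
    return { allow: false, reason: e.message };
  }
  if (!f.AT) return { allow: false, reason: 'no attested credential data' };
  if (!f.UP || !f.UV) return { allow: false, reason: 'user not present or not verified' };
  if (f.BE && !policy.allowMultiDevice) {
    return { allow: false, reason: 'multi-device (backup-eligible) credential blocked' };
  }
  return { allow: true, reason: f.BE ? 'multi-device credential' : 'device-bound credential' };
}

// Constructed sample input: placeholder rpIdHash, chosen flags, zero signCount.
const sampleAuthData = (flags) =>
  Buffer.concat([Buffer.alloc(32, 0xaa), Buffer.from([flags]), Buffer.alloc(4)]);

function demo() {
  return {
    deviceBound: enrollmentDecision(sampleAuthData(0x45)),  // AT | UV | UP
    synced: enrollmentDecision(sampleAuthData(0x5d)),       // AT | BS | BE | UV | UP
    malformed: enrollmentDecision(sampleAuthData(0x55)),    // BS without BE
  };
}
console.log(demo());
```

The BE flag only says whether the credential can leave the device; it says nothing about whether the enrolling device is managed or patched, which needs attestation or device-management signals.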
Some platforms, like Apple, allow users to access accounts using a single passkey. For Apple, iCloud accounts allow the sharing of passkeys across various Apple devices, the point being that if one loses a device, they can access an account with passkeys on one of their other Apple devices.