Many of the leading tech players are working hard to get rid of traditional passwords, and a promising candidate that is supposed to replace them is called “passnøkler” (passkeys), which Digi.no has mentioned before.
The transition to passport keys has taken some time, but now one of the major players is taking a big step towards everyday, password-free living. on her official blog Namely, Google has announced that it has started rolling out Passkeys as a solution for logging into Google accounts.
It is based on FIDO technology
This means that you no longer need to use a password to log into your accounts.
Passkeys is a new solution that the three giants Google, Apple and Microsoft have officially devised and started implementing in their services.
technology developed FIDO Alliancemeans that users can log into online services simply by unlocking their mobile phone or other devices using the usual 2FA methods, such as a fingerprint, a PIN code, or a face scan.
In other words: If you are sitting at your computer and want to log into a FIDO-enabled service, you will receive a message to verify your mobile, at which point you authenticate yourself using mobile biometric solutions or a PIN code.
Safer and easier
The method works by the fact that the login data, thus called passkeys, are stored locally on the device. When you sign into an account, a private/public key pair is generated first for the website you’re logging into, which happens entirely locally on the device you’re using.
The public key is sent to the website where it is stored, while the private key is stored securely on the device used for authentication, such as a mobile phone. The next time you log in, the website creates a challenge that is signed with the private key, and then the full signature is sent to the website.
The website then uses a copy of the user’s public key to validate the signature.
One of the advantages of passkeys is that they are easy to use, because the user does not need to fill in or remember any of the login data. The solution is also more secure, as the private key is never shared with the website, and both keys are required to access the account.
Effective protection against phishing
If the hacker obtains the public key, the person concerned still cannot access, and the public key cannot be used to reveal the private key. Unlike passwords, passkeys are strong and unique by default, as they are not generated by the user themselves.
At the very least, the solution provides more or less foolproof protection against phishing attempts and other types of fraud attempts based on the user filling in sensitive data on fake websites.
Google has already launched support for passkeys for Chrome and Android (subscription required), and among the other services that support the technology is popular password service 1Password — which got support in February of this year.
Widespread use of the solution requires developers and other players to build support into their services, which is a lengthy process.
“Web specialist. Lifelong zombie maven. Coffee ninja. Hipster-friendly analyst.”
