Monday, June 23, 2025

Google pushes passkeys - RoboForm allows easy coordination across devices


What Is a Passkey?

A passkey is a digital credential, tied to a user account and a website or application. Passkeys allow users to authenticate without having to enter a username or password, or provide any additional authentication factor. Instead of typing a password, users can sign in to apps and websites with a biometric sensor (such as a fingerprint or facial recognition), PIN, or pattern.

How Passkeys Work

Passkeys use public-key cryptography - a system that creates two mathematically linked keys:

The Key Pair System:

  • When you create a passkey, your device generates a private key (stored securely on your device) and a public key (shared with the website)
  • Each key pair is specific to one website: the public half is shared with that site, and the private half stays on your device or in your password manager

The Authentication Process:

  1. When you try to sign in, the website sends a challenge to your device
  2. Your device uses the private key to solve this challenge
  3. The website checks the answer with the public key it holds; the challenge can only be solved by whoever has the private key, which is secret and never leaves your device
  4. You verify your identity using biometrics (fingerprint, face scan) or a PIN
  5. If everything matches, you're logged in

Key Security Advantages

Phishing Protection:

  • Passkeys protect users from phishing attacks. Passkeys work only on their registered websites and apps; a user cannot be tricked into authenticating on a deceptive site, because the browser or OS checks that the site matches the one the passkey was registered for

Unguessable and Unstealable:

  • Passkeys are nearly impossible for hackers to guess or intercept, because the keys are randomly generated and the private key is never sent during the sign-in process
  • Unlike passwords, passkeys exist only on your devices. They can't be written down or accidentally given to a bad actor

Data Breach Protection:

  • Developers save only a public key to the server instead of a password, so breaking into the server is far less valuable to a bad actor, and there is far less cleanup to do in the event of a breach
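To make the key-pair and challenge-response steps above concrete, and to show why a look-alike site, a replayed response, or a stolen server record gets an attacker nothing, here is a small Go program. It is an added example and is not code from Google, RoboForm, or this post. It simplifies what the browser actually signs: real WebAuthn signs the authenticator data together with a hash of client data that contains the origin, whereas this example hashes the site identifier and the challenge together. The site names (`login.example`, `login-example.phish.invalid`) and the function names (`register`, `respond`, `verify`) are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// registration is everything the website keeps after a passkey is created:
// the site identifier and the PUBLIC key only. A breach of this record gives
// an attacker nothing they can sign with.
type registration struct {
	rpID   string
	pubKey *ecdsa.PublicKey
}

// authenticator is the user's side (device or password manager). The private
// key lives here and is never sent anywhere.
type authenticator struct {
	rpID    string
	privKey *ecdsa.PrivateKey
}

// register creates a fresh P-256 key pair bound to one site (rpID) and hands
// the private half to the user and the public half to the server.
func register(rpID string) (*authenticator, *registration, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &authenticator{rpID: rpID, privKey: priv},
		&registration{rpID: rpID, pubKey: &priv.PublicKey}, nil
}

// newChallenge is what the server sends at sign-in: 32 fresh random bytes,
// so a response captured once cannot be replayed later.
func newChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData binds the challenge to the site the browser is really on
// (simplified stand-in for WebAuthn's authenticatorData || hash(clientData)).
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write([]byte{0}) // separator so site and challenge cannot run together
	h.Write(challenge)
	return h.Sum(nil)
}

// respond is the client step. The browser/OS supplies the origin the user is
// on; the authenticator only offers the passkey when it matches the site the
// key was registered for. This is the phishing protection.
func (a *authenticator) respond(origin string, challenge []byte) ([]byte, bool) {
	if origin != a.rpID {
		return nil, false
	}
	sig, err := ecdsa.SignASN1(rand.Reader, a.privKey, signedData(origin, challenge))
	if err != nil {
		return nil, false
	}
	return sig, true
}

// verify is the server step: check the response with the stored public key.
func (r *registration) verify(challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(r.pubKey, signedData(r.rpID, challenge), sig)
}

func main() {
	auth, reg, err := register("login.example") // constructed site name
	if err != nil {
		panic(err)
	}
	ch, _ := newChallenge()
	sig, ok := auth.respond("login.example", ch)
	fmt.Println("genuine site: passkey offered =", ok, ", server accepts =", reg.verify(ch, sig))

	_, ok = auth.respond("login-example.phish.invalid", ch) // constructed look-alike
	fmt.Println("look-alike site: passkey offered =", ok)

	ch2, _ := newChallenge()
	fmt.Println("old response replayed against a new challenge accepted =", reg.verify(ch2, sig))
}
```

Running it prints that the genuine site gets a response the server accepts, the look-alike site gets no response at all, and a captured response fails against the next challenge. Note that the password-manager case from later in this post (a passkey synced to several devices) changes only where the `authenticator` value is stored, not the exchange itself.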

Privacy and Storage

Local Storage:

  • Your biometric data, used for fingerprint or face unlock, stays on your device and is never shared with Google
  • The private key never leaves your device, ensuring your authentication data remains private

Cross-Device Usage:

  • Users aren't restricted to using the passkeys only on the device where they're available—passkeys available on phones can be used when logging into a laptop, even if the passkey isn't synchronized to the laptop, as long as the phone is near the laptop and the user approves the sign-in on the phone

The User Experience

From a user's perspective, signing in with a passkey is simple:

  1. Go to a website and enter your username
  2. Instead of typing a password, you'll see a prompt to use your passkey
  3. Unlock your device using your fingerprint, face scan, or PIN
  4. You're instantly logged in

Passkeys are 4x simpler to use since they don't need to be remembered or typed. You just use your fingerprint, face scan, or screen lock to sign in across all your devices and platforms.

Passkeys represent a significant step toward a passwordless future, combining enhanced security with improved user experience by eliminating the need to remember complex passwords while providing stronger protection against modern cyber threats.

What Gmail Account Holders Need to Do

Gmail users are not required to set up passkeys, but Google has started promoting passkeys as the default login option for Google accounts and strongly recommends them for enhanced security. Here's what users should know:

Setting Up Passkeys:

  • You can create passkeys only on personal devices that you control
  • Device requirements include laptops or desktops running at least Windows 10, macOS Ventura, or ChromeOS 109, and phones running at least iOS 16 or Android 9
  • To create passkeys on multiple devices, repeat these steps from those devices
  • You'll need one passkey per device, unless the device has some mechanism to "synchronize" passkeys to other devices already, like with Apple iCloud

Important Considerations:

  • When you create a passkey, you opt in to a passkey-first, password-less sign-in experience
  • Once you create a passkey on a device, anyone who can unlock the device can sign back into your Google Account with the passkey
  • You can continue to log in using your traditional login method, which in most cases is your username and password

How RoboForm Handles Passkeys Across Multiple Devices

RoboForm offers a significant advantage for passkey management across devices:

Cross-Device Synchronization:

  • Storing passkeys in RoboForm allows you to use your passkeys on every device that RoboForm is installed on, not just the device the passkey was created on
  • This removes the need to create multiple passkeys and save them in the individually managed providers on each device
  • They sync across every device with RoboForm installed (desktop apps, browser extensions, and mobile apps; the mobile apps require iOS 17 or Android 14 or later), so you don't need a separate passkey for each device

Platform Support:

  • RoboForm supports passkeys in its desktop apps, standalone browser extensions, and mobile apps. For the mobile apps, iOS 17 or Android 14 or later is required

Setup Process:

  • When generating a new passkey for an existing account or during the setup of a new one, RoboForm will prompt you to save the newly created passkey
  • If you have previously saved a RoboForm Login for this online account, the newly generated passkey will be integrated into it

Bottom Line: While Gmail users aren't forced to use passkeys, Google strongly encourages their adoption for better security. RoboForm provides a significant advantage by allowing passkeys to sync across all your devices, eliminating the need to create separate passkeys on each device—something that native device storage doesn't offer.
