Google has created something called a “digital passkey” to replace passwords.
Given that many Techs harbor a perverse view that poking at obscure bits of software in unnecessary ways is somehow fun, I dread the results of this likely-misplaced-endeavor.
Dopers, what is the skinny on this stuff, why do it, how do I avoid using it (until the bugs are worked out), and what do I do if it goes wrong, & locks me out of my devices?
I haven’t tried it yet. But the idea is that it creates a unique code on your device that is transmitted to authenticate you. The trick is that your device must be configured to unlock with biometrics or PIN (or I suppose a pattern on Android). If you do not turn on device locking then you can’t use the passkey.
You can also use your mobile device to authenticate when you login to Google on any other device. You go to a desktop browser and login to Google, and a pop-up appears on your phone, you use your biometric/PIN to authenticate, and Google logs you in on the browser. Even if you activate a passkey on your phone, you will still have the option of using passwords on other devices.
Why? You would do it so you don’t have to manage a password. I predict that passwords will become obsolete before long. People are terrible at making secure passwords and now-pointless restrictions on including special characters, etc., make passwords hard to remember so…people write them down.
How? Avoiding it is easy. Just don’t create a passkey. It’s not automatic, you have to opt in.
What? It can’t lock you out of your device. You don’t use it to manage your device itself, only the Google services that your device connects to. It comes into play only after your device is unlocked. In fact the whole assumption is that your device is secure, so if it’s unlocked it must be you using it. Worst case is you can’t connect to Google internet services.
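To make the mechanism above concrete, here is an added example (not part of this thread and not Google's code): the phone holds a private key that will only sign once the screen lock is passed, the service stores nothing but the public key, and login is a signature over a fresh random challenge rather than a transmitted secret. The `Device`, `Service` and `SyncTo` names are a constructed model built on Go's standard Ed25519; it also shows why a brand-new unsynced phone cannot sign in while a synced one can.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Device models a phone holding a passkey private key that is usable
// only after the screen lock (PIN/biometric) has been passed. Constructed model.
type Device struct {
	Unlocked bool
	priv     ed25519.PrivateKey
}

// NewDevice generates a fresh key pair, as a brand-new, unsynced phone would.
func NewDevice() *Device {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv: priv}
}

// SyncTo models password-manager sync: the same key lands on a new signed-in device.
func (d *Device) SyncTo() *Device { return &Device{priv: append(ed25519.PrivateKey(nil), d.priv...)} }
// PublicKey is what the service stores at registration; the private key never leaves the device.
func (d *Device) PublicKey() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

// Sign answers a login challenge, refusing while the device is locked.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	if !d.Unlocked {
		return nil, errors.New("device locked: PIN/biometric required")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// Service stores one public key per user and issues a fresh random challenge per login.
type Service struct{ keys map[string]ed25519.PublicKey }

func NewService() *Service                                     { return &Service{keys: map[string]ed25519.PublicKey{}} }
func (s *Service) Register(user string, pub ed25519.PublicKey) { s.keys[user] = pub }
func (s *Service) Challenge() []byte                           { c := make([]byte, 32); rand.Read(c); return c }

// Verify succeeds only for a signature by the registered key over this exact challenge.
func (s *Service) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.keys[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}
```

Because each challenge is random and signed only by the enrolled key, a captured signature cannot be replayed and a device with a different key (a new phone that was never synced) is simply rejected.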
Security should be a combination of “something you have” and “something you know”. So in this case it would appear to be “your phone” and “your PIN/biometric ID”.
For secure facilities it is often “your badge” + “your PIN/biometric ID”.
Passwords are the worst, since they are just “something you know” and often not even that since simple ones are easily guessed/hacked and complicated ones have to be written down.
On Chrome on Android, passkeys are stored in the Google Password Manager, which synchronizes passkeys between the user’s Android devices that are signed into the same Google account.
Yes, but the point is if your phone is broken or lost, you can get a new phone, sign it into your Google account, and get your passkeys back. They’re not lost the way they would be if they were just stored in the phone’s memory.
Your phone is a cache.
The authentication is that you have exclusive control of your phone number. New phone, new SIM even. The root of the identification is that your telco believes who you are. This is in itself a problem.
My phone died, new one is in transit but won’t come until Monday.
I have a work phone that can limp me through the weekend. I tried signing into my google acct so at least I have access to my contacts list. I tried doing this from home where my PC is also signed in. Nope, first it asked me to use three phones ago, then it asked me to use my until-a-couple-of-days-ago phone. There is no way around this, even when I chose the ‘it was me’ option to the suspicious login email I got on my PC! If I’m at home I can pull up any contact I want from my PC but the minute I go out today I’m SOL.
Google lets you create backup codes, for precisely this occurrence. These are eight-digit codes that you key in place of your phone or other device. Of course, this necessitates actually creating the codes before you lose your device and storing them in a safe place.
I ran into the problem with using phones for security when we moved from Taiwan to Japan. My Taiwan phone number was disabled and it was quite a pain to get certain things verified.
I don’t usually check my personal email at work, but yesterday I had a good reason to do so. My phone, for whatever reason, wasn’t picking up the towers (or more likely, was picking up only some other carrier’s towers, since it said “emergency calls only”), so I decided that I had a good enough reason to log in on my work computer. Which, of course, wanted to verify by sending a code to my phone which wasn’t working at the moment.
If the purpose of a passkey is to replace the password, but require the phone, how does this work?
Bad enough that some services require the two-part authentication via a text message. Again, no phone no can do…
Sillier, my wife has an iPhone app that provides a time-sensitive code along with her password for remote work login. First it made her change to a 6-digit PIN. Then it made her delete TikTok. The other day it required her to change her PIN (You have used the same PIN for too long). Fortunately, it did not stop her from immediately reverting to the original PIN 5 minutes later. Ah, security…
I had a coworker whose trick around the password repetition limit was to use Onze11!, Douze12!, Treize13!, Quatorze14!, etc.
SIM hijack. Someone goes into a cellphone store and says "I lost my phone…" gets a replacement phone and SIM with your phone number (thus disabling yours). They now get the text messages for validating logins or changing passwords that you would have gotten. There was some debate whether the store employee in such a case was simply stupid or accepting a payoff. Theoretically now they require some sort of ID, etc.
I haven’t seen this in practice, so I don’t know for sure, but from what I’m gathering you can sign in to your Google account with a fingerprint (or perhaps a password if your phone doesn’t have a fingerprint sensor). It’s like password managers, that have one master password to get access to your password vault.
So basically you have to set up multiple devices to all chime with a text message if you try to login, thus allowing the theft of any one device to compromise your login…
And you have to rely on your favourite web services to have humans to answer the help line phone and sort things out if you lose the only device that does your MFA.
Simple thing - for things like banking on my phone, I must enter my (not same as other stuff) password every time.
I guess the question is - if I get a new iPhone and create a new fingerprint ID on it (same finger) does it create a token identical to my previous iPhone? Or is the phone ID also wrapped up in that encoding?