RIP passwords? Passkey support is rolling out to stable Chrome


Passkeys are here to (try to) kill the password. Following Google’s beta rollout of the feature in October, passkeys are now coming to stable Chrome in M108. Passkeys are built on industry standards and supported by all the major platform providers – Google, Apple, Microsoft – as well as the FIDO Alliance. Google’s latest blog says, “With the latest version of Chrome, we’re enabling passkeys on Windows 11, macOS, and Android.” Google Password Manager on Android is ready to sync all your passkeys to the cloud, and if you can meet all the hardware requirements and find a supporting service, you can now log in with a passkey.

Passkeys are the next step in the evolution of password managers. Today, password managers are a bit of a hack – the password text box was originally meant to be filled in manually by a human, and you were expected to remember your password. Then password managers started to automate this typing and remembering, making it easier to use longer and more secure passwords. The correct way to handle a password field today is to have your password manager generate a string of random, non-memorable junk characters to paste into the password field. A passkey gets rid of that legacy text box interface and instead stores a secret, passes it to a website, and if it matches, you’re logged in. Instead of passing a randomly generated string of text, passkeys use the “WebAuthn” standard to generate a public-private key pair, much like SSH.

The passkey process works much like autofill.

Ron Amadeo

Compatibility issues aside, passkeys offer big advantages over passwords. While passwords can be used insecurely, with short strings of text shared across many sites, a passkey is always enforced to be unique in content and secure in length. If a server breach occurs, the hacker doesn’t get your private key, so it’s not a security issue the way a leaked password would be. Passkeys aren’t phishable, and because they require your phone to be physically present (!!), some random hacker on the other side of the world can’t log into your account anyway.
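The key-pair login and the breach and phishing properties described in the two paragraphs above, as an added example (not code from the article, Google or Chrome). It is a simplified Node.js model of WebAuthn's challenge-response in which the site receives a signature over the challenge and origin rather than the private key; the class names, JSON message layout and `login.example` are assumptions, and real WebAuthn uses CBOR structures and authenticator data.

```javascript
const nodeCrypto = require("node:crypto");
// Authenticator (phone or platform keystore): one key pair per site.
class Authenticator {
  constructor() { this.keys = new Map(); } // site hostname -> private key
  register(rpId) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(rpId, privateKey); // never leaves the authenticator
    return publicKey.export({ type: "spki", format: "pem" });
  }
  // `origin` is reported by the browser, not chosen by the page asking for a login.
  sign(origin, challenge) {
    const key = this.keys.get(new URL(origin).hostname);
    if (!key) return null; // no passkey scoped to this site
    const clientData = JSON.stringify({ type: "webauthn.get", origin, challenge });
    return { clientData, signature: nodeCrypto.sign("sha256", Buffer.from(clientData), key) };
  }
}

// Relying party (the website): stores public keys only.
class Server {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Map(); }
  enroll(user, publicKeyPem) { this.users.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32).toString("hex");
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, assertion) {
    const expected = this.pending.get(user);
    this.pending.delete(user); // each challenge is single use
    if (!assertion || !expected || !this.users.has(user)) return false;
    const data = JSON.parse(assertion.clientData);
    if (data.type !== "webauthn.get" || data.challenge !== expected ||
        data.origin !== this.origin) return false;
    return nodeCrypto.verify("sha256", Buffer.from(assertion.clientData),
                             this.users.get(user), assertion.signature);
  }
}

// Constructed scenario: "login.example" and "alice" are placeholders.
function demo() {
  const phone = new Authenticator(), site = new Server("https://login.example");
  site.enroll("alice", phone.register("login.example"));
  const good = phone.sign("https://login.example", site.newChallenge("alice"));
  const out = { login: site.verify("alice", good), replay: site.verify("alice", good) };
  out.lookalike = site.verify("alice", phone.sign("https://login.example.test", site.newChallenge("alice")));
  out.serverHasPrivateKey = [...site.users.values()].some((pem) => pem.includes("PRIVATE"));
  return out;
}
```

`demo()` reports a successful login, a rejected replay of the same assertion, a rejected look-alike origin, and confirms that the server's stored record contains no private key.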

You can authenticate a Chrome instance with iOS in all ecosystems, but you will need to use a QR code.


So let’s talk about compatibility, starting with this phone requirement. Passkeys require an Android or iOS smartphone, even if you’re signing in on a laptop or PC. The first time you set up an account on a new device, you need to make sure your authenticating device (your smartphone) is near whatever you’re signing in to. This proximity check happens via Bluetooth. Passkey backers are really aggressive about pointing out that sensitive data isn’t transferred over Bluetooth – it’s just used for proximity verification – but you’ll still need to deal with Bluetooth connectivity issues to get started.

When logging into an existing account on a new device, you also need to choose the device you want to pull a passkey from (probably also your phone) – if the two devices are in the same big-tech ecosystem, you’ll hopefully see a nice device menu, but if not, you’ll have to use a QR code.

Chrome’s OS support for passkeys, which incredibly does not include Chrome OS.

Second big problem: did everyone catch that OS list up top? Google supports passkeys on Windows 11, not Windows 10, which will make this a tough sell. Statcounter has Windows 11 at 16% of the total Windows install base, with Windows 10 at 70%. So if you create a passkey account, you can only log in on newer Windows computers.

Passkeys are stored in each platform’s built-in keystore, i.e. Keychain on iOS and macOS, Google Password Manager (or a third-party app) on Android, and “Windows Hello” on Windows 11. Some of these platforms have key synchronization across devices, and some don’t. So signing in to an Apple device should sync your passkey access to other Apple devices via iCloud, and the same goes for Android via a Google account, but not Windows or Linux or Chrome OS. Syncing, by the way, is your escape if you lose your phone. Everything is always backed up to your Google or Apple account.

Google’s documentation usually doesn’t mention Chrome OS at all, but Google says, “We’re working on enabling passkeys on [Chrome for] iOS and Chrome OS.” There is no support for Android apps yet, but Google is also working on it.

The Chrome passkey screen looks like the normal password manager, but without the text boxes.

Now that this is actually working on Chrome 108 and a supported OS, you should be able to see the passkey screen under the “Autofill” section of Chrome settings (or try pasting chrome://settings/passkeys in the address bar). Next, we’ll need more websites and services to support using a passkey instead of a password to log in. You cannot yet replace your password. Everyone’s passkey example is the passkeys.io demo site, which we have a walkthrough of here.
