Passwords have got to be one of the weirdest things we’ve integrated into our daily lives. Almost every site you visit asks for a login, so we’re left guessing which of the piles of passwords it wants. You might have a password manager to help you deal with all this, which usually needs its own unique password, but these do tend to be safer when hacked. As a kid I thought passwords were relegated to fiction, as likely to crop up in ordinary life as quicksand. While they’re a constant part of my daily life now, passwords may soon be sent back to the storybooks where they belong.
The Guardian reports Google is set to begin rolling out passkey technology, a replacement for passwords that will hopefully make everyone’s lives a little easier. This tech isn’t brand new; Apple and Microsoft have both already started using it. But a giant like Google bringing passkeys to its account system could well mark the beginning of the end for passwords.
Rather than requiring you to remember a string of characters, a passkey works by allocating a cryptographic private key to a particular device. This lets you use biometric logins or PIN codes to manage logging into services from that device. Apps can also share this key to multiple devices, or users can create a unique one per device. Google checks a signature made with this key against its own stored public key to make sure you’re you.
This shifts all the hassle of remembering complicated strings to your device rather than your brain. If you’re logging into a website on your phone, then your phone will use your stored key to sign the website’s unique login challenge, generating a unique signature. Google can then verify the signature against its public key and log you in. This means the key stored on the device is never actually shared; only the generated signatures are ever visible.
This is great for preventing things like phishing scams that trick users into clicking a link and entering their password into a fake site. This way, rather than getting your password, these kinds of exploits should only ever get a generated signature, and it’s unlikely bad actors will be able to do much with that. The passkeys will be unique to each service too, giving an extra layer of protection. Still, until passkeys come out, here’s a reminder to upgrade your passwords and make them different for every site.
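The sign-and-verify flow described above, as an added example that is not from the original article or from Google: a simplified Node.js model of the idea, not the real WebAuthn protocol. The `Device` and `Service` classes, the origins and the user name are constructed for illustration.

```javascript
// Simplified passkey-style challenge/response (illustrative model, not real WebAuthn).
const crypto = require("node:crypto");
// The signed message binds the challenge to the origin the device actually saw.
function signedData(origin, challenge) {
  return Buffer.concat([crypto.createHash("sha256").update(origin).digest(), challenge]);
}

// Device side: one key pair per origin; private keys never leave this object.
class Device {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
    this.keys.set(origin, privateKey);
    return publicKey; // only the public half is handed to the service
  }
  sign(origin, challenge) {
    const key = this.keys.get(origin); // undefined for an origin never registered
    return key ? crypto.sign(null, signedData(origin, challenge), key) : null;
  }
}

// Service side: stores public keys, issues single-use challenges, verifies signatures.
class Service {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Set(); }
  enroll(user, publicKey) { this.users.set(user, publicKey); }
  newChallenge() {
    const c = crypto.randomBytes(32);
    this.pending.add(c.toString("hex"));
    return c;
  }
  verify(user, challenge, signature) {
    const publicKey = this.users.get(user);
    if (!publicKey || !signature) return false;
    if (!this.pending.delete(challenge.toString("hex"))) return false; // unknown or reused
    return crypto.verify(null, signedData(this.origin, challenge), publicKey, signature);
  }
}

function demo() {
  const device = new Device();
  const site = new Service("https://accounts.example"); // constructed origin
  site.enroll("alice", device.register(site.origin));
  const c1 = site.newChallenge();
  const sig = device.sign(site.origin, c1);
  const login = site.verify("alice", c1, sig);
  const replay = site.verify("alice", c1, sig); // same signature, challenge already spent
  const c2 = site.newChallenge(); // relayed through a look-alike origin the device never registered
  const phished = site.verify("alice", c2, device.sign("https://lookalike.test", c2));
  return { login, replay, phished }; // { login: true, replay: false, phished: false }
}
```

The service only ever stores the public key and sees signatures, so a breach of its database or a captured login exchange yields nothing that can be replayed elsewhere.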
This system allows users to automatically have unique encrypted ways to access every service they use. Because people create passwords and need to remember them, it’s pretty common that we repeat similar ones, or worse, the same one across multiple accounts. Even CEOs are known for having some super easy passwords. Because of this, passwords are often leaked or hacked from one site, and then used to log in to other sites.
The good news is passkeys aren’t completely locked down to one device either. You can share the key to a new device with a code, and then verify the devices are within range of each other using Bluetooth. Access from devices can also be revoked in account settings, making it easy to secure yourself from lost or stolen items so long as you can log in somewhere else.
The change won’t be immediate and passkey tech still needs some testing, but it looks like we might live to see the day we’re done with pesky unsafe passwords. With AI already able to crack some of the most common passwords instantly and quantum computing not far down the line, it’s high time we moved on to something safer and easier for humans to cope with, and much more difficult for computers.