Update, Sept. 20, 2024: This story, originally published Sept. 19, now includes an explainer regarding password cracking and the use of hashes.
Passkeys are, without a doubt, the future of login security. 1Password has called them “nearly impossible for hackers to guess or intercept” and Google uses them to replace hardware key and two-factor authentication for high-risk users. Now Google has gone one step further in this move to a passwordless future: secure syncing across devices with Chrome on Windows, macOS, Linux and Android platforms right now, with iOS still in development but promised soon.
Google Announces Secure Passkey Sign-In Across (Nearly) All Your Devices
Until today, although pretty much everyone agrees that passkeys are both more straightforward to use and more secure than traditional password logins, Google only allowed you to save your passkeys to the Password Manager using Android. Sure, you could use them wherever you liked, but that involved scanning a QR code on your Android device, which, I can say from personal experience, made me look for alternative passkey providers such as 1Password and Apple. All that has changed with a new announcement by Chirag Desai, a Chrome product manager at Google, concerning updates that are now rolling out to make the experience as hassle-free as it should be. No QR codes required.
Once a passkey has been saved, no matter which device you used to do so, it will then automatically sync across your other devices so as to make signing in to any account or service just a matter of scanning your fingerprint, Desai announced. Once a passkey has been saved, no matter which device you used to do so, it will then automatically sync across your other devices so as to make signing in to any account or service just a matter of scanning your fingerprint, Desai announced. This new syncing ability revolves around a new Google Password Manager PIN that adds another layer of security to the process, ensuring “your passkeys are end-to-end encrypted and can’t be accessed by anyone, not even Google,” Desai said.
You will need to have either your Google Password Manager PIN or use the screen lock on your device when starting to use passkeys for the first time on a new Android device. However, no new apps are required as passkey support is already built into both Chrome and Android devices.
How Hackers Crack Your Passwords
If a new announcement about login authorization without passwords ever came at the right time, it’s Google’s one. Although no technology can ever be 100% secure, using a passkey instead of a username and password combo is a massive step towards a more secure process. New research from Gediminas Brencius, head of product growth at NordPass, the password manager from well-known VPN provider NordVPN, delves into the techniques threat actors use to crack stolen passwords—and it’s thought-provoking stuff.
Let’s get the elephant in the room out of the way immediately: if your password is stored as plaintext, then you may as well have just messaged it to a hacker. Most services will employ something known as hashing, a one-way mathematical function that converts a variable-length plaintext password string into a binary sequence with a fixed length. No matter how long your password or passphrase is, the hash will always be the same fixed length. The one-way thing is essential here, as it’s easy to convert the password into the hash but extremely difficult to reverse the process; difficult, but not impossible. Because every input will produce the same hash output, it’s possible to brute-force, through trial and error, what a complete hashed password looks like, but it takes a significant amount of time and computing resources.
“Different hashing algorithms have different computational complexities, which affect how quickly a hacker could guess the encrypted values,” Brencius said, “bcrypt and Argon2 algorithms are designed to be slow so as to make brute force attacks more difficult while MD5 or SHA-1 can be computed faster.”
Speed is, quite literally, of the essence when talking about cracking passwords. The all but impossible becomes within the realms of doability with enough computing power. “Standard personal computers are designed for general-purpose computing and have a limited number of cores, usually 4 to 64,” Brencius said, “the more cores they have — the more parallel tasks they can run at the same time.” Which is why threat actors will look to using networks of high-powered devices running multiple graphics cards, to give access to thousands of cores. “They employ a whole network of infected machines or use the most powerful computers to crack passwords,” according to Brenicus, “they do not always own this hardware — in some cases, especially if the target is of significant importance, they can rent the required tools.”
This is why the advice when it comes to password creation will always be to make them longer. A standard password string of 25 random characters, mixing up the keyboard types, or a passphrase combining multiple random words, will be ridiculously harder to crack than a short, simple one. Of course, the advice now should be to always use a passkey where available as the hacker would need access to your biometrics and your device to crack one of those.
Passkey Technology Explained
Passkeys originated as a joint Apple, Google and Microsoft initiative developed with the FIDO Alliance, an open industry association that aims to reduce people’s reliance on passwords. Based upon public key cryptographic protocols, the same as those that underpin hardware security keys, passkeys are considered phishing-resistant, which is of huge importance considering today’s threat landscape. Passkeys are “resistant to phishing and other online attacks,” Google said, “making them more secure than SMS, app-based one-time passwords and other forms of multi-factor authentication.”
A passkey credential is on-device, registered only once and then re-used as often as needed, using the device’s biometric user verification system, be that fingerprint of facial scanning. If no biometrics are available, then they can be used with a PIN code. The important thing is that it’s the possession of the device by the user, who authenticates as such with those biometrics, that makes passkeys secure. The remote server at the service, site or account you are trying to sign into will simply ask the user to activate their screen lock to complete the authentication process.
Passkeys are designed according to the FIDO Alliance standard, so any implementation can work seamlessly with any browser or operating system. Importantly, the user’s biometric screen lock data is never sent to the site you are logging into; Google will never see it. Instead, just the cryptographic proof that you’ve activated the screen lock successfully is transferred. You can try them out at Passkeys.io, where a simple demo account shows how easy they are to use and create.