Google Passkey, a way to get rid of passwords

On World Password Day 2023, Google released a feature called Google Passkey to make it easier to use multi-factor authentication in its products, but that is not exactly what got the most attention.

In 2005, security researcher Mark Burnett suggested in his book “Perfect Passwords” that every person should have a password day: a date on which they change their passwords, at least once a year.

Inspired by this recommendation, Intel launched a worldwide campaign in 2013 to get people to change their passwords and to reinforce the message that passwords should be strong, in the sense of easy to remember but hard to guess. Since then, World Password Day has been celebrated on the first Thursday of May each year.

A password day or a day to stop using them

Security vendors, and in particular vendors of access-control products, now use the date created by Intel to encourage the use of multi-factor authentication (MFA), which today is considered the most cost-effective way to protect systems, since passwords, as we well know, have several security flaws.

This year, 2023, was no different: even the Cybersecurity & Infrastructure Security Agency (CISA), the American cybersecurity agency, campaigned for companies to enable MFA in their environments.

It was in this context that Google launched its new feature into production.

From now on, if you are a user of a Google account, you can access https://g.co/passkeys and activate your passkey to replace your password on the service.

But what is a passkey?

Passkey vs. Password

But what exactly is a passkey and why is it more secure than my password?

To use a passkey you need a device: a phone, a laptop, or a browser. On that device you need a key store, a “keychain”.

Practically 100% of today’s smartphones have secure hardware for storing cryptographic keys. Laptops, and even virtual machines, have a hardware component called the Trusted Platform Module (TPM).

Every operating system and device has a way to unlock this key vault. Android and iOS phones use biometric authentication to unlock it.

On Windows, Windows Hello uses cameras or fingerprint readers to unlock the key vault.

Using this system, Google enables the passkey. During enrollment the user authenticates one last time with his password, and Google generates a cryptographic key specific to the passkey, or to the device being registered, for authentication.

This key generated by Google will be stored inside the key vault, or TPM of the registered device.

Every time the user wants to use a Google service, he has to authenticate locally on his device with his biometrics; when that local authentication succeeds it unlocks the key vault, and the system uses the Google key to authenticate to the Google service.

For the user, it feels like authenticating with biometrics, but behind the curtain it is a cryptographic key that identifies a device previously registered with Google.

So is this the magic of Google Passkey?

Yes and no. Today I revealed the secret behind the trick, like the magician Mister M.

But what surprised the security community the most is that this Passkey functionality was rolled out en masse to all users of Google services.

It is estimated that there are 4.3 billion users of Google services. If Google were a country, it would have the approximate population of Panama.

Imagine the effort to implement a project of these proportions: on a single date, deploying a security and authentication feature like this for an entire population.

In the past, Apple has also done a similar feat.

You may remember the Fappening attack, when hackers broke into celebrities’ iCloud accounts; since their iPhones synced photos, contacts, and calendars with the cloud service, the attackers got hold of private and nude photos of celebrities that were hosted on Apple’s cloud.

In a matter of days, Apple implemented a second authentication factor that sends a one-time password (OTP) and that uses geolocation and approval prompts on the user’s phone to authorize logins.

A project that would take months in a normal company was implemented in days.

Ryan Collins, 36 years old at the time, was the hacker who broke into and leaked intimate photos of actress Jennifer Lawrence, in the attack known as the Fappening Attack. He was sentenced to 18 months in federal prison in 2016.

Author: fabio

Fabio Sobiecki is a systems analyst who graduated from Unopar, a specialist in Information Security from Senac, and holds an MBA from FGV. He has worked in information security since 2004; between 1998 and 2004 he worked in information technology, in infrastructure and computer networks. He has been certified by (ISC)² as CISSP and CCSP since 2008 and 2017, respectively. He is currently president of the (ISC)² São Paulo chapter and a solutions engineer at RSA.