macrumors bot
Original poster


Google Chrome has announced it has gained support for passkeys, a new industry-wide standard with the hope of replacing passwords by making it easier and safer to log into websites and apps.

With passkeys, users can authenticate and log into websites using their iPhone or Android devices, replacing the need for a password. On newer versions of iOS and Android, users visiting websites that support passkeys can use biometric authentication on a trusted device to confirm their identity. Writing in a blog post, Google said it was adding passkey support to Chrome, which will let users scan a QR code on their Android or iPhone device to log in. Passkey support is also coming to Chrome on Android.
On a desktop device you can also choose to use a passkey from your nearby mobile device and, since passkeys are built on industry standards, you can use either an Android or iOS device. A passkey doesn't leave your mobile device when signing in like this. Only a securely generated code is exchanged with the site so, unlike a password, there's nothing that could be leaked.
A number of other companies and apps have introduced or announced upcoming support for passkeys, including 1Password, PayPal, Microsoft, eBay, and more. Passkey support in Google Chrome is available now with the latest update. To learn more about passkeys, check out our explainer.

Article Link: Google Chrome Gains Support for Passkeys, Making it Easier to Log Into Websites and More
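
The sign-in flow the article describes (the passkey stays on the device and only a generated response reaches the site), as an added example that is not part of the original post. It is a simplified challenge-response built on Node.js's `crypto` module, not the WebAuthn wire format; the origins and function names are constructed for illustration.

```javascript
// Added illustration: simplified passkey-style sign-in (not the real WebAuthn message format).
const nodeCrypto = require('node:crypto');

// Device side: the key pair is generated on the device; the private key never leaves it.
function createPasskey() {
  return nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Device side: sign the site's one-time challenge together with the origin the browser reports.
function signAssertion(privateKey, challenge, origin) {
  const clientData = JSON.stringify({ challenge: challenge.toString('hex'), origin });
  const signature = nodeCrypto.sign('sha256', Buffer.from(clientData), privateKey);
  return { clientData, signature };
}

// Site side: holds only the public key. Checks origin, challenge freshness, then the signature.
function verifyAssertion(publicKey, expectedChallenge, expectedOrigin, assertion) {
  let data;
  try {
    data = JSON.parse(assertion.clientData);
  } catch (err) {
    return false;
  }
  if (data.origin !== expectedOrigin) return false;
  if (data.challenge !== expectedChallenge.toString('hex')) return false;
  return nodeCrypto.verify('sha256', Buffer.from(assertion.clientData), publicKey, assertion.signature);
}

function demo() {
  const SITE = 'https://shop.example';            // constructed origin
  const LOOKALIKE = 'https://shop-login.example'; // constructed look-alike origin
  const device = createPasskey();
  const storedPublicKey = device.publicKey;       // the only thing the site keeps

  const challenge1 = nodeCrypto.randomBytes(32);
  const genuine = signAssertion(device.privateKey, challenge1, SITE);
  const challenge2 = nodeCrypto.randomBytes(32);  // a later sign-in attempt
  const wrongOrigin = signAssertion(device.privateKey, challenge2, LOOKALIKE);

  return {
    genuine: verifyAssertion(storedPublicKey, challenge1, SITE, genuine),       // accepted
    replayed: verifyAssertion(storedPublicKey, challenge2, SITE, genuine),      // old response reused
    wrongOrigin: verifyAssertion(storedPublicKey, challenge2, SITE, wrongOrigin) // signed for another origin
  };
}
```

A captured response is useless for a later sign-in because each challenge is fresh, and the site's stored public key cannot be used to produce a signature.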
 
More parties to rely on at an authentication boundary is not necessarily a better thing. You are at the mercy of every one of them.

I will continue to use MacPass and keep everything in a domain I fully control.
I don't understand this comment. For most people, Passkeys won't increase the number of parties involved in the authentication process. Assuming of course, that most people, like you seem to do, use a tool to store their passwords. With Passkeys, what's being transferred between authenticatee and authenticator is different (not a password) but other than that, the process is very similar. A "secret" held on your client (probably using a software tool or the built-in key-chain) is used to authenticate with the target website.
 
More parties to rely on at an authentication boundary is not necessarily a better thing. You are at the mercy of every one of them.

I will continue to use MacPass and keep everything in a domain I fully control.
It’s just asymmetric key cryptography. There is no third party other than your key storage provider, let it be your trusted Apple devices’ Secure Enclave or 1Password vault or Google’s vault or multiple vaults.

It’s similar to GPG.
 
It’s just asymmetric key cryptography. There is no third party other than your key storage provider, let it be your trusted Apple devices’ Secure Enclave or 1Password vault or Google’s vault or multiple vaults.

It’s similar to GPG.

Yes that's the problem. Your vault is most likely to be synced with iCloud which means the SPOF is iCloud as always.
 
I hope passkeys remain optional forever. It sounds like a system that requires having a mobile device on you at all times, I'd hate to keep unlocking my phone just to log in to a website on the desktop. Having a password manager is so much simpler.
 
Has anyone seen any of the big sites out there supporting Passkeys/WebAuthn yet? I’ve yet to come across one in the wild. I saw articles that PayPal was starting to roll it out in October, but it hasn’t shown up for me as an option yet.
 
What if you use a desktop Mac with no WebCam and no touch ID on the keyboard?
With Safari, you use your login password to create and use passkeys. Only requirement is Safari 16.1 and having iCloud Keychain enabled.

I don’t use Chrome, so I don’t know how it works there.
 
With passkeys, users can authenticate and log into websites using their iPhone or Android devices, replacing the need for a password.
What about authenticating with an iPad or Apple Watch? Will I have to use my iPhone to authenticate even when I’m using an iPad to access a web site?
 
If this becomes a standard, 1Password could see a massive decline in users…
I think the opposite. Passkey is limited in a lot of ways.

By relying on either company to eliminate passwords, you’re effectively locking yourself into their respective platforms.
It will not be easy to switch from Android to iPhone at all and vice versa. It can be done, but it won't be easy at all.

The other issue is sharing Passkeys. My wife and I share passwords for our bills, how can you do this with Passkey? You can't unless both are Apple. This again is where a password manager will shine. My wife can use the vault we share passwords, we can share Passkeys very easily.

Another issue is when you log in to a computer and your Passkey is on your phone. Yes, there will be a QR code, scan with your phone, and log in, but password managers are cross platform. I have my Password Manager on all of my devices, so I can easily log into a website without having my phone with me. 1Password also made a way to log into a computer that isn't yours easily (article below), and I bet Bitwarden and others will follow.

Work Passwords... I read an article about work passwords, how this will be an issue (I wish I kept that article). It's probably not an issue now, because it will take years before Passkey takes off.

Password managers are superior in this way, and just switching/cross platforms alone are worth it.

Here is the article about how 1Password will handle Passkeys (and where I got the quote above). Please note, I bet money Bitwarden and others will do the same, and it's great. They will make it easy to switch Password Managers with Passkeys also.

Passwords aren't going away anytime soon, so passwords are going to be around for years. Not every website is going to change overnight to Passkey.
 
So if you lose a passkey will you still be able to ‘reset’ your website login using your email?

Without 2FA, many websites/services have stopped using passwords altogether. They just send an email with a code or link. Why? Because if you say you forgot your password, they just send you an email to reset it anyways. Might as well skip the password step altogether. Some even consider email to be a 2FA choice, which makes no sense, as you can just reset your primary authentication over email.

But this means if an attacker gains email access they can reset your password on almost every website.

If you lose a passkey and have to reset a website, how would you prove yourself with 2FA? As soon as you put a phone number as a backup, you are significantly reducing the security.

I don’t get it personally. The general public is generally not that intelligent when it comes to internet security. People are just going to end up locked out of all their accounts and have no idea why.

We use 1Password Enterprise at work and I’m constantly having to recover employee accounts.
 
If you lose a passkey and have to reset a website, how would you prove yourself with 2FA? As soon as you put a phone number as a backup, you are significantly reducing the security.
From what I am reading, your phone/device will prove who you are. Unless someone has your phone, they aren't getting in.
 