The Password is Dead: Here comes the Passkey
 

Google this week enabled passkey support for everyone. Passkeys are touted as the password killer, at long last. Your phone generates a public/private keypair, and all you need to do is use that to log in without a password. It pretty much eliminates phishing as a threat since you need your phone to log in, and your phone needs to be physically close to the device you're trying to log in on (they communicate via Bluetooth).

I have tried it in a few ways and it's pretty slick. To log in on my computer, my computer shows a QR code that I scan with my phone, do FaceID, and I'm logged in. My password manager, 1Password, has announced they will start supporting cross-platform passkeys next month.

Here's an article: https://arstechnica.com/information-...rds-heres-why/

Count me as a huge fan of the password-less log in world and, in my view, ought to be the future of how we log into our sensitive accounts.

Just need companies and websites to start supporting it now... but that will cost them money, and for what benefit?

I think Google throwing its weight behind it will do a lot for that.

Better security is a plus for any company.

Eh... I hate 2-factor, especially phone/e-mail. The current setups with password-only logins, especially the useless C0mp1eX! requirements, needs help, but I'm not so sure this is the right solution. I still have multiple users in my office that can't handle SMS 2-factor authentication (seriously).

Smartphones haven't been reliable for me. Apple, Samsung, Motorola, all have been unstable for me. Overheating, locking up, spontaneously rebooting, and battery issues. Add in all of the things which have to go right for this to work and no thanks. Bluetooth's gotten better over the years but still isn't as seamless as it should be.

One of my condos replaced our 24/7 security guards with a "cloud" entry system where they want you to download a Chinese app to your phone to gain entry. Useless thing. For it to work: 1) There has to be power, 2) Their Comcast connection and router have to be working, 3) the gate system keypad/controller have to be working, 4) the gate system's cloud servers have to be working, 5) the larger internet has to be working, 6) the cell connection has to be working, 7) my phone has to be working, 8) the app has to be running and working. No thanks, I'll just enter the 5 digit code or copy of the barcode I made and go on my merry way.

I don't have a problem with it existing, but I don't see this as THE solution. It's just going to change the bad actors' targets from desktops to phones and Bluetooth. Anyone have a FlipperZero? After all, most people keep their entire lives on their phones, passwords, accounts, and all. Read up on the recent YouTube cookie / session hacks and it's not a stretch to port those type of hacks to infiltrate this type of system. At my office we use token (public/private key deal) + password, which is better than a password alone, but is far from infallible.

Given Google's extensive history of coming up with something and then getting bored and discontinuing it doesn't rub developers and programmers well. I personally spent many hours chasing my Google's ever-changing APIs before finally giving up.

Apple have been supporting it for some time, and it's not really got any sort of traction as yet.

Microsoft is also on the passkey train.

this is actually my first time hearing about google passkeys and haven't seen any other articles referring to it. It'll probably take a while before smaller websites start switching over since the implementation will take time and if its even worth the effort. I can see this be useful for the bigger companies that already require 2fa anyway.

Kayak has supported it for a while now.

I use Google passkeys to log on to Google all the time. It works well.