Passwords are probably not as secure as we used to think. Google services support passkeys on Android devices, and maybe you are already using them. Passkeys are a passwordless authentication method, often referred to by terms such as FIDO or WebAuthn. FIDO2 replaces passwords when logging in to online services. The acronym stands for Fast IDentity Online. It is a so-called strong authentication because the key is bound to a piece of hardware: a security chip in the PC, smartphone or security token. Passkeys are an extension of the FIDO2 standard and are intended to make it easier to use, because every device no longer has to be paired with every user account. The keys are no longer tied to a single device but are synchronized via the cloud in encrypted form. Apple, Google, and Microsoft are promoting the process.
FIDO2 is resistant to phishing because the domain is included in the calculation of the key, so a credential created for one site cannot be used by a look-alike site.
How a Passkey Works and the Standards
The passkey system is based on asymmetric encryption. To log in to an online service, the service sends a challenge (a question) to the PC. The user's authenticator signs the challenge with the private key, and the resulting response is sent back to the service. The service can use the public key to check the response for correctness, but it cannot produce such a response itself. Also, the private key never leaves the security chip.
During setup, the server initially sends a request. The FIDO2 key then generates a public and a private key from a secret key and the server address. The public key is transmitted to the server, which stores it and can thus uniquely identify the FIDO2 key in the future. In this way, the FIDO2 key identifies itself with an individual key for each FIDO2-capable server, and the operator of one server cannot infer the login credentials used with other servers by the same FIDO2 key. To protect against loss of the FIDO2 key, it can also be secured biometrically or with a password (called a PIN here).
FIDO2 consists of the W3C Web Authentication Standard (WebAuthn) and the Client to Authenticator Protocol (CTAP) of the FIDO Alliance. FIDO2 is based on previous work by the FIDO Alliance, namely the Universal 2nd Factor (U2F) authentication standard. With the release of FIDO2, U2F was renamed CTAP1. Taken together, WebAuthn and the corresponding CTAP of the FIDO Alliance specify a standard authentication protocol.
Which Services Support Passkey
Apple, DocuSign, Google, Kayak, Mercari, NTT Docomo, PayPal and Shopify, to name a few. You can read their documentation:
Samsung One UI 6.0 could bring passkeys to apps. Samsung Galaxy smartphones will get Android 14 with the One UI 6.0 upgrade from the end of 2023.