Under the title ‘Goodbye passwords, thanks for all the phish(ings)’, Google has announced on its blog that users can now sign in to their accounts with passkeys (access keys), a project of the FIDO Alliance, in which most of the technology industry is involved, that aims to put an end to passwords. These new keys are more convenient and secure. The system uses a biometric identifier such as a fingerprint or facial scanner, and works by means of two keys: a public one, which is stored by the Internet service the user signs in to, and a private one, which never leaves the user's device.
With the system that Google has begun to apply, cybercriminals who hack into an online service to steal its users' passwords will gain nothing, since they will not have access to each user's private key. When the device does not have a biometric sensor, as is the case with most desktop computers, a QR code scanned with the mobile phone or a local PIN allows the operation to be carried out. The FIDO (Fast IDentity Online) Alliance is an internet industry association that was formed in 2013. The Android, Windows, iOS and macOS operating systems already support passkeys. If websites begin to integrate them, passwords will begin to disappear.
FIDO
Passkeys (or access keys) prevent attacks such as phishing, in which the user is tricked into entering their password on a fake website that imitates the bank or another service, or SIM swapping (smishing) through SMS verification. If multiple devices are used, a key can be created for each of them. Some platforms make backup copies of the passkeys and synchronize them with the same user's other devices. In the case of the iPhone, if other Apple devices are logged in to the same iCloud account, the passkey will also be available on them.
To sign in on a new device, you must select the option “use a passkey from another device”, which does not automatically transfer the passkey from the phone to the new device, but uses the phone's screen lock and proximity to approve a single sign-in. If the new device can store a passkey of its own, that option then becomes available.
In September, Apple introduced support for the FIDO system with iOS 16, so that all iPhones with the updated operating system can serve as login tools for any website or app that has it enabled. PayPal has supported passkeys on iOS since October. Other companies have followed. The end of passwords is a little closer.