Passkeys were standardized in about 2018, so they are not new. Google explains them here, by a woman with a funny accent. I will be glad when I can substitute an AI voice.
Google has an online demo on that page, but the demo did not work on my Windows 11 machine.
Passkeys are essentially public key cryptography: the private key is bound to a device such as a phone, and it can only be used to sign a challenge message from a particular server (such as google.com or ebay.com) for a particular username. When done right, the user does not have to bother with usernames or passwords, and gets a more secure login.
It does have the advantage that I will not be tricked into logging into a phishing site, and no one can intercept my password. That makes passkeys worthwhile to me.
But it is very confusing on Google. It is hard to tell what Google requires for a login. It can keep you logged in for months, so you think you are safe, but then suddenly ask for an extra factor. Instead of letting you choose among the factors you have configured, it asks what it thinks will be the most secure. Last week it asked me for a bluetooth token that I set up five years ago, and never got to work.
I can log into my Gmail account on Firefox with just my passkey, but curiously it does not work on Google Chrome, where I have to supply my username first.
You can put a credential on a usb token, but Google will query the token and decide what it wants to put there. If you have a token with multiple capabilities, it can be impossible to configure it for the capability you want. Google will decide on its own what to put on the token. You might be better off with a ten-year-old token, depending on what you want to do.
It is hard to keep track of the tokens with passkeys, as Google uses generic names like "Windows Hello" and "Security Key", even though it queries the type of computer and token. It does try to distinguish between "devices" and "security keys", without any obvious purpose. Sometimes a passkey is called a security key if it must be used with a password, so it is not really a passkey but a predecessor FIDO key, but sometimes a USB token with a genuine passkey is also called a security key.
Sometimes Google will create a passkey on its own. This is usually okay, but sometimes it creates the passkey under the control of the "Google Password Manager" for some other Google account, and it refuses to tell you what that other account is. It allows your passkey to float around in the cloud, which might be convenient, but it also defeats the purpose of binding a passkey to a device, and makes it nearly impossible to control use of credentials. I had to delete a passkey, because I could not figure out who was using it.
Apple, Microsoft, and many others are going to passkeys. Banks not so much. They are also confusing. I thought that this would have been sorted out five years ago. Maybe it will take another five years.
Update: I ran into more problems with Google passkeys. If I try to edit my Google Wallet, after being logged into Gmail, then Google wants to confirm my identity. Fair enough. It asks for a "security key" and does not allow any of my other options, such as password, authenticator, SMS, etc. So I supply a USB security key with a passkey. And that is not good enough! It wants one particular passkey, and it will not tell me which. I have to keep guessing until it accepts one.
I don't know how I would pay for something on a trip, as I have no way of knowing what security key Google will ask for.
Part of the point of passkeys is that they are easily created and bound to a device. So I can have one at home, one at the office, one in the safe, one in my luggage, etc. But that assumes that Google is going to accept the one I have, or at least be predictable about what it needs. Most people are probably better off sticking to passwords, until Google and the other big tech companies make passkeys usable.