{"id":27494,"date":"2023-05-23T17:31:25","date_gmt":"2023-05-23T15:31:25","guid":{"rendered":"https:\/\/www.sciencefocus.com\/?p=144217"},"modified":"2023-05-23T17:37:09","modified_gmt":"2023-05-23T15:37:09","slug":"google-is-killing-off-the-password-forever-heres-what-could-replace-it","status":"publish","type":"rss_feed","link":"https:\/\/c01.purpledshub.com\/bbcsciencefocus\/rss_feed\/google-is-killing-off-the-password-forever-heres-what-could-replace-it\/","title":{"rendered":"Google is killing off the password forever. Here\u2019s what could replace it"},"content":{"rendered":"

Google\u2019s new passkey software is a biometric replacement for old-fashioned password. Can we finally forget about having to remember what all our passwords are? <\/p>

By Jason Goodyer\n \t\t<\/p>

Published: Tuesday, 23 May 2023 at 12:00 am<\/p>

\n\n

At the start of May, Google announced it was beginning a shift towards using passkeys<\/a> to grant users access to its software. The tech giant describes passkeys as \u201cthe easiest and most secure way to sign into apps and websites\u201d and hails the move as a step towards a \u201cpasswordless future\u201d.<\/p>\n

Sounds good. But what is a passkey and how will it make you and your devices more secure?<\/p>\n

What\u2019s wrong with passwords?<\/h2>\n

The very first digital passwords were invented by an MIT professor in the mid-1960s who needed to give multiple users private access to the same giant computer. Passwords soon became ubiquitous in our computers and it\u2019s easy to see why \u2013 a simple, memorable word is quick and easy to input when you want to gain access to your computer.<\/p>\n

But that\u2019s also the problem with passwords. A simple, memorable word such as \u2018password\u2019 or \u2018123456\u2019 is very easy to guess, and when hackers ask their computers to guess millions of passwords a second, even quite complex words and codes can be broken instantly.<\/p>\n

The best way to thwart this kind of hacking is to use long passwords, as the number of combinations (and difficulty of guessing) increases exponentially with length. For example, \u2018My!_Garden_ShedWith13Daffodils#and17Tulips_Outside\u2019\u00a0is considerably harder to guess than \u2018MyPa55wo2d!xxx\u2019.<\/p>\n

Nevertheless, it\u2019s recommended that you use a different password for every new app, so that if one is exposed by a hacker, none of your others will be at risk. Unfortunately, today this has become infeasible as everything from Netflix to your bank requires a password \u2013 it\u2019s not possible for us to remember hundreds of different codes.<\/p>\n

Our solution? We write the passwords down, often on sticky notes stuck to the monitor or keyboard, or on a pad kept in a nearby desk. Alternatively, we use password manager apps that remember everything for us but provide a one-stop-shop for hackers.<\/p>\n

But it\u2019s not just physical records that make you vulnerable. One of the most common ways for hackers to obtain your passwords is so-called \u2018social engineering\u2019. It might be as simple as a phone call to a company pretending to be a new employee who forgot their password. Or it might be a scammer who pretends to be your bank and asks you to download special software.<\/p>\n

Sometimes \u2018bait\u2019 is left \u2013 a USB drive that looks as though it contains something interesting but actually contains malware that you inadvertently install on your computer. This will then monitor your device and record your passwords and send them to the fraudsters.<\/p>\n

It may even be more brazen: a fraudster who sends a \u2018scareware\u2019 email, claiming they\u2019ve taken over your computer and that they have videos of you that they intend to post publicly unless you give them what they want.<\/p>\n

So passwords are a weak spot. Doesn\u2019t two-factor authentication solve that?<\/h2>\n

To some extent, yes. But two-factor (or multi-factor) authentication (2FA\/MFA) still relies on you remembering the relevant password.<\/p>\n

MFA-enabled devices work by asking you for your password before they use another method of identifying you \u2013 sending a text or email, or asking for a response via a dedicated app. The theory is that even if hackers have your password, they\u2019d still be unable to gain access because they\u2019d need your phone or computer.<\/p>\n

But 2FA is still vulnerable to hackers through various methods. For example, simply resetting a password can sometimes bypass the 2FA, or hackers could \u2018SIM-jack\u2019 your SIM card so that texts go to their device instead of yours.<\/p>\n

So what do the experts recommend?<\/strong><\/h2>\n

Security experts prefer methods that perform authentication of your identity instead of just authenticating your device. This is where biometric passkeys come in. Biometric authentication uses special sensors in your devices to measure features unique to you and uses those as a passkey.<\/p>\n

Your fingerprint, 3D facial dimensions, iris, retina and palm vein can all be used to identify you. And today our smartphones, laptops and tablets are capable of reading fingerprints and faces, so they can perform accurate biometric authentication.<\/p>\n

How do biometric passkeys work?<\/h2>\n

When your device knows it\u2019s really you, then it has to send that approval securely to the application demanding authentication. Passkeys provide that mechanism. They use cryptographic security \u2013 the same kind of system used for Secure Socket Layer (SSL) websites to ensure that data transferred between sender and recipient cannot be intercepted and deciphered.<\/p>\n

Your phone maintains a private cryptographic key stored on the device and releases a public key to the application. This enables your phone to send a private message to the application that can only be read by that application saying: \u201cthe biometric test has been passed\u201d.<\/p>\n

All you needed to do was look at the phone or put your finger on the fingerprint reader.<\/p>\n

And passkeys are better because\u2026<\/h2>\n

Once we have biometrics and passkeys, we no longer need passwords. And this looks like the next stage in the evolution of computer security. Google recently announced that it\u2019s switching from passwords to passkeys, turning off passwords and 2FA altogether for those users who wish to switch.<\/p>\n

It\u2019s a better solution for everyone: no more passwords to remember, no codes sent to your phone that you have to type in. And should your phone be lost or stolen, it\u2019s no problem: the authentication requires your face or your fingerprint. So it won\u2019t work for anyone else.<\/p>\n

Like all changes, this may take some getting used to \u2013 some of us have been using the (same) passwords for a very long time! But adoption is likely to be offered as a choice and given the alternatives, this is a considerable improvement. If you\u2019re offered the option of a passkey with biometric authentication, it\u2019s worth a try.<\/p>\n

Read more about cybersecurity:<\/strong><\/p>\n