Google Chrome 108 was released to the stable channel last week. It added support for a new way to sign in to online accounts, passwordless logins, aka Passkeys.
What are Passkeys? Passkeys are a secure login method, that was developed by the
FIDO Alliance and World Wide Web Consortium (W3C), which includes the giants of Silicon Valley like Apple, Google and Microsoft.
What's the need for it? Regular passwords can be phished, leaked, stolen or brute forced if the passphrase is weak. Passkeys sidestep these issues completely, there is nothing to be guessed, leaked or stolen. The Passkeys are stored on the user's device in an encrypted form that can only be accessed with biometric data such as FaceID, fingerprint ID, Windows Hello, PIN, etc. The Passkey on the user's device is referred to as a private key. This is used in tandem with a public key (username) stored on a website's login system.
If a user has saved their account credentials as a Passkey, and they try to log in to the website that the account belongs to, the server's public key asks the user to provide the Passkey associated with their account. This is done by approving the login, by using the computer or mobile phone's fingerprint scanner, camera (FaceID), or the PIN code used to unlock the screen. The device scans the encrypted Passkey data that is stored locally, and tells the server to approve the login request. In other words, your Passkey never leaves your device. You may sync Passkeys across devices, this depends on the app and OS that you use.
Intrigued by the new security feature? You can start using Passkeys in Chrome on websites that support it. That's the issue, very few sites have adopted the new protocol. This
Passkey directory page (owned by 1Password) has a list of services that support the new protocol, these include PayPal, BestBuy, eBay, Microsoft, NVIDIA, etc.
chromereleases.googleblog.com
