Hot Take Google makes passkeys the default sign-in method for all users

[silversurfer]

Google has announced that passkeys, touted by the tech giant as the “beginning of the end” for passwords, are becoming the default sign-in method for all users.

On Tuesday, the company took a step closer toward killing off the password with the announcement that it’s making passkeys the default authentication method for all Google Account holders.

“This means, next time you sign in to your Google Account, you’ll start seeing prompts to create and use passkeys, simplifying your future sign-ins,” said Google product managers Christiaan Brand and Sriram Karra. “Our goal is the same as it has always been, giving you technology that is secure by default, so that you have the strongest security but without the burden.”

Google says that since the launch of passkeys for Google accounts, 64% of users have said they find passkeys easier to use compared to traditional methods like passwords and two-step verification.

Google says that it encourages all users to start using passkeys as their primary sign-in option. TechCrunch recommends this too, as while setting up passkeys might seem like a chore, it’s an investment that can save you from a potential security disaster down the road. It could save you valuable time, too, as Google claims that logging in via passkeys is 40% faster than using a password.

Source: Google makes passkeys the default sign-in method for all users | TechCrunch

Passwordless by default: Make the switch to passkeys

Google is making it even easier to get started with passkeys by offering the ability to set them up for all users — by default.

blog.google

 

[Ink]

SHARING FOR EDUCATIONAL REASONS:

• Make their own decisions when it comes to Passkeys.
• Bottomline: Passkeys effectively replace the old 'password and 2FA' combination.

Do I need 2FA with my passkey?​

No, because 2FA is built into passkeys.

Source: Bitwarden FAQ

AI: Replace 2nd Factor Authentication with a Passkey?​

Yes, a passkey can replace 2nd factor authentication (2FA). In fact, passkeys are designed to be more secure and convenient than traditional 2FA methods.

Here is a comparison of passkeys and 2FA:

Feature	Passkey	2FA
Passwordless	Yes	No
Multi-device	Yes	Yes
Phishing-resistant	Yes	Yes
Convenient	Yes	Yes, but less convenient than passkeys
Secure	More secure	Secure

To use a passkey, you first need to create one on your device. This typically involves providing your biometric information, such as your fingerprint or face scan. Once you have created a passkey, you can use it to sign in to websites and apps that support passkeys.

To sign in with a passkey, you simply need to select the passkey option and then authenticate with your biometric information. There is no need to enter a password or receive a code from another device.

Passkeys are still relatively new, but they are gaining support from major tech companies such as Apple, Google, and Microsoft. As passkeys become more widely supported, they are likely to become the preferred authentication method for many users.

Source: Bard.

Spoiler: AI: Should you use a passkey or 2FA?

If you are looking for the most secure and convenient authentication method, then you should use a passkey. However, if you are not yet able to use passkeys, then you should still use 2FA. It is better to use 2FA than no additional authentication at all.

If you are able to use both passkeys and 2FA, then I recommend using both. This will provide you with an extra layer of security.

Here are some additional things to consider when choosing between a passkey and 2FA:

• Device support: Passkeys are still relatively new, so not all devices support them yet. If you are not sure whether your device supports passkeys, you can check with the manufacturer.
• Account support: Not all websites and apps support passkeys yet. If you want to use a passkey to sign in to a particular website or app, you need to make sure that it supports passkeys.
• Personal preference: Some people prefer the convenience of passkeys, while others prefer the security of 2FA. Ultimately, the best authentication method for you is the one that you feel most comfortable using.

Source: Bard.

Spoiler: AI: Should I use Google OR Bitwarden for Passkeys?

Whether you should use Google or Bitwarden for passkeys depends on your individual needs and preferences. Here is a comparison of the two options:

Google

• Pros:
  • Google is a well-known and trusted company with a good track record of security.
  • Google is one of the first companies to implement passkeys, so it has a lot of experience with the technology.
  • Google's passkey manager is integrated with Chrome, which makes it easy to use.
• Cons:
  • Google is a large company that collects a lot of data about its users. Some people may be concerned about privacy implications of using Google's passkey manager.
  • Google's passkey manager is currently only available on Chrome and Android.

Bitwarden

• Pros:
  • Bitwarden is an open-source password manager with a strong focus on privacy.
  • Bitwarden supports passkeys on a variety of platforms, including Chrome, Firefox, Edge, Safari, iOS, Android, and Linux.
  • Bitwarden is self-hosted, which means that you have complete control over your data.
• Cons:
  • Bitwarden is not as well-known as Google, so it may not have as much experience with passkeys.
  • Bitwarden's passkey manager is not as integrated with Chrome as Google's passkey manager.

Ultimately, the best way to decide which passkey manager to use is to try both of them out and see which one you prefer.

If you are concerned about privacy, then Bitwarden may be a better option for you. If you are looking for a passkey manager that is easy to use and integrated with Chrome, then Google's passkey manager may be a better option for you.

It is also important to note that both Google and Bitwarden are still developing their passkey managers, so there may be some features that are not yet available.

Source: Bard.

Spoiler: AI: Should I use 1Password OR Bitwarden for Passkeys?

Whether you should use 1Password or Bitwarden for passkeys depends on your individual needs and preferences. Here is a comparison of the two options:

1Password

• Pros:
  • 1Password is a well-known and trusted password manager with a good track record of security.
  • 1Password supports passkeys on a variety of platforms, including Chrome, Firefox, Edge, Safari, iOS, Android, and Linux.
  • 1Password has a user-friendly interface and a wide range of features, including password generation, password sharing, and travel mode.
• Cons:
  • 1Password is more expensive than Bitwarden.
  • 1Password is not open source.

Bitwarden

• Pros:
  • Bitwarden is an open-source password manager with a strong focus on privacy.
  • Bitwarden supports passkeys on a variety of platforms, including Chrome, Firefox, Edge, Safari, iOS, Android, and Linux.
  • Bitwarden is self-hosted, which means that you have complete control over your data.
  • Bitwarden is more affordable than 1Password.
• Cons:
  • Bitwarden is not as well-known as 1Password.
  • Bitwarden's user interface may not be as user-friendly as 1Password's user interface.

Ultimately, the best way to decide which passkey manager to use is to try both of them out and see which one you prefer.

Here are some additional things to consider when choosing a passkey manager:

• Security: Both 1Password and Bitwarden are highly secure password managers. However, 1Password has a slight edge in terms of security features. For example, 1Password offers a Secret Key feature, which adds an extra layer of security to your account.
• Features: Both 1Password and Bitwarden offer a wide range of features, including password generation, password sharing, and travel mode. However, 1Password has a few additional features, such as Watchtower and 1Password X. Watchtower monitors your passwords for breaches and weak passwords. 1Password X is a browser extension that makes it easy to fill in passwords and generate new passwords.
• Price: Bitwarden is more affordable than 1Password. However, both password managers offer free plans with basic features.
• Privacy: Bitwarden is an open-source password manager, while 1Password is a closed-source password manager. This means that Bitwarden's code is transparent and can be audited by anyone. 1Password's code is not transparent and cannot be audited by anyone.

If you are looking for the most secure passkey manager with the most features, then 1Password is the better option. However, if you are looking for a more affordable passkey manager with a strong focus on privacy, then Bitwarden is the better option.

It is also important to note that both 1Password and Bitwarden are still developing their passkey managers, so there may be some features that are not yet available.

Source: Bard.

Edit: Strikethrough inaccurate information.

 

[Oldie1950]

Fingerprint scanning doesn't work for me because I only have very weak fingerprints. So the only biometric feature left is the face scan. Does Face Scan work with every camera? Or does the camera have to work in the infrared range like with Windows Hello?

 

[Ink]

Fingerprint scanning doesn't work for me because I only have very weak fingerprints. So the only biometric feature left is the face scan. Does Face Scan work with every camera? Or does the camera have to work in the infrared range like with Windows Hello?

No, Facial Recognition requires certain hardware elements to work with Windows Hello.

Technical spec: Windows Hello biometric requirements

Windows Hello

requires a camera configured for near infrared (IR) imaging or fingerprint reader for biometric authentication. Devices without biometric sensors can use Windows Hello with a PIN or portable Microsoft compatible security key.

Source: Windows 11 Specs and System Requirements | Microsoft

 

[TairikuOkami]

Hackers will be thrilled, all they have to do is to take control of the device, even remotely, instead of dealing with the bothersome 2FA and as a bonus, you will get less privacy. Google wins.

“Our goal is the same as it has always been, giving you technology that is secure by default, so that you have the strongest security but without the burden.”

Yeah, like simplified, thus useless UAC. Windows Hello works the same way, it scares me how easily it bypasses all MFA without any verification, it is the device, it is 100% you. Regards MS.

 

[simmerskool]

Everytime I think I understand passkeys (& perhaps I do in theory) I read something that seems not to "add-up." Eg the Bitwarden link posted above seems to have good FAQ and says: "Similarly, Bitwarden users will be able to access their Bitwarden accounts with a passkey instead of their master password...Coming fall 2023, users will be able to use a passkey to access their accounts without a master password." I just logged into my Bitwarden account, and I find no option about passkeys. It has been Fall for nearly 3 weeks. So I guess "will be able" means not available yet, but BW is posting FAQ about a system or feature they have not yet made available. Thread starts out about Google passkeys -- well and good, Google gave me the option of creating a passkey some weeks ago which I did. And Bitwarden is explaining passkeys but seems not to be offering them yet. It irks me that Bitwarden is an "authority" about passkeys but is not yet offering them. Will BW implementation of passkeys work as they claim in the FAQ? Is this only for BW Business Plans? I see no publication date on FAQ. Irked I guess because I spent the time to read the FAQ in detail, and only after the fact discover this feature is not available, or so it seems. Did I miss something? (end of crabby day rant)

 

[Jonny Quest]

@Ink thank you for the incredibly informative post. I use 1Password, so I will be reading your post tonight after work. But for me, not all my devices support Biometrics, and the fingerprint option has never been consistent on the devices it does support. So it would be a PIN, which I still need to figure out how my strong password and 2FA aren't as good as a "passkey"? I need to read and understand more about the theory of it. Remember the threads where we were able to insert our passwords into the website it would take 500 years to 1000+ to be broken. So for now, at least until tonight and I read about it more and do more research, I agree with this from the "Should you use a passkey or 2FA" spoiler:

• Personal preference: Some people prefer the convenience of passkeys, while others prefer the security of 2FA. Ultimately, the best authentication method for you is the one that you feel most comfortable using.

edit:sp and word edits

 

[nicolaasjan]

I hope this does not become mandatory in the future...

It seems that my Linux desktop with Firefox does not support this at all:
Sign in with a passkey instead of a password - Google Account Help :

Check what you need to create a passkey​

You can create passkeys on these devices:

• A laptop or desktop that runs at least Windows 10, macOS Ventura, or ChromeOS 109
• A mobile device that runs at least iOS 16 or Android 9
• A hardware security key that supports the FIDO2 protocol

Your computer or mobile device will also need a supported browser like:

• Chrome 109 or up
• Safari 16 or up
• Edge 109 or up

To create and use a passkey, your device must have the following enabled:

• Screen lock
• Bluetooth
  • If you want to use a passkey on a phone to sign in to another computer

 

[Ink]

Everytime I think
[...]
Irked I guess because I spent the time to read the FAQ in detail, and only after the fact discover this feature is not available, or so it seems. Did I miss something? (end of crabby day rant)

According to their latest September statement, Passkeys are set to launch in October for Bitwarden. Google mid-October, and 1Password late-September (last month). Providing information ahead of time gives users and businesses alike plenty of time to understand the concept of passkeys, and ready their customers to upcoming planned changes.

@Ink thank you for the incredibly informative post. I use 1Password, so I will be reading your post tonight after work. But for me, not all my devices support Biometrics, and the fingerprint option has never been consistent on the devices it does support. So it would be a PIN, which I still need to figure out how my strong password and 2FA aren't as good as a "passkey"? I need to read and understand more about the theory of it. Remember the threads where we were able to insert our passwords into the website it would take 500 years to 1000+ to be broken. So for now, at least until tonight and I read about it more and do more research, I agree with this from the "Should you use a passkey or 2FA" spoiler:

• Personal preference: Some people prefer the convenience of passkeys, while others prefer the security of 2FA. Ultimately, the best authentication method for you is the one that you feel most comfortable using.

edit:sp and word edits

Are you referring to unlocking the 1Password app, logging into 1Password using a Passkey, or using 1Password to store/manage Passkeys for other websites?

 

[Jonny Quest]

Are you referring to unlocking the 1Password app, logging into 1Password using a Passkey, or using 1Password to store/manage Passkeys for other websites?

Thank you Ink. Passkeys for other websites.

I do have a Surface 5 laptop that has the ability, 1Password, to login with Windows Hello, which from my understanding with the laptop's infrared camera scanning is secure. It's just my other PC's where I need to understand how a PIN, in my case, is going to be more secure than my nice password (letters, numbers, CAPs and symbols) I have going on to unlock the desktop app, which then unlocks the browser app (in my case). Let alone for other websites.

 

[codswollip]

So it would be a PIN

... which would be less secure than a complex password (let alone, w/2FA).

Another Google disaster... biometrics... and what happens when your biometric code is compromised? Can you change that? Your life is no longer yours.

 

[ForgottenSeer 103564]

... which would be less secure than a complex password (let alone, w/2FA).

Another Google disaster... biometrics... and what happens when your biometric code is compromised? Can you change that? Your life is no longer yours.

Your looking at this with a mind geared towards understanding tech. They are looking at this with average user eyes. Most average users find password managers complicated and a hassle, they find creating strong passwords difficult to do and remember, and most often use the same password for all sites. This is the majority of users out there. They are trying to create ways to secure the masses that are hassle free and easy to do for the majority. Your biometric data is stored locally and secure enough that we do not read about compromises to that to date.

 

[Jonny Quest]

Your looking at this with a mind geared towards understanding tech. They are looking at this with average user eyes. Most average users find password managers complicated and a hassle, they find creating strong passwords difficult to do and remember, and most often use the same password for all sites. This is the majority of users out there. They are trying to create ways to secure the masses that are hassle free and easy to do for the majority. Your biometric data is stored locally and secure enough that we do not read about compromises to that to date.

That's the only thing I could think of, too. Thanks for helping to confirm that, as I was wondering what I may have been missing with this passkey push.

 

[ashok.silwal]

This move by Google is long overdue! Passwords can be such a pain, and it's good to see them pushing for more secure and user-friendly alternatives like passkeys. Plus, if it's faster and more secure, it's a win-win.

 

[simmerskool]

According to their latest September statement, Passkeys are set to launch in October for Bitwarden.

last time I checked, it IS 12 Oct (original Columbus Day in US)... so for BW it more like the 2d half of Oct...?? Or am I missing something?

 

[Ink]

last time I checked, it IS 12 Oct (original Columbus Day in US)... so for BW it more like the 2d half of Oct...?? Or am I missing something?

And? What's the US got to do with any of it?

The blog post never mentioned any specific date.

Blog Title: Bitwarden to launch passkey management
Posted: May 24, 2023
Editor's note September 5, 2023: Passkey storage in Bitwarden Password Manager will be released in October. Sign in with passkey will come shortly after.

Wayback Machine for May 2023 - https://web.archive.org/web/20230524080003/https://bitwarden.com/blog/bitwarden-passkey-management/

 

[CyberTech]

Thanks for sharing Ink, great information! i was right about that

 

[simmerskool]

yeah but... does this default to passkey also include YouTude login? Wondering?? Because, I usually use chrome for YT, and on this vm, everytime I login to YT it asks for my password, but I manually click try another method, and then it goes to passkey, and I login ok.

 

[TairikuOkami]

It seems that MS follows. I have decided not to use a passkey in MSA, so MS has kindly assigned Windows Hello as a passkey to correct my mistake.