Google’s Passkeys Are a Step in the Right Direction
Posted by Adam Lowe, Ph.D., Chief Product & Innovation Officer, Arculus on 31st May 2023
The death of the password is one step closer now that Google & Apple have unlocked the realm of passkey authentication for their user base, providing millions of people a greater degree of account protection than mere passwords or code-based two-factor authentication systems.
Passkeys are essentially cryptographic FIDO2 (Fast Identity Online) keys, like an Arculus-powered metal card or a YubiKey device, that are synced across several devices to authenticate users. Google’s service, like those also in development by Microsoft and Apple, is cloud-based and allows users to authenticate by creating passkeys on individual devices that connect with cloud-based servers.
Industry Endorsement and Google's Initiative
And those who are trying to accelerate the adoption of FIDO technology are happy to see Google leading the way. “We’re thrilled with Google’s announcement today as it dramatically moves the needle on passkey adoption due both to Google’s size, and to the breadth of the actual implementation — which essentially enables any Google account holder to use passkeys,” said Andrew Shikiar, executive director of FIDO Alliance, in a statement. “I also think that this implementation will serve as a great example for other service providers and stands to be a tipping point for the accelerated adoption of passkeys.”
While we here at Arculus believe that hardware authentication is the gold standard, we also believe that Google’s move is a net positive, and anything that moves us past the days of username/password login systems is good. Google’s move is pushing forward the FIDO ecosystem and the digital key ecosystem, and we fully support this transition.
The Role of Hardware in Security
However, what has to happen hand-in-hand with this rollout of passkeys across industries is establishing ways to secure user accounts. That’s where hardware like Arculus comes in, because generally speaking, most users are not taking the necessary steps to protect their Google or Apple accounts. Not many are using two-factor authentication and even fewer are using more substantive means to back up and protect their accounts. So, if those root accounts aren’t protected properly, deploying passkeys doesn’t really solve the security problem. You need a hardware key.
Imagine your account as a house. If you think of a passkey as a key to your screen door, your hardware key is like a key to your deadbolt. One keeps most people out. The other keeps everyone out.
Arculus: Bridging Convenience and Security
At the end of the day, when you need to protect root accounts, you want hardware, and Arculus can be that master key to provision new devices in an ecosystem. It offers that next level of protection, while being convenient and easy to use. It doesn’t get lost in the bottom of your filing cabinet drawer like some other types of hardware keys. You simply pull out your phone and tap your card. It’s just infinitely easier.
You used to have to choose between security and ease, but with Arculus and FIDO, you can have both. Rather than syncing your identity to the cloud, you authenticate with a piece of secure hardware. You control your destiny in your pocket, rather than hope and pray that Google’s and Apple’s clouds are as secure as you need them to be. Things happen.
Consumers are going to demand passwordless security when they begin to experience its increased ease-of-use and enhanced protection. And enterprises are likely to follow, bringing it both in-house and to their customer bases to stay relevant and protect their brands.
Looking Ahead: A Secure Digital Future
Passkeys are a necessary step on the road to increased security for all, and a way to get consumers digital keys that they can understand without having to understand the cryptography underneath. At the end of the day, the underlying imperative remains. User security has to improve. Consumers need a way to sign in securely. I know I would rather hold my passkeys in my pocket–and only my pocket–rather than relying on anyone’s cloud storage. Wouldn’t you rather that root signature come from your pocket than from the cloud?