Google begins prompting users to create passwordless passkeys by default - The next time you sign in to your Google account, you’ll be encouraged to set up a passkey for a faster, more secure login.

Google is making it easier for users to ditch passwords on their Google accounts in favor of passkeys — a fast, secure, and passwordless approach to logins that utilizes the pin, face, or fingerprint authentication built into your devices. Starting today, Google account users will be prompted to create a passkey for their account by default, sparing them from manually hunting through account settings for the setup process.
While the industry-wide goal is to eventually make passkeys the new login standard, Google says that passwords will “still remain part of our lives as we make the pivot.” As such, users can still choose to sign in to their Google account with traditional passwords and can opt out of using passkeys entirely by disabling the “skip password when possible” option for their account.

What are passkeys?

Passkeys can replace traditional passwords with your device’s own authentication methods. That way, you can sign in to Gmail, PayPal, or iCloud just by activating Face ID on your iPhone, your Android phone’s fingerprint sensor, or with Windows Hello on a PC.
Built on WebAuthn (or Web Authentication) tech, a passkey consists of two different keys that are generated when you create it: one stored by the website or service where your account is and a private key stored on the device you use to verify your identity.

Of course, if passkeys are stored on your device, what happens if it gets broken or lost? Since passkeys work across multiple devices, you may have a backup available. Many services that support passkeys will also reauthenticate to your phone number or email address or to a hardware security key if you have one.

Apple’s and Google’s password vaults already support passkeys, and so do password managers like 1Password and Dashlane. 1Password has also created an online directory listing services that allow users to sign in using a passkey.

Google has introduced passkey support to a range of its products over the last year, including Workspace and Cloud accounts and its Chrome web browser. Many leading websites and apps also support passkeys. You can find more information about where they can currently be used via this directory created by the 1Password password management service.

https://www.theverge.com/2023/10/10...ey-setup-prompt-default-passwordless-security
 
Even IF this goes perfectly right, it is going to be a HUGE security threat, risking your entire identity. Secondly.. It is likely to be, or at least be one step away from the end of anonymity online. All depending on how it's implemented. Since it is one step away from single sign-on/universal accounts. And once this shit is forced on as the default (see cell phone numbers for email and social media accounts) it will be the end of alt, backup or new accounts. Even leaving the identity "universal account" side aside, all your accounts will be tied on a fundamental level to each other. So if you have a SM account that requires your real identity, that's now in the web/chain of identities all linked in the same way. As soon as it gets compromised.. You are fucked, and depending on how it was implemented, all accounts tied to your equipment and the equipment itself is too.

Once they start forcing face/fingerprints as well.. All bets are off and we are completely fucked.

The real reason for this is tracking and ads.. In that it enables the breaking of a fundamental security/privacy principle of modern tech. Unique fingerprinting of software or hardware that is front facing and network available.
 
In theory I think you're supposed to get a notification if there are suspicious login attempts, let's say from a different location than your usual one (might not work well if you travel all the time) or from a different device.
Fuck this shit. There should be one password for logins and a master password for account actions and all faggy heuristics treated as breach of contract. They shouldn't even be tracking location.

I got locked out of a Yandex account once. I was paying taxes and moving registrars at the time and those utter cockmonglers nearly caused my longtime dictionary-word domain to lapse. I've had the same external IP for a decade now (but I don't allow much spyware and it triggers their anti-spam captchas every time cos requests look like a robot's without all the spy cookies). I was still logged into the mailbox on my phone and they were sending me emails like "There was a suspicious login attempt, someone put in the correct password and security question, don't worry, you're safe!" There was no button for "that was me you niggers!" I got it restored when they mailed me an ad for paid business email and I wrote back, "I would be interested if I could log in", they got a human to look at my case and I never paid lol.
 
Don't use passwords. Use passphrases. Incorporate words from at least two languages to double the number of dictionaries to search. If you use sentences, insert at least one unusual grammatical error to make it harder for large language models to hit on your passphrase. Now you've only got about a hundred out of band techniques to worry about.
 
This will make it easier for law enforcement (and smart criminals) to break into targeted accounts even if they are secured with end-to-end encryption. Instead of convincing a target to reveal their password, cops can just unlock their phone with FaceID or a fingerprint and then grab a 2FA code from the same phone.
 