Learn passkeys for simpler and safer sign-in
HTML-код
- Опубликовано: 26 июн 2024
- After years of work, we’re finally ready to retire passwords, creating simpler, smoother, and more secure experiences for your users that seamlessly across all the major platforms. This session will detail the benefits of passkeys, how to use them to deliver streamlined authentication flows, and how to evolve your identity stack to embrace this new technology.
Resources:
Sign in with a passkey through form autofill → goo.gle/3MlyD2a
Create a passkey for passwordless logins → goo.gle/3Kcytrf
Sign in your user with Credential Manager → goo.gle/3UpWq3f
Speaker: Eiji Kitamura
Watch more:
Watch all the Technical Sessions from Google I/O 2023 → goo.gle/IO23_sessions
Watch more Web Sessions → goo.gle/IO23_web
All Google I/O 2023 Sessions → goo.gle/IO23_all
Subscribe to Google Chrome Developers → goo.gle/ChromeDevs
#GoogleIO - Наука
Join the conversation in the comments below for a chance to get your questions answered by the Chrome team. 👇👇🏻👇🏿👇🏽 👇🏾👇🏼
FedCM FTW! Thank you !!
It would be nice to skip the page where you press the "Next" confirmation button to ask if you want to log in with the pass key and automatically display the authentication screen. If it's set as the default authentication tool, I think we should make sure to choose an option or fail it.
Good video, thanks.
Thanks
As a developer I am excited about this authentication method build on top of Webauthn. As a - sometimes a bit paranoid - user I fear that I'd have to use the OS or browser vendors credential managers to sync the private keys instead of FOSS and storage of my choosing. I curious about the way this will develop.
The plan is you will be able to choose a password manager of your choice for passkeys starting Android 14.
@@agektmr Sounds great. Thank you.
Hello, thank you for the explanation, but how can one change from two factors authentication, (like Google or Apple) to passkey, or whether any website or app, they must first give way to use passkey?
Could passkeys be the sole method for signing up and logging in, or does it need to rely on a traditional authentication mechanism? And is it still necessary to have the user enter a unique username or email address?
Does this make it possible to create anonymous user authentication? It seems this removes the need for a unique identifier such as email addresses for users to log in, in that case there is no need to know the identity of the user. Really cool for privacy-first apps!
I don't know what you exactly mean by anonymous user authentication, but creating an anonymous account is totally possible with a passkey. Though, it's already possible with a password too. It's just a matter of the service's preference to ask the user's email address.
As I understand there are Roaming authenticators (Phone, USB, etc) and Platform authenticators (Laptop, Desktop). When I experimented last there was issue if user creates account on website using a platform authenticator which is likely more convenient, then later they try login to the account from their phone, but they can't since it is a different device.
From what I understood in the video, FIDO's solution to mitigate this is to allow syncing credentials across devices. Can you explain more about this works? It was my understanding these credentials don't leave the TPM (Trusted Platform Module) and I didn't understand how they could be shared. It seems like the boundary between Roaming and Platform is less clear now, and perhaps doesn't matter. Although the synchronization may be extra level of complexity for users.
A passkey created on a device is actually a private key and some metadata, and it will be synchronized across devices through the credential provider - for Google's case, Google Password Manager. It's encrypted on the device and needs to be decrypted on the sync'ed device. To learn how it works more, please read developers.google.com/identity/passkeys/supported-environments or passkeys.dev/device-support/
whats the word on using a passkey on a shared account. for example i shared a profile with 2 others can I safely add a passkey that only I will use?
01:32 "as a developer you only store a public key instead of a password" - why would you as a developer store a password instead of password hash?
What happens when the user deletes created passkey? How can I bind this user with an account in my service?
Can I use a passkey to sign into my Chromebook?
You can use your phone to sign in on Chromebook, now. In the future, you'll be available to use the device's biometric sensor to sign in to websites!
Is there a solution for situtations when the phone is stolen or broken that also non-technical users can understand?
Yes, passkeys created on Android are backed up and synced with Android devices that are signed in to the same Google Account, in the same way as passwords are backed up to the password manager. That means user's passkeys go with them when they replace their devices. To sign into apps on a new phone, all the user needs to do is to verify themselves with their existing device's screen lock. developers.google.com/identity/passkeys/faq#what_happens_if_a_user_loses_their_device
that means the user still needs to login using pass + 2nd factor to login to their new devices... which means the android (google) itself can NOT be only supported by passkey.@@agektmr
What the differences with normal webauthn?
To create and authenticate with passkeys, you use WebAuthn and there's nothing different from web developer perspective.
For example, passkey is on in my google account and my phone was stolen and then I bought myself a new phone. My question is how do I log in with the passkey on the new phone?
You can use your password and the second factor to sign in to your Google account and recover your passkeys using the previous device's PIN.
@@agektmrIn the end, you still have to use a password. So how can we say Passkey will replace password? The bad guy will pretend that the phone is lost or broken to be able to enter the password. So how can we say Passkey is more secure than password?
So far a great presentation, and I expect the presenter is likely a great engineer at Google. So props to him. But for a presentation like this, would it not make sense to have someone who is more fluent - or rather, has less of a foreign accent - to actually present it? No disrespect to anyone intended, I just wonder at the idea.
I suppose the difficulty here is the variety in the audience. Is this globally targeted? Does this accent make it easier to understand for a large group of people, just a different group to the one I am a part of? How many variations would it make sense to publish? A couple for each major language .. perhaps a dozen in english, for those with different cultural backgrounds and strong accents?