Passkey Coming to Chrome Stable

Posted on Wednesday, Dec 14, 2022 by Ned Bellavance

Featured in this episode of Chaos Lever

Passwords suck. We all know this. And we also know that password managers are a kludge for a flawed system. There are definitely better ways to verify a person’s identity on a per-site basis without having to deal with dodgy web forms intended for frail human fingers and memories.

The FIDO alliance has been working to replace passwords with passkeys since its inception in 2012. It’s frankly pathetic that it has taken the industry 10 years to create a specification and have it adopted into a major browser. But I digress. Version 108 of the Chrome browser will have full support for passkeys on Windows 11, macOS, and Android. If you were already using Safari, you’ve had support for FIDO and using FaceID for login for a while now.

Passkeys differ from a password in multiple ways. First, there’s no field for you to awkwardly type in a long string of characters, passkeys use the WebAuthn standard to request and receive authentication information. Secondly, the passkey is unique to each website, meaning that if the site is hacked and passkeys exposed, they cannot be used on other sites. They also have to be of a certain length, preventing users from selecting shorter, less secure strings.

Passkeys also require the presence of a physical device to complete the authentication, meaning that the site is storing the equivalent of your public key and not the private key. The private key is stored locally on your OS or browser’s built-in keystore, and it uses the physical device as a proximity check. So even if someone gains access to your browser with the private keys, they still can’t use them unless they have the proximity device. And if they have that, you’ve got bigger problems than your Grindr login.

There is a lengthy list of caveats on supported operating systems and devices, so check the linked Register article for more info.