Google Passkeys Can Now Sync Across Devices On Multiple Platforms (engadget.com)

Google is updating its Password Manager to allow users to sync passkeys across multiple devices, including Windows, macOS, Linux, and Android, with iOS and ChromeOS support coming soon. Engadget reports: Once saved, the passkey automatically syncs across other devices using Google Password Manager. The company says this data is end-to-end encrypted, so it'll be pretty tough for someone to go in and steal credentials. [...] Today's update also brings another layer of security to passkeys on Google Password Manager. The company has introduced a six-digit PIN that will be required when using passkeys on a new device. This would likely stop nefarious actors from logging into an account even if they've somehow gotten ahold of the digital credentials. Just don't leave the PIN number lying on a sheet of paper directly next to the computer.

  • by 93 Escort Wagon ( 326346 ) on Thursday September 19, 2024 @02:22PM (#64800341)

    I thought the whole argument in favor of passkeys was "the secret never leaves your device". If you're syncing your passkeys across devices, what's the security advantage to this?

    It sure seems to me that it's quickly become just a password that's managed by someone else instead of you... and without 2FA, to boot.

    • No, that was the original FIDO philosophy. A big reason for passkeys was syncing, to a large extent forced by Apple I assume.

      In the Apple ecosystem the passkeys are protected from OS level exploits. You can have full kernel level access and it won't give you the passkeys. I doubt Google can give that guarantee with just TPMs.

      • by unrtst ( 777550 )

        From: https://en.wikipedia.org/wiki/... [wikipedia.org]

        * No Server-Side Credential Storage: The private part of a credential is never stored on a server

        Syncing the private key to multiple devices means the private key is getting passed around on the network and almost certainly stored by Google.

        • Google can arbitrarily push an update to steal all your passkeys regardless.

          You have to trust google, but you don't have to trust the servers of other companies to protect the private part of the passkey.

    • If it's not customer friendly in some way, people won't use it. The security advantage of doing this is that it's still an improvement over today's options, which are all more friendly with password managers and authenticator apps that sync across devices.
      • by Rujiel ( 1632063 )

        "If it's not customer friendly in some way, people won't use it."

        Every huge tech company dragging its customers kicking and screaming into using 2FA over the last few years would probably share my disagreement with that point.

        • If you give people no other option, then they're forced to use it. That said, many vendors offer a variety of MFA options these days, so people choose based on what meets their cross-section of security and convenience.
    • by AmiMoJo ( 196126 )

      No, the argument was that the secret never gets stored on the server.

      With a password, even if it's hashed it can be recovered with a dictionary attack or just brute force. And that's assuming they did the hashing properly - better to just remove the possibility entirely.

      Passkeys only require a public key to be stored.

      Another advantage is that it eliminates password rules and the possibility of them being weak.

  • by sunderland56 ( 621843 ) on Thursday September 19, 2024 @02:30PM (#64800355)

    >> "it'll be pretty tough for someone to go in and steal credentials"

    Unless you work for Google.

    And, Google has not proven to be trustworthy with my personal information.

    • I'm not certain if that's mathematically true. I am certain that the vast majority of Google employees will not have this access.
    • by AmiMoJo ( 196126 )

      Chrome has had password sync since the start. So far no examples of them being stolen.

      You can also set your own password for them, and again no examples of that being stolen.

      You can of course use your own sync server, or just not enable it.

      Mozilla has a similar feature in Firefox. Most browsers do.

  • All the existing secure domains except Apple's don't seem designed for syncing. Can they truly protect passkeys from OS level root exploits this way? I think not.

  • I'll absolutely adopt this google product, right after they resurrect google reader. Sorry Google, fool me once shame on you, fool me 296 times, shame on me (https://killedbygoogle.com/).
    • Fucking hell, Google, you killed chromecast?!? https://www.theverge.com/2024/8/6/24214471/google-chromecast-line-discontinued. I feel like I need to study that page every other day to figure out which of my devices/services will be nerfed.
  • Passkeys solve the problem of someone phishing a user into giving them their password. Great. These potentially solve for 36% of data breaches as of 2023. However, Google and Apple want to make the device you're logging in from the same device as the passkey. They also don't allow an admin to turn passkeys off as a factor from the accounts admin console. This means that a thief who manages to grab an unlocked phone or a laptop from an unwitting mark has her device and entire login. Appreciating that this li
    • You can still demand a device bound passkey, but how is it actually a solution to the described threat? When they are logged in, they are logged in.

      As for the cross service persistence of the login, can't you just set user verification required with webauthn? Then they will need to re-enter pin/biometric for the new login.

  • I'm sure having a special password that we never use, except when adding new devices, will solve this password... I mean passkey, security problem.

    And that having easy, effective visibility into where our information exists would be too hard for them to implement. That warning users about new devices connecting to sensitive personal data is impossible to do effectively.
