Google Passkeys Can Now Sync Across Devices On Multiple Platforms

Google is updating its Password Manager to allow users to sync passkeys across multiple devices, including Windows, macOS, Linux, and Android, with iOS and ChromeOS support coming soon. Engadget reports: Once saved, the passkey automatically syncs across other devices using Google Password Manager. The company says this data is end-to-end encrypted, so it'll be pretty tough for someone to go in and steal credentials. [...] Today's update also brings another layer of security to passkeys on Google Password Manager. The company has introduced a six-digit PIN that will be required when using passkeys on a new device. This would likely stop nefarious actors from logging into an account even if they've somehow gotten ahold of the digital credentials. Just don't leave the PIN number laying on a sheet of paper directly next to the computer.

So what's the advantage of passkeys again?

[93 Escort Wagon]

I thought the whole argument in favor of passkeys was "the secret never leaves your device". If you're synching your passkeys across devices, what's the security advantage to this?

It sure seems to me that it's quickly become just a password that's managed by someone else instead of you... and without 2FA, to boot.

Re:

[Pinky's Brain]

No, that was the original FIDO philosophy. A big reason for passkeys was syncing, to a large extent forced by Apple I assume.

In the Apple ecosystem the passkeys are protected from OS level exploits. You can have full kernel level access and it won't give you the passkeys. I doubt Google can give that guarantuee with just TPMs.

Re:

[unrtst]

From: https://en.wikipedia.org/wiki/... [wikipedia.org]

* No Server-Side Credential Storage: The private part of a credential is never stored on a server

Syncing the private key to multiple devices means the private key is getting passed around on the network and almost certainly stored by Google.

Re:

[Pinky's Brain]

Google can arbitrarily push an update to steal all your passkeys regardless.

You have to trust google, but you don't have to trust the servers of other companies to protect the private part of the passkey.

Re:

[unrtst]

Google can arbitrarily push an update to steal all your passkeys regardless.

No, they can't. And if they push out an update that I choose to apply that does that, it would, at a minimum, violate the trust agreement, if not be illegal if it was not made clear it would be doing that. For example, Google Authenticator added the ability to backup/sync TOTP keys to the cloud, but it was very clear when that feature was added, and it was opt in.

You have to trust google, ...

No, you don't.

If google doesn't have any of the private key material (it's only on your device), then my device would need to be exploited to obta

Re:

[Pinky's Brain]

You have to trust their security. If they are compromised they can push an update, contracts won't stop that. Regardless if they have your private key they are always part of your root of trust.

It's technically possible to keep all sync material E2EE encrypted on their servers, but it necessitates cumbersome recovery methods with very long recovery key. Even Apple doesn't do that to keep the recovery process somewhat simple, entering a private key (or equivalent, such as bitcoin seed phrase) on a mobile pho

Re:

[unrtst]

You have to trust their security.

I don't know why you're saying this. I don't trust their security, and I make use of products such that I don't need to trust their security.

If they are compromised they can push an update...

How? That can only happen if you have allowed them to push updates. I don't.

Regardless if they have your private key they are always part of your root of trust.

Yeah, that's my point. They should NOT have my private key in any form, and I am not willing to play along with a solution that requires it. Just as I'm not willing to allow someone other than myself to decide when an update is applied to my device, I'm not going to do this either (and certainl

Re:

[tlhIngan]

No, that was the original FIDO philosophy. A big reason for passkeys was syncing, to a large extent forced by Apple I assume.

In the Apple ecosystem the passkeys are protected from OS level exploits. You can have full kernel level access and it won't give you the passkeys. I doubt Google can give that guarantuee with just TPMs.

Well, the problem with 2FA and other things is you often don't have the other thing on you when you need it.

If it's for work, fine, you affix the key to your laptop and there you go, i

Re:

[93 Escort Wagon]

Well, the problem with 2FA and other things is you often don't have the other thing on you when you need it.

"Often"? I can't say that's ever happened to me - even once.

Re:

[Pinky's Brain]

No objection from me, obviously syncing is easier. Regardless if you have your phone with you, if you are working on your laptop you don't want to switch. It's still 2FA, because you still need PIN/biometric as a separate factor from the registered/synced device. There is just some redundancy in the second factor.

Re:

[bhcompy]

If it's not customer friendly in some way, people won't use it. The security advantage of doing this is that it's still an improvement over today's options, which are all more friendly with password managers and authenticator apps that sync across devices.

Re:

[Rujiel]

"If it's not customer friendly in some way, people won't use it."

Every huge tech company dragging its customers kicking and screaming into using 2FA over the last few years would probably share my disagreement with that point.

Re:

[bhcompy]

If you give people no other option, then they're forced to use it. That said, many vendors offer a variety of MFA options these days, so people choose based on what meets their cross-section of security and convenience.

Re:

[AmiMoJo]

No, the argument was that the secret never gets stored on the server.

With a password, even if it's hashed it can be recovered with a dictionary attack or just brute force. And that's assuming they did the hashing properly - better to just remove the possibility entirely.

Passkeys only require a public key to be stored.

Another advantage is that it eliminates password rules and the possibility of them being weak.

Re:

[Grim Leaper]

No, the argument was that the secret never gets stored on the server.

With a password, even if it's hashed it can be recovered with a dictionary attack or just brute force. And that's assuming they did the hashing properly - better to just remove the possibility entirely.

Passkeys only require a public key to be stored.

Another advantage is that it eliminates password rules and the possibility of them being weak.

Thank you for the explanation. But adding a passkey to an account without removing the password just increases the attack surface. So many services keep offering to do that.

Re:

[AmiMoJo]

There is another benefit to PassKeys - instant login, meaning no cookies required. Instead of using cookies to keep you logged in, a site can just verify your PassKey with every page load.

As well as being better for privacy, it also means no cookie theft is possible.

Re: So what's the advantage of passkeys again?

[NewID_of_Ami.One]

Exactly my thoughts. Ever since one of the password managers started offering this feature of syncing FiDo keys, it's become a password generated and known only by your device/app

Stealing credentials

[sunderland56]

>> "it'll be pretty tough for someone to go in and steal credentials"

Unless you work for Google.

And, Google has not proven to be trustworthy with my personal information.

Re: Stealing credentials

[LindleyF]

I'm not certain if that's mathematically true. I am certain that the vast majority of Google employees will not have this access.

Re:

[AmiMoJo]

Chrome has had password sync since the start. So far no examples of them being stolen.

You can also set your own password for them, and again no examples of that being stolen.

You can of course use your own sync server, or just not enable it.

Mozilla has a similar feature in Firefox. Most browsers do.

Re:

[Tony Isaac]

From what I've seen, whenever there's a breach, especially one of this magnitude, *somebody* will claim responsibility for it or brag that they did it. I can't see a scenario where somebody figures out how to compromise Chrome's password manager, without it being big news. That's true even if the hackers are a foreign government, as we have seen with recent hacks of Microsoft's Outlook.com email addresses by the Chinese.

How can they communicate between secure domains?

[Pinky's Brain]

All the existing secure domains except Apple's don't seem designed for syncing. Can they truly protect passkeys from OS level root exploits this way? I think not.

I'll absolutely adopt this google product,

[Bill, Shooter of Bul]

I'll absolutely adopt this google product, right after they resurrect google reader. Sorry Google, fool me once shame on you, Fool me 296 times, shame on me (https://killedbygoogle.com/).

Re:

[Bill, Shooter of Bul]

Fucking hell, Google, you killed chromecast?!? https://www.theverge.com/2024/8/6/24214471/google-chromecast-line-discontinued. I feel like I need to stud that page every other day to figure out which of my devices/services will be nerfed.

For Phishing Non-Enthusiasts Only

[thomasboyles]

Passkeys solve the problem of someone phishing a user into giving them their password. Great. These potentially solve for 36% of data breaches as of 2023. However, Google and Apple want to make the device you're logging in from the same device as the passkey. They also don't allow an admin to turn passkeys off as a factor from the accounts admin console. This means that a thief who manages to grab an unlocked phone or a laptop from an unwitting mark has her device and entire login. Appreciating that this li

Re:

[Pinky's Brain]

You can still demand a device bound passkey, but how is it actually a solution to the described threat? When they are logged in, they are logged in.

As for the cross service persistence of the login, can't you just set user verification required with webauthn? Then they will need to re-enter pin/biometric for the new login.

So a passkey only for new devices?

[OneOfMany07]

I'm sure having a special password that we never use, except when adding new devices, will solve this password... I mean passkey, security problem.

And that having easy, effective visibility into where our information exists would be too hard for them to implement. That warning users about new devices connecting to sensitive personal data is impossible to do effectively.

Forget Windows turning into Android

[NotEmmanuelGoldstein]

... introduced a six-digit PIN ...

Passkeys were invented so users couldn't give passwords to criminals. So, this undoes all the benefits of passkeys. About 2 years ago, Google made passkeys automatically replace the much more difficult to copy OTP secret, (mostly because stupid people see only the authentication number). So Google is replacing two good something-you-have authenticators with a password: How dumb can Google get?

The second problem was lost passwords, so passkeys turned the phone into the password. Now, it's fix the lost

Pins on passkeys are too insecure, need passwords

[BKed]

Breaking news: it turns out that the pins they put on passkey use are too easy to guess, so users will now have to set new pins that contain both cases of letters and special characters in addition to numbers :)