Microsoft, Google do a victory lap around passkeys

https://www.theregister.com/2024/05/02/microsoft_google_passkeys/

Microsoft today said it will now let us common folk — not just commercial subscribers — sign into our Microsoft accounts and apps using passkeys with our face, fingerprint, or device PIN.

The additional support for Microsoft consumer accounts works across Windows, Google, and Apple platforms, and Redmond described the move as a step closer to its 10-year dream: "A world free of passwords."

As of Thursday, people can sign into their Microsoft accounts using passkeys via desktop and mobile browsers, and we're told mobile app support is coming soon. 

The timing isn't coincidental. Today is also World Password Day, which, albeit a made-up holiday, usually marks the occasion for tech companies to brag about what they are doing to move away from requiring or encouraging users to remember or jot down in some way unique, strong passwords for each app and online service they use.

True to form, Google also marked the occasion by proclaiming that its year-old passkey support hit a milestone.

"Today, we announced that passkeys have been used to authenticate users more than 1 billion times across over 400 million Google Accounts," project managers Sriram Karra and Christiaan Brand said.

When Microsoft rolled out Windows Hello and Windows Hello for Business in 2015, it was detecting about 115 password attacks per second, or so says Redmond's Vasu Jakkal, corporate VP for security, compliance, identity and management, and Joy Chik, president for identity and network access.

As of 2023, that number had increased 3,378 percent to more than 4,000 per second.

"Password attacks are so popular because they still get results," Jakkal and Chik wrote in a blog post announcing the passkey support. 

"It's painfully clear that passwords are not sufficient for protecting our lives online," they said. "No matter how long and complicated you make your password, or how often you change it, it still presents a risk."

Passkeys are based on a FIDO alliance standard that's supported by Apple, Microsoft and Google. Think of them as password replacements.

The tech, simply put, works like this: When you create an account for a website or app, your device generates a cryptographic public-private key pair. The site or app backend gets a copy of the public key, and your device keeps hold of the private key; that private key stays private to your gear. When you come to log in, your device and the backend authentication system interact using their digital keys to prove you are who you say you are, and you get to log in. If you don't have the private key or can't prove you have it, you can't log in.

Your device can secure that private key locally using something like a biometric face scan, a PIN, or a fingerprint. Thus if someone wants to break into your account, they'll need your device and that secret PIN or biometric scan to unlock the private key (or somehow get a copy of the private key). This is seen as more secure than making people remember or store passwords, and ensures a unique key-pair per account. For those wondering about multifactor authentication, it's kinda baked in: Typically a crook will need to get hold of your physical device, and your secret or physical part of you to access the private key.

"Because this key pair combination is unique, your passkey will only work on the website or app you created it for, so you can't be tricked into signing in to a malicious look-alike website," Microsoft explained. "This is why we say that passkeys are 'phishing-resistant.'"
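The registration and challenge-response flow the paragraphs above describe, as an added illustration that is not part of the article and not Microsoft's or Google's code: a simplified model in Go on the standard-library ECDSA, where the origin the browser actually loaded is bound into the signed data, so a look-alike site gets no usable assertion. Real WebAuthn carries the origin in clientDataJSON and also signs a hash of the relying-party ID; the type and function names here are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models the device: one private key per relying-party ID (origin).
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }
// RelyingParty models the site backend: it holds only public keys, per user.
type RelyingParty struct {
	ID   string
	keys map[string]*ecdsa.PublicKey
}
func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }
func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, keys: map[string]*ecdsa.PublicKey{}}
}
// signedDigest binds the challenge to an origin; the NUL keeps the two apart.
func signedDigest(origin string, challenge []byte) []byte {
	d := sha256.Sum256(append([]byte(origin+"\x00"), challenge...))
	return d[:]
}

// Register mints a fresh P-256 key pair for this site; the backend gets only the public half.
func (a *Authenticator) Register(rp *RelyingParty, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a.keys[rp.ID] = priv
	rp.keys[user] = &priv.PublicKey
	return nil
}

// Assert signs the challenge for the origin the browser really loaded; a look-alike
// origin matches no stored key, so the device has nothing to sign for it.
func (a *Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[origin]
	if !ok {
		return nil, errors.New("no passkey registered for origin " + origin)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedDigest(origin, challenge))
}

// Verify recomputes the digest over its own ID and the fresh challenge, so a
// signature made for another origin or for an old challenge is rejected.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.keys[user]
	return ok && ecdsa.VerifyASN1(pub, signedDigest(rp.ID, challenge), sig)
}
```

The backend never sees the private key, and an assertion signed for one origin or one challenge is worthless for any other.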

Ultimately, they aim to simplify security for users by relying on a face or fingerprint scan instead of requiring people to remember a unique 47-character password for every damn app and website they access that includes uppercase letters, lowercase letters, numbers, special characters, and the name of your first pet but only if they were a parakeet.

"The best part about passkeys is that you'll never need to worry about creating, forgetting, or resetting passwords ever again," according to Jakkal and Chik.

To be fair, this is probably an overstatement. Criminals are a cunning bunch, and they may find ways to break this latest approach — and we're not talking about cutting off people's fingers or faces. 

But on this World Password Day, here's hoping we can bask in the simplicity and security of passkeys for at least another year. ®

By Jessica Lyons, The Register, 2024-05-02