It would be nice to skip the page where you press the "Next" confirmation button to ask if you want to log in with the pass key and automatically display the authentication screen. If it's set as the default authentication tool, I think we should make sure to choose an option or fail it.
As a developer I am excited about this authentication method build on top of Webauthn. As a - sometimes a bit paranoid - user I fear that I'd have to use the OS or browser vendors credential managers to sync the private keys instead of FOSS and storage of my choosing. I curious about the way this will develop.
Hello, thank you for the explanation, but how can one change from two factors authentication, (like Google or Apple) to passkey, or whether any website or app, they must first give way to use passkey?
Could passkeys be the sole method for signing up and logging in, or does it need to rely on a traditional authentication mechanism? And is it still necessary to have the user enter a unique username or email address?
Does this make it possible to create anonymous user authentication? It seems this removes the need for a unique identifier such as email addresses for users to log in, in that case there is no need to know the identity of the user. Really cool for privacy-first apps!
I don't know what you exactly mean by anonymous user authentication, but creating an anonymous account is totally possible with a passkey. Though, it's already possible with a password too. It's just a matter of the service's preference to ask the user's email address.
Yes, passkeys created on Android are backed up and synced with Android devices that are signed in to the same Google Account, in the same way as passwords are backed up to the password manager. That means user's passkeys go with them when they replace their devices. To sign into apps on a new phone, all the user needs to do is to verify themselves with their existing device's screen lock. developers.google.com/identity/passkeys/faq#what_happens_if_a_user_loses_their_device
that means the user still needs to login using pass + 2nd factor to login to their new devices... which means the android (google) itself can NOT be only supported by passkey.@@agektmr
As I understand there are Roaming authenticators (Phone, USB, etc) and Platform authenticators (Laptop, Desktop). When I experimented last there was issue if user creates account on website using a platform authenticator which is likely more convenient, then later they try login to the account from their phone, but they can't since it is a different device. From what I understood in the video, FIDO's solution to mitigate this is to allow syncing credentials across devices. Can you explain more about this works? It was my understanding these credentials don't leave the TPM (Trusted Platform Module) and I didn't understand how they could be shared. It seems like the boundary between Roaming and Platform is less clear now, and perhaps doesn't matter. Although the synchronization may be extra level of complexity for users.
A passkey created on a device is actually a private key and some metadata, and it will be synchronized across devices through the credential provider - for Google's case, Google Password Manager. It's encrypted on the device and needs to be decrypted on the sync'ed device. To learn how it works more, please read developers.google.com/identity/passkeys/supported-environments or passkeys.dev/device-support/
So far a great presentation, and I expect the presenter is likely a great engineer at Google. So props to him. But for a presentation like this, would it not make sense to have someone who is more fluent - or rather, has less of a foreign accent - to actually present it? No disrespect to anyone intended, I just wonder at the idea.
I suppose the difficulty here is the variety in the audience. Is this globally targeted? Does this accent make it easier to understand for a large group of people, just a different group to the one I am a part of? How many variations would it make sense to publish? A couple for each major language .. perhaps a dozen in english, for those with different cultural backgrounds and strong accents?
Join the conversation in the comments below for a chance to get your questions answered by the Chrome team. 👇👇🏻👇🏿👇🏽 👇🏾👇🏼
It would be nice to skip the page where you press the "Next" confirmation button to ask if you want to log in with the pass key and automatically display the authentication screen. If it's set as the default authentication tool, I think we should make sure to choose an option or fail it.
FedCM FTW! Thank you !!
Good video, thanks.
As a developer I am excited about this authentication method build on top of Webauthn. As a - sometimes a bit paranoid - user I fear that I'd have to use the OS or browser vendors credential managers to sync the private keys instead of FOSS and storage of my choosing. I curious about the way this will develop.
The plan is you will be able to choose a password manager of your choice for passkeys starting Android 14.
@@agektmr Sounds great. Thank you.
Thanks
Hello, thank you for the explanation, but how can one change from two factors authentication, (like Google or Apple) to passkey, or whether any website or app, they must first give way to use passkey?
Could passkeys be the sole method for signing up and logging in, or does it need to rely on a traditional authentication mechanism? And is it still necessary to have the user enter a unique username or email address?
Does this make it possible to create anonymous user authentication? It seems this removes the need for a unique identifier such as email addresses for users to log in, in that case there is no need to know the identity of the user. Really cool for privacy-first apps!
I don't know what you exactly mean by anonymous user authentication, but creating an anonymous account is totally possible with a passkey. Though, it's already possible with a password too. It's just a matter of the service's preference to ask the user's email address.
whats the word on using a passkey on a shared account. for example i shared a profile with 2 others can I safely add a passkey that only I will use?
01:32 "as a developer you only store a public key instead of a password" - why would you as a developer store a password instead of password hash?
What happens when the user deletes created passkey? How can I bind this user with an account in my service?
Is there a solution for situtations when the phone is stolen or broken that also non-technical users can understand?
Yes, passkeys created on Android are backed up and synced with Android devices that are signed in to the same Google Account, in the same way as passwords are backed up to the password manager. That means user's passkeys go with them when they replace their devices. To sign into apps on a new phone, all the user needs to do is to verify themselves with their existing device's screen lock. developers.google.com/identity/passkeys/faq#what_happens_if_a_user_loses_their_device
that means the user still needs to login using pass + 2nd factor to login to their new devices... which means the android (google) itself can NOT be only supported by passkey.@@agektmr
As I understand there are Roaming authenticators (Phone, USB, etc) and Platform authenticators (Laptop, Desktop). When I experimented last there was issue if user creates account on website using a platform authenticator which is likely more convenient, then later they try login to the account from their phone, but they can't since it is a different device.
From what I understood in the video, FIDO's solution to mitigate this is to allow syncing credentials across devices. Can you explain more about this works? It was my understanding these credentials don't leave the TPM (Trusted Platform Module) and I didn't understand how they could be shared. It seems like the boundary between Roaming and Platform is less clear now, and perhaps doesn't matter. Although the synchronization may be extra level of complexity for users.
A passkey created on a device is actually a private key and some metadata, and it will be synchronized across devices through the credential provider - for Google's case, Google Password Manager. It's encrypted on the device and needs to be decrypted on the sync'ed device. To learn how it works more, please read developers.google.com/identity/passkeys/supported-environments or passkeys.dev/device-support/
@@agektmr Can Google Password Manager sync the private key from Android to iOS? In another words, can I register on Android and login on iOS?
@@wnbot Not yet, but we do plan to do that.
Can I use a passkey to sign into my Chromebook?
You can use your phone to sign in on Chromebook, now. In the future, you'll be available to use the device's biometric sensor to sign in to websites!
What the differences with normal webauthn?
To create and authenticate with passkeys, you use WebAuthn and there's nothing different from web developer perspective.
So far a great presentation, and I expect the presenter is likely a great engineer at Google. So props to him. But for a presentation like this, would it not make sense to have someone who is more fluent - or rather, has less of a foreign accent - to actually present it? No disrespect to anyone intended, I just wonder at the idea.
I suppose the difficulty here is the variety in the audience. Is this globally targeted? Does this accent make it easier to understand for a large group of people, just a different group to the one I am a part of? How many variations would it make sense to publish? A couple for each major language .. perhaps a dozen in english, for those with different cultural backgrounds and strong accents?