Google explains why you should prioritize “security keys” over passwords


Alexandre Boero

October 13, 2023 at 8:00 a.m.

Thiébaut Meyer, Google Cloud's cybersecurity man, at the 2023 Security Conference © Alexandre Boero for Clubic

Speaking to Clubic, Thiébaut Meyer, cybersecurity director at Google Cloud, stresses the value of the much-discussed passkeys, or security keys, which aim to bring online protection into a new era by gradually eliminating passwords.

User authentication has always been a perennial problem, and the perfect solution has admittedly never been found. Depending on the circumstances, it takes a hacker no more than a few minutes, or even a few seconds, to bypass an 8-character password. “Have someone keep one 20-character password per site or app, and change them every 6 months”, and you will see that it is infeasible, we are warned.

Password managers can also fail. Google revised its guidance by pushing for two-factor authentication (validation code, SMS, etc.), because it was ultimately no longer satisfied with the password alone as protection. But the Mountain View firm wanted to go further with security keys. We discussed the value of this advance at the Security Conference in Monaco with Thiébaut Meyer, cybersecurity director at Google Cloud.

Security keys, the more reliable and easier alternative to passwords

In recent days, Google has intensified its campaign to eliminate passwords by enabling by default an option that lets users skip them wherever possible (it can be turned off in the settings) and replaces them with a passkey. This can take the form of a fingerprint, a PIN code or a scan of your face. A 40% time saving when unlocking your device, compared with a password, is cited.

“With the password, we share a secret between the user and the site on which we authenticate. With passkeys, it’s different: each user will have an access key per site, a key that they no longer need to know, write down or keep in the back of their mind”, explains Thiébaut Meyer.

Security keys, the future of connection on Google © Google

How do passkeys work?

Take your smartphone, on which the key is stored. To unlock it, you use the phone's own authentication, which unlocks the key and then seamlessly sends it to the site you want to authenticate to. “We have both simplicity of use and a level of security, since we are dealing with a complex chain that the user does not have to remember”, specifies Thiébaut Meyer.

Passkeys can be used in a Safari, Google or Microsoft environment. More or less everywhere, then. Google points out that this work was carried out in collaboration with other vendors in the FIDO Alliance, of which the company is a member (and which brings together many companies developing authentication standards), just like Uber and eBay. “It is by working with other actors that we achieve standards that are open, shared and used by everyone. This is how we manage to increase the level of security. Clearly, it is not by each working on our own protocol that we will achieve this”, notes the man who has worked in cybersecurity for many years.
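The flow described above, in the FIDO model that passkeys build on, as an added example that is not from the article or from Google: the site stores only a public key per user, and the phone answers a one-time challenge with a signature bound to the site's identity. `Phone`, `Site`, `shop.example` and `sh0p.example` are hypothetical names, and the message layout is a simplification, not the real WebAuthn wire format.

```javascript
// Added illustration: simplified passkey-style login (not the real WebAuthn format).
const nodeCrypto = require('crypto');

const bind = (rpId, challenge) =>          // signed data: site identity + one-time nonce
  Buffer.concat([nodeCrypto.createHash('sha256').update(rpId).digest(), challenge]);

class Phone {                              // hypothetical authenticator
  constructor() { this.keys = new Map(); } // rpId -> private key, never exported
  register(rpId) {
    const { publicKey, privateKey } =
      nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(rpId, privateKey);
    return publicKey;                      // the only thing the site receives
  }
  // rpId comes from the browser (the page's origin), not from the user.
  // unlocked stands in for the fingerprint, PIN or face check.
  sign(rpId, challenge, unlocked) {
    const key = this.keys.get(rpId);
    if (!key || !unlocked) return null;
    return nodeCrypto.sign('sha256', bind(rpId, challenge), key);
  }
}

class Site {                               // hypothetical relying party
  constructor(rpId) { this.rpId = rpId; this.publicKeys = new Map(); this.pending = new Map(); }
  enroll(user, publicKey) { this.publicKeys.set(user, publicKey); }
  challenge(user) {
    const nonce = nodeCrypto.randomBytes(32);
    this.pending.set(user, nonce);
    return nonce;
  }
  verify(user, signature) {
    const nonce = this.pending.get(user);
    this.pending.delete(user);             // each challenge is accepted once
    const pub = this.publicKeys.get(user);
    if (!nonce || !pub || !signature) return false;
    return nodeCrypto.verify('sha256', bind(this.rpId, nonce), pub, signature);
  }
}

function runScenarios() {                  // constructed sample users and domains
  const phone = new Phone(), site = new Site('shop.example');
  site.enroll('alice', phone.register('shop.example'));
  const sig = phone.sign('shop.example', site.challenge('alice'), true);
  const login = site.verify('alice', sig);
  site.challenge('alice');                 // fresh nonce: the old signature no longer fits
  const replay = site.verify('alice', sig);
  const lookalike = phone.sign('sh0p.example', site.challenge('alice'), true);
  const locked = phone.sign('shop.example', site.challenge('alice'), false);
  return { login, replay, lookalike, locked };
}
```

`runScenarios()` returns `login: true`, `replay: false`, and `null` for both the lookalike domain and the locked phone; a copy of the site's `publicKeys` map contains nothing that can be used to log in.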

Google’s idea is not to kill off passwords in three months, but to convince users of the progress that security keys represent, and of the improvement in security and comfort. As for making passkeys compulsory, this is not an option today.

No question of imposing passkeys on users, for the moment…

“Even without imposing it, I think that people will quickly see the benefit of this solution, particularly through the ergonomics and ease of use that you get from it via your phone. Maybe some sites will impose it, they are free to. But personally, I think everything will happen naturally”, explains Thiébaut Meyer, confident about the adoption of passkeys by the general public. A general public that nevertheless finds it difficult to change its habits. But Rome was not built in a day.

The Google Cloud logo at the 2023 Security Conference © Alexandre Boero for Clubic

Despite the undeniable contributions of the security key concept, it should not be seen as the miracle solution that will solve all the problems of the cyber planet. Take the example of biometrics and fingerprints. The scenario is not trivial, we grant you that, but a malicious individual is quite capable of lifting your fingerprint from a table, a bottle or some other object. Enough to bypass this security key?

“Zero risk will never exist, any more in this technology than in any other. The idea remains that when we try to find another protocol, another security standard, we ask ourselves how we can generally raise the level. And there, with the passkeys, I think that compared to the password, we take security up a notch”, defends Thiébaut Meyer. “Yes, we can find your print, my print. Once you have it, someone still has to steal my phone. But it will definitely be harder than stealing my password.”

The discussion with Thiébaut Meyer is a reminder of how crucial it is to rethink the way we ensure our security online. While no solution is completely infallible, passkeys are emerging as a promising method to greatly reduce the risk of being tricked or of seeing your password end up in a hacked database, then be recovered and exploited by hackers.


