this post was submitted on 08 Jun 2025
11 points (86.7% liked)

degoogle

189 readers
14 users here now

Quit your Google addiction. Use privacy focused Services.

founded 2 months ago
MODERATORS
tfm@europe.pub
11
Google pushing Gmail users to transition to passkeys using biometric data (archive.ph)
submitted 1 day ago by tfm@europe.pub to c/degoogle@europe.pub
4 comments fedilink hide all child comments
 

cross-posted from: https://europe.pub/post/1236359

cross-posted from: https://lemmy.nz/post/23935860

Google warns “passwords are not only painful to maintain, but are also more prone to phishing and often leaked through data breaches.” And that’s the real issue. “It’s important to use tools that automatically secure your account and protect you from scams,” Google tells users, and that means upgrading account security now.

Google says “we want to move beyond passwords altogether, while keeping sign-ins as easy as possible.” That includes social sign ins, but mainly it means passkeys. “Passkeys are phishing-resistant and can log you in simply with the method you use to unlock your device (like your fingerprint or face ID) — no password required.”

This is just one of their excuses, to keep their users inside google's walled-garden

you are viewing a single comment's thread
view the rest of the comments
[–] AE5NE@lemmy.radio 3 points 1 day ago (1 children)

passkeys are way for your a token unlocked by your device’s biometric sensor to validate a request. biometric information is not sent to Google

[–] andybytes@programming.dev 2 points 23 hours ago (1 children)

That's what they always say.

[–] vonbaronhans@midwest.social 1 points 6 hours ago

In this case, it's pretty true. You can view the webauthn protocol, the FIDO2 documentation, etc, that are the foundation of what we know as "passkey" technology.

It's all cryptographic hashes getting sent around, essentially. The more high-grade security implementations are "device-bound passkeys" which do require a minimal amount of hardware registration, though, but you shouldn't ever need to do that unless you're like... accessing sensitive datasets or secure services, at which point you're most likely registering a work device, anyhow.