Are passkeys based on biometrics?

By Chrome for Developers


Key Concepts

  • Passkey: A replacement for passwords, offering enhanced security and ease of use. It is based on public-private key cryptography.
  • Public-Private Key Pair: A cryptographic mechanism where a public key is used for encryption or verification, and a private key is used for decryption or signing.
  • Biometric Authentication: The use of unique biological characteristics (like fingerprints or facial scans) to verify a user's identity.
  • Password Manager: A tool that securely stores and manages passwords and passkeys, often syncing them across devices.
  • Public Key Cryptography: A cryptographic system that uses pairs of keys: a public key that can be freely shared, and a private key that must be kept secret.

How Passkeys Work and Their Relationship with Biometrics

This video explains the fundamental workings of passkeys and clarifies the role of biometrics in their implementation. The core message is that while biometrics are often used to unlock passkeys, they are not the primary security mechanism, and the biometric data itself never leaves the user's device.

What is a Passkey?

  • A passkey is presented as a superior alternative to traditional passwords.
  • It allows users to log into websites and applications in a more secure and convenient manner.
  • Technically, a passkey is built upon a public-private key pair.
  • Unlike passwords, users do not need to remember or save passkeys; they are automatically generated and unique for each website and account.
  • Passkeys are stored securely on behalf of the user, either within a device's password manager or on a physical security key.
  • The video strongly recommends using a password manager that syncs passkeys across devices, such as Google Password Manager, for optimal convenience.

The Role of Biometrics in Passkey Authentication

  • When signing in, users are often prompted to verify their identity. This is where biometrics, such as fingerprint scans or facial recognition, come into play.
  • Crucially, biometric data (fingerprints, face scans) never leaves the user's device and is not shared with the website.
  • This biometric check is performed entirely locally by the password manager.
  • The password manager requires this local verification before it will access the passkey to facilitate the sign-in process.
  • This adds an extra layer of security, preventing unauthorized access even if someone gains access to the user's device.

The Technical Underpinnings of Passkey Authentication

  • The video clarifies that the biometric data is not what is being transmitted.
  • At a technical level, a passkey refers to the private key of a public-private key pair generated for a specific website and account combination.
  • Once the password manager confirms the user's identity (often via biometrics), it does not send the passkey itself to the website.
  • Instead, the password manager uses the private key to sign a payload.
  • The resulting signature is then sent to the website. It serves as proof that the user possesses the correct private key.
  • The website, using the associated public key, can then verify this signature and complete the sign-in process.
  • This process reiterates that both the passkey (private key) and the biometric data remain on the user's device.

Security and Privacy Assurance

  • Users can be assured that there is no risk of their biometric data being leaked, sold for profit, or used for tracking purposes.
  • Biometric authentication is described as a "small part" of using passkeys, and in some scenarios, it may not be involved at all.
  • The video emphasizes that public key cryptography is the fundamental technology enabling the benefits of passkeys.

Conclusion

Passkeys offer a secure and user-friendly alternative to passwords, leveraging public-private key cryptography. Biometrics play a role in unlocking access to these passkeys, but this verification is strictly local, and the sensitive biometric data never leaves the user's device. The true security and functionality of passkeys are derived from the underlying public key cryptography, not from the transmission of biometric information.
