It’s been a while since Google introduced its passkey login system which users won’t need to set and remember passwords in order to log in to their accounts. Now, Google is giving its users option to switch to passkey-only login for their accounts.
It simply works like this on your mobile phone (which needs biometrics implemented): type your username, pick a passkey, scan your finger/face. I’m not gonna lie, this is absolutely awesome. It’s a wonderful feature which makes logging in and signing up pretty easy and not a pain in the ass.
However, being forced to use biometrics to be able to use this feature is not what many people such as myself would like. I would like to be able to set a pattern to log in or type a pin or password on my mobile phone. I don’t like to share or store my biometric data (such as fingerprints and/or face scan) with my mobile phone no matter how safe or privacy-promising they are.
Also, this system is built using proprietary software. The passkey is a certificate that gets stored on your device. Your device shares a signature (not the certificate) with the service you’re signing into to prove you have access to the certificate. But they’re issuing you the cert through their proprietary software.
1Password’s passkey page also has a video saying that passkeys weren’t open enough. The video says, “Today’s solutions don’t deliver on that promise of openness and interoperability. If you create a password on your iPhone or Android device today, it’s pretty much trapped. It’s not easy to share, move it to another platform or sync with your preferred password manager. We can do better. And that’s why we’re excited to show you what the future could look like, if passwordless technology were more open.”
The whole passkey system is not something new though. The system works the way many public/private key systems, such as GPG/PGP, work. And our community, which is free and open, can build something like that. I would really like it if I could sign up on services giving them my public PGP key and when I want to sign in, I just sign a random message given to me to prove my identity.
Wouldn’t that be amazing? What I have in mind is simple. When I face a registration form, instead of setting a password or email address, i would like to paste my PGP public key in the form. Then system saves or remembers the public key and whenever I want to sign in, it generates a random message for me to sign. Then I sign the message using the private key which I have (and only me has access to it) and the system checks if the message is signed by the correct key and if it checks out, it logs me in.
Now I know it may sound kind of hard to do or more frustrating than simply typing your password or clicking on your password manager button for it to insert it for you but wouldn’t that be a good signing and logging system to use? Isn’t that more private than what we already have? And it can be synced with whatever device we have or want. We just need to sync our secret keys using infinite libre tools we already have.
And the amazing part is that it can be built using free software only. No proprietary program is needed to implement this and even password managers can implement and use it and it won’t be limited to any kind of operating system or computer.
What I’m proposing may not be perfect or even easy for many users but I’m sure it can be improved and it’ll work way better for everyone and it won’t be limited to big tech to decide who and how people can use it. If you have any idea or suggestion about this please inform me or, better, publish a blog or a social network post and send me the link so we can discuss it.
And if there’s a legal thing behind using ideas or anything, I have not read or heard a similar idea so if you though or have wrote about this before I did, I’m sorry. If you want to build a system based on my idea, you won’t need any permission so just go ahead. Although I would be happy if you inform me so I know somebody is working on something like this.