Google is announcing a major effort to let its personal account holders log in with the password replacement known as “passkeys.” The feature launches today for the company’s billions of accounts, and users will be able to proactively seek it out and turn it on. Google says it plans to promote passkeys in the coming months and start nudging account holders to convert their traditional username and password login to a passkey.
Password-based authentication has been standard across the internet (and computing in general) for decades, but the system has serious security issues, namely that attackers can steal your password or trick you into giving it to them in phishing attacks. The passkey scheme is specifically designed to address phishing attacks by relying on a different model that uses cryptographic keys stored on your devices for account authentication.
In the year since the industry association known as the FIDO Alliance began publicly promoting the rollout of passkeys, the makers of the world’s biggest consumer operating systems—Microsoft, Google, and Apple—have launched the necessary infrastructure to support passkeys. But if you still have never used a passkey in your daily life, you’re far from alone.
The next step toward passkey adoption is for services to actually offer passkeys as a login option for user accounts. So far, companies like PayPal, Shopify, CVS Health, Kayak, and Hyatt have taken the plunge. Today’s launch of passkeys for Google’s users is noteworthy given the company’s resources and sheer scale.
“It’s very, very significant,” says Andrew Shikiar, executive director of the FIDO Alliance. “It’s an inflection point. A company like Google enabling this with so many people actually seeing passkey sign-ins, they’ll be more likely to use them elsewhere. And it will also accelerate other companies’ deployment plans and help them deploy better, because we will learn from this as a body.”
You can log in with passkeys using biometric sensors like fingerprint or face scanners, your smartphone’s device lock PIN, or physical authentication dongles like YubiKeys. To transition your Google account, you’ll navigate to this link, log in with your username, password, and any additional authentication factors you have set up, and then click “+ Create a passkey” on the device you’re using.
“We have an opportunity here to change the way users think about signing in,” says Christiaan Brand, an identity and security product manager at Google and co-chair of the FIDO2 technical working group. “If we can change the way that signing in works for your Google account, we hope that consumers will start to get more accustomed to the technology, and also signal to industry that we’re not just talking about this stuff—it is ready for prime-time adoption.”
Passkeys can sync between your devices through end-to-end encrypted services like Google Password Manager and iCloud Keychain. Or you can set up passkeys on multiple devices by generating a QR code on a device that’s logged in to your Google account that will anoint another device where you want to log in.