Password No More For Google: Google Passkey Login Introduced


Google has started offering the option to log in using passkeys, which eliminates the need to remember complex passwords. The Google passkey announcement came on May 3, on the eve of this year’s World Password Safety Day.

Passkeys use cryptographic security anchored to a user’s phone or computer and often incorporate biometric authentication.

Google has previously integrated passkey support into its Android phone software and Chrome web browser but has only now announced the ability to use passkeys to log onto Google websites. Users can still use other login methods alongside passkeys for now.

“Over the past year we’ve shared updates on bringing passkey experiences to both Chrome and Android, which services like Docusign, Kayak, PayPal, Shopify and Yahoo! Japan have already deployed to streamline sign-in for their users,” Google executives Christiaan Brand and Sriram Karra said in a blog post on 3 May.

“Starting today, this will be available as an option for Google Account users who want to try a passwordless sign-in experience.”

Google, passkeys, and passwords

“When you add a passkey to your Google Account, we will start asking for it when you sign in or perform sensitive actions on your account,” wrote Google executives Arnar Birgisson and Diana K Smetters in an explainer.

“The passkey itself is stored on your local computer or mobile device, which will ask for your screen lock biometrics or PIN to confirm it’s really you.”

Traditional passwords are often weak and easily guessable, leading to credential stuffing attacks. Dual factor authentication can provide additional security, but can also have its own issues.

Passkeys, however, are designed to sidestep these problems using cryptographic standards to protect authentication. The Fast Identity Online Alliance (FIDO) repurposed these standards to make authentication easier and more affordable.

FIDO, the open industry association launched in February 2013, works towards developing and promoting authentication standards that “help reduce the world’s over-reliance on passwords”.

“Passwords endure despite the growing consensus their use needs to be reduced, if not replaced. But even though effective PKI and strong authentication solutions have existed for years, barriers to widespread adoption persist,” said the FIDO mission statement.

“Consumers don’t like the user experience, and online service providers don’t want the cost and complexity of developing and provisioning their own dedicated solutions.”

While the Google passkey announcement is significant, other companies have already integrated passkey login support, including eBay, Docusign, PayPal, and Shopify.

Passkeys work by authenticating locally on a user’s device, rather than relying on a website’s service. This method mitigates the risk of phishing attacks.
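What the website checks after the device has authenticated the user locally, following the WebAuthn standard that passkeys build on, is sketched below as an added example (not code from the article, Google or FIDO) that goes beyond the article's description. The domain names, function names and scenarios are constructed for illustration; the device is simulated with a freshly generated P-256 key.

```javascript
// Added example: relying-party checks on a passkey (WebAuthn) sign-in assertion.
const crypto = require('node:crypto');

const RP_ID = 'example.com';            // assumed relying-party ID
const ORIGIN = 'https://example.com';   // assumed legitimate origin
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Stand-in for the user's device: signs with a private key that never leaves it.
// A real browser fills in the origin itself and only releases a credential
// to pages whose domain matches the rpId it was registered for.
function makeAssertion(privateKey, challenge, origin, rpId) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  const flags = Buffer.from([0x05]);    // user present (0x01) | user verified (0x04)
  const authenticatorData = Buffer.concat([sha256(rpId), flags, Buffer.alloc(4)]);
  const signature = crypto.sign('sha256',
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Server side: returns 'ok' or the first reason for rejecting the sign-in.
function verifyAssertion(a, publicKey, expectedChallenge) {
  const cd = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (cd.type !== 'webauthn.get') return 'wrong type';
  if (cd.challenge !== expectedChallenge.toString('base64url')) return 'challenge mismatch';
  if (cd.origin !== ORIGIN) return 'origin mismatch';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpIdHash mismatch';
  if ((a.authenticatorData[32] & 0x04) === 0) return 'user not verified';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

// Constructed scenarios: one genuine sign-in and three that must be rejected.
function demo() {
  const opts = { namedCurve: 'prime256v1' };
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', opts);
  const unregistered = crypto.generateKeyPairSync('ec', opts).privateKey;
  const challenge = crypto.randomBytes(32);
  const good = makeAssertion(privateKey, challenge, ORIGIN, RP_ID);
  const lookalike = makeAssertion(privateKey, challenge, 'https://examp1e.test', 'examp1e.test');
  const wrongKey = makeAssertion(unregistered, challenge, ORIGIN, RP_ID);
  return {
    genuine: verifyAssertion(good, publicKey, challenge),
    lookalikeSite: verifyAssertion(lookalike, publicKey, challenge),
    replayed: verifyAssertion(good, publicKey, crypto.randomBytes(32)),
    wrongKey: verifyAssertion(wrongKey, publicKey, challenge),
  };
}
console.log(demo());
```

The server stores only the public key, so a breach of its credential database yields nothing that can be replayed as a login.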

Passkeys can be set up on multiple devices, and Google also offers a QR code scanning mechanism for temporary logins on unfamiliar devices.

Industry buoyant on Google passkeys

The authentication industry has welcomed the Google passkey announcement enthusiastically.

“With Google turning on passkey support today, more than 1.5 billion people around the world now have the opportunity to adopt passkeys,” Jeff Shiner, CEO of 1Password, wrote in a blog post.

“As we actively work with other FIDO Alliance leaders to eliminate passwords, we’ll inevitably remove one of phishers’ biggest rewards – credentials. This is a tipping point for passkeys and making the online world safer.”

The move to abandon passwords has been gaining strength in recent years. Security risks associated with passwords have pushed the growth of access authentication businesses.

“Nearly all IT professionals (~95%) agree that passwords pose real security risks to their organization,” said a report by security and networking company Nomios.

“People have been using weak passwords for as long as we can remember, then there’s mishandling passwords (writing them on post-its) and reusing the ones we feel comfortable with.”

The human element in password management aggravates the situation.

“Humans are really bad at creating randomness. So when it comes to creating passwords and remembering passwords, human-made passwords are generally not very strong,” wrote Nick Steele, Research Lead at Superlunar and co-chair of the WebAuthn Adoption Community Group.

“And humans also tend to use heuristics and elements that they can reuse over and over. So even passwords that are created by humans that are slightly different, still tend to be pretty easy to crack.”




