In a major move forward for passwordless authentication, Google is introducing passkeys across Google Accounts on all major platforms.
In a brief blog post entitled “The beginning of the end of the password,” Google group product manager Christiaan Brand and senior product manager Sriram Karra called passkeys “the easiest and most secure way to sign into apps and websites and a major step toward a ‘passwordless future.’”
Google’s move will make passkeys an additional verification option alongside passwords and two-factor verification. Passkeys can be created within Google accounts at g.co/passkeys.
Passkeys, Brand and Karra wrote, “let users sign into apps and sites the same way they unlock their devices: with a fingerprint, a face scan or a screen lock PIN. And, unlike passwords, passkeys are resistant to online attacks like phishing, making them more secure than things like SMS one-time codes.”
Today’s announcement follows a plan introduced a year ago to implement passwordless support for FIDO Sign-in standards in Android and Chrome, with support from Apple and Microsoft. “Passkeys are a safer, faster, easier replacement for your password,” Microsoft corporate vice president of product management Alex Simons wrote at the time. Microsoft began its own move toward passwordless in Sept. 2021.
As Apple software engineering manager Ricky Mondello put it earlier today, “Step 1: Build everyone’s confidence in passkeys. Step 2: Yeet the password.”
Your Device Is Your Password
In a separate blog post published today, Google’s Arnar Birgisson and Diana K. Smetters explained how passkeys work.
A cryptographic private key is stored on your device, and the corresponding public key is uploaded to Google. “When you sign in, we ask your device to sign a unique challenge with the private key,” Birgisson and Smetters wrote. “Your device only does so if you approve this, which requires unlocking the device. We then verify the signature with your public key.”
The device also ensures that the signature can only be shared with Google websites and apps. “This means you don’t have to be as watchful with where you use passkeys as you would with passwords, SMS verification codes, etc.,” Birgisson and Smetters wrote.
“When you use a passkey to sign into your Google Account, it proves to Google that you have access to your device and are able to unlock it,” Birgisson and Smetters wrote. “Together, this means that passkeys protect you against phishing and any accidental mishandling that passwords are prone to, such as being reused or exposed in a data breach.”
Syncing Between Devices
Some platforms can sync passkeys to other devices using end-to-end encryption – a passkey created on an iPhone, for example, can also be accessed on other Apple devices that are signed into the same iCloud account. “This protects you from being locked out of your account in case you lose your devices, and makes it easier for you to upgrade from one device to another,” Birgisson and Smetters wrote.
Still, passkeys do allow anyone with physical access to your unlocked device to access your account. “While that might sound a bit alarming, most people will find it easier to control access to their devices rather than maintaining good security posture with passwords and having to be on constant lookout for phishing attempts,” Birgisson and Smetters wrote.
In the short term at least, some challenges remain. In response to a customer query, 1Password tweeted that “support for passkeys in 1Password isn’t available quite yet but will be coming this summer!” Another user noted that passkeys are not yet supported in Google Workspace, observing, “Workspace admins first have to enable passkeys, but the option is not available yet.”
And using Firefox on a MacBook Air with a fingerprint sensor, my attempt to create a passkey returned a frustratingly straightforward error message: “A passkey can’t be created on this device.” Unsurprisingly, though, it worked using Chrome.
Despite any shortcomings or hiccups, Google’s move is a big step forward for passkeys, and for a future without passwords in general.