Google has rolled out a passkey option that people can use to sign into its services alongside traditional authentication methods, and proclaimed a major step towards a “passwordless future”.
Released in advance of the annual World Password Day security marketing jamboree, the Google passkey is the culmination of a year-long, multi-party effort between Apple, Google and Microsoft, which banded together in 2022 to expand support for the Fast Identity Online Alliance’s (FIDO Alliance’s) FIDO2 specification – enabling users to use passwordless authentication across Android, iOS, Chrome, Edge and Safari browsers, and macOS and Windows computers.
“For some time, we and others in the industry have been working on a simpler and safer alternative to passwords,” wrote Google group product manager Christiaan Brand and Google senior product manager Sriram Karra. “While passwords will be with us for some time to come, they are often frustrating to remember and put you at risk if they end up in the wrong hands.
“So, maybe by next year’s World Password Day, you won’t even need to use your password, much less remember it.”
Passkeys have been around for a while, but their adoption at Google is a clear signal that they may now be heading towards mainstream acceptance.
Easier to use than passwords, they allow users to sign in to apps and sites using biometrics, such as fingerprints or facial recognition, or a screen lock PIN, as people have become accustomed to doing when they unlock their smartphones.
Passkeys are considered more secure because, unlike passwords, there is nothing for the user to type, reuse, write down or hand over, and because each credential is bound to the site it was created for, they resist phishing and social engineering. That puts them ahead of SMS one-time passcodes (OTPs), which are still used in many multi-factor authentication (MFA) setups but can be relayed to the real site in real time by a phishing page.
Google’s passkey offers both biometric and PIN-based unlock, and users who opt in will be prompted for it whenever they sign in or try to access sensitive account information. The key itself is stored on the device; the biometric or PIN only unlocks it locally, and no biometric data is shared with Google or any third party.
Existing authentication options, including passwords, will remain available, not least because passkeys are still relatively novel technology and many devices may not yet support them.
Nevertheless, Google said it was going to be paying close attention to how its user base responds, and is looking forward to helping people “take this next leap” towards making authentication more secure.
Google users who want to try passkeys for themselves can activate them from their Google account’s security settings, while Google Workspace administrators will shortly be given the option to enable passkeys for their users.
“Passkeys are the first authentication method that removes human error – delivering security and ease of use,” said 1Password CEO Jeff Shiner.
“With Google turning on passkey support … 1.5 billion people around the world now have the opportunity to adopt passkeys,” he said. “In order to be widely adopted, though, users need the ability to choose where and when they want to use passkeys so they can easily switch between ecosystems.
“As we actively work with other FIDO Alliance leaders to eliminate passwords, we’ll inevitably remove one of phishers’ biggest rewards – credentials. This is a tipping point for passkeys and making the online world safe.”
What’s under the bonnet?
Google’s passkey relies on a cryptographic key pair that the user’s device generates when the passkey is created. The private key never leaves the device; only the corresponding public key is sent to Google and stored against the account. At each subsequent sign-in, Google sends the device a fresh, random challenge and asks for it to be signed with the private key. The device will only do so after the user unlocks it with a biometric or PIN, which is what proves they were present.
The device also ties each credential to the site it was created for, so a signature can only be produced for genuine Google websites and apps. A phishing site that inserts itself into the chain presents a different domain, so the device finds no matching key and the attempt fails. The user therefore no longer has to spot a lookalike address themselves, as they would when typing a password or an MFA code.
In short, by unlocking the device to sign the challenge, the user proves three things to Google: that the device holds the private key registered to the account, that they were present to unlock it, and that they are signing in to a genuine Google service rather than a phishing site.
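The exchange described above, as an added example that is not part of the original article or Google’s own code: a Go model of the passkey flow with a simulated device (the authenticator) and a simulated relying party standing in for Google. It is deliberately simplified relative to WebAuthn/FIDO2: there is no CBOR encoding, no authenticator data or signature counter, the relying-party ID is taken to be the exact host of the requesting origin rather than a registrable parent domain, and user presence is a plain boolean. All names, origins and scenarios are constructed for illustration. It demonstrates the three guarantees the paragraph lists, plus one the article implies: a sign-in from the genuine origin verifies, a lookalike phishing origin gets no signature at all, a replayed assertion is rejected because each challenge is single-use, and nothing is signed without the user present.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// clientData mirrors WebAuthn's collectedClientData (simplified); Assertion is what the device returns.
type clientData struct{ Challenge, Origin string }
type Assertion struct{ ClientDataJSON, Signature []byte }

// signedDigest is the value actually signed: H(H(rpID) || H(clientDataJSON)). The signature
// therefore commits to the site the key belongs to and to the exact origin and challenge.
func signedDigest(rpID string, cdJSON []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return d[:]
}

// Authenticator models the device: one P-256 key pair per relying-party ID (a domain), never exported.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Register creates a key pair bound to rpID and releases only the public half to the site.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Sign answers a challenge only if the user is present and the device holds a key for the
// requesting origin's domain. The browser, not the page, supplies the origin, so a lookalike
// phishing domain finds no matching key and walks away with nothing to relay.
func (a *Authenticator) Sign(origin, challenge string, userPresent bool) (*Assertion, error) {
	if !userPresent {
		return nil, errors.New("user presence required")
	}
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" {
		return nil, errors.New("origin must be an https URL")
	}
	priv, ok := a.keys[u.Hostname()] // simplification: RP ID == exact host of the origin
	if !ok {
		return nil, fmt.Errorf("no credential for origin %q", origin)
	}
	cdJSON, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(u.Hostname(), cdJSON))
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientDataJSON: cdJSON, Signature: sig}, nil
}

// RelyingParty models Google's side: it stores only the public key, issues single-use random
// challenges and checks every binding before it accepts a sign-in.
type RelyingParty struct {
	RPID, Origin string
	pub          *ecdsa.PublicKey
	issued       map[string]bool
}

func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	rand.Read(b)
	c := fmt.Sprintf("%x", b)
	rp.issued[c] = true
	return c
}

func (rp *RelyingParty) Verify(as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if !rp.issued[cd.Challenge] {
		return errors.New("challenge unknown or already used")
	}
	delete(rp.issued, cd.Challenge) // each challenge is accepted once, so replays fail
	if cd.Origin != rp.Origin {
		return fmt.Errorf("assertion was produced for origin %q", cd.Origin)
	}
	if !ecdsa.VerifyASN1(rp.pub, signedDigest(rp.RPID, as.ClientDataJSON), as.Signature) {
		return errors.New("signature does not verify under the registered public key")
	}
	return nil
}

// RunScenarios registers one passkey (constructed demo names), then attempts a genuine sign-in,
// a replay of that assertion, a relay through a phishing domain, and a sign-in with nobody
// present. A nil error means the relying party accepted the login; anything else is a refusal.
func RunScenarios() map[string]error {
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	rp := &RelyingParty{RPID: "accounts.google.com", Origin: "https://accounts.google.com", issued: map[string]bool{}}
	pub, err := auth.Register(rp.RPID)
	if err != nil {
		return map[string]error{"register": err}
	}
	rp.pub = pub
	out := map[string]error{}
	if genuine, err := auth.Sign(rp.Origin, rp.NewChallenge(), true); err != nil {
		out["genuine"] = err
	} else {
		out["genuine"] = rp.Verify(genuine)
		out["replay"] = rp.Verify(genuine)
	}
	// A phishing page relays Google's real challenge, but the browser reports its own domain.
	_, out["phish"] = auth.Sign("https://accounts-google.com.evil.example", rp.NewChallenge(), true)
	_, out["absent"] = auth.Sign(rp.Origin, rp.NewChallenge(), false)
	return out
}
```

Two points worth noticing in the model. The phishing case fails on the device, before any signature exists, because the origin check is done by the browser/OS rather than by the user, which is what makes the scheme phishing-resistant rather than merely phishing-aware. And even if an attacker did obtain an assertion, it is useless elsewhere: the origin is inside the signed data, and the relying party consumes each challenge on first use, so the second `Verify` of the genuine assertion is refused.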