Go ahead, forget that password. Use a passkey instead, says Google

Google wants to take us further into a passwordless future by allowing personal account holders to login using passkeys rather than using passphrases and multifactor authentication (MFA).

Passkeys are the latest hope for allowing organizations and regular folk to move away from passwords. And when we say passkeys, think of things like biometric-reading phone apps that can be used to authenticate yourself and gain access to accounts, though these keys can take various forms.

You hopefully for important accounts use a password and some form of MFA to authenticate yourself: that's something you know (the passphrase in your head or password manager) and something you have (such as a hardware token or one-time-code generator). A crook would therefore need both the thing you know and the thing you have to login as you. Passkeys replace passwords and MFA, by being something you have (your phone and biometric passkey app) and something you are (your fingerprint).

Passkeys are being adopted by the likes of Apple and Microsoft, which, like Google, have long been vocal about the need to do away with passwords entirely, replacing them and MFA with passkeys.

"Using passwords puts a lot of responsibility on users," Arnar Birgisson and Diana Smetters, engineers with Google's Identity Ecosystems, wrote in an announcement on Wednesday. "Choosing strong passwords and remembering them across various accounts can be hard. In addition, even the most savvy users are often misled into giving them up during phishing attempts."

There are myriad other problems with passwords. Users can have tens or hundreds of accounts and may reuse passwords or rely on simple ones – "password" and "123456" tend to be popular – to make it easier to remember them.

MFA is not the full answer

Having MFA is better than nothing though it still puts the burden on users who have to deal with an additional verification step, and it doesn't fully protect against phishing, credential stuffing, and targeted scams like SIM swaps for text verification. There's nothing stopping cunning miscreants from collecting MFA codes along with usernames and passwords from phishing pages.

In addition, password managers solve the issue of memorizing strong passwords but themselves can be problematic: you are putting all your eggs in one basket, so to speak, and things like the security breaches at LastPass make some of us nervous about the whole arrangement.

"Passkeys help address all these issues," Birgisson and Smetters argued.

Passkeys are based on a standard developed by the FIDO Alliance and the World Wide Web Consortium. The keys are stored on a device and integrate with it hardware's biometric readers – think fingerprint or face scanners accessed via Apple's Face ID or Microsoft's Windows Hello.

Rather than relying on usernames and passwords and MFA tools, passkeys thus use the biometric information and the device itself to authenticate users. Now Google Account users will have this option and can take the first step here.

"When you add a passkey to your Google Account, we will start asking for it when you sign in or perform sensitive actions on your account," the software engineers wrote. "The passkey itself is stored on your local computer or mobile device, which will ask for your screen lock biometrics or PIN to confirm it's really you. Biometric data is never shared with Google or any other third party – the screen lock only unlocks the passkey locally."

No more password miscues

Because passkeys only exist on the device and, unlike passwords, can't be written down or accidentally given to – or stolen by – miscreants, in theory, they hopefully protect against phishing and other attacks, and can't be reused elsewhere or exposed via database leaks.

• Multi-factor auth fatigue is real – and it's why you may be in the headlines next
• PayPal ditches passwords, at least on Apple devices
• Microsoft says it's boosted phishing protection in Windows 11 22H2
• 1Password's Insights tool to help admins monitor users' security practices

That's important, given that 82 percent of security breaches in 2021 were due to stolen credentials, phishing attacks, and human error, putting a premium on password protection, Verizon said in its Data Breach Investigations Report last year.

The idea of passkeys is gaining momentum. Apple's iOS 16 and macOS Ventura support passkeys and Google late last year began to support passkeys for Chrome on Android, Windows, and macOS. Microsoft is also moving toward passkeys.

There is a growing list of online services that are also supporting the passwordless security tool, including PayPal, eBay, WordPress, and Kayak.

In addition, startups like Hanko are developing passkey technologies. In November 2022, password manager company 1Password bought passkey startup Passage "to help accelerate the adoption of passkeys for developers, businesses, and their customers," CEO Jeff Shiner said at the time.

Easing into the change

"Passkeys are still new and it will take some time before they work everywhere," Birgisson and Smetters wrote.

"However, creating a passkey today still comes with security benefits as it allows us to pay closer attention to the sign-ins that fall back to passwords. Over time, we'll increasingly scrutinize these as passkeys gain broader support and familiarity."

That said, using passkeys doesn't mean consumers can only use their phones when they log in. Passkeys can be created for other devices such as PCs, laptops, or tablets, and some platforms will back up passkeys and sync them to other devices. A passkey for an iPhone can be used on other Apple devices logged on to the same iCloud account.

We can imagine some of you are uncomfortable with the consolidation of passwords and MFA into passkeys. For Google Account holders, existing verification methods – including passwords and MFA – will still work, just in case they're using devices that don't yet support passkeys.

However, "if you sign in on a device shared with others, you should not create a passkey there. When you create a passkey on a device, anyone with access to that device and the ability to unlock it, can sign in to your Google Account," the Googlers wrote.

Finally, passkeys can also be used for those enrolled in Google's Advanced Protection program. ®