Google says it is going to great lengths to let its personal account holders sign in using password replacements known as “passkeys.” The feature is rolling out today to billions of the company’s accounts, and users will be able to seek it out and turn it on themselves. Google says it plans to promote passkeys in the coming months and begin requiring account holders to convert their traditional login username and password into a passkey.
Password-based authentication has been standard across the Internet (and computing in general) for decades, but the system suffers from serious security problems, namely that attackers can steal your password or trick you into giving it to them in phishing attacks. The passkey scheme is specifically designed to address phishing attacks by relying on a different model that uses cryptographic keys stored on your devices for account authentication.
In the year since the industry association known as the FIDO Alliance began publicly promoting the rollout of passkeys, the makers of the world’s largest consumer operating systems—Microsoft, Google, and Apple—have released the infrastructure needed to support passkeys. But if you’ve never used a passkey in your daily life, you’re far from alone.
The next step toward passkey adoption is for services to actually offer passkeys as a login option for user accounts. So far, companies like PayPal, Shopify, CVS Health, Kayak, and Hyatt have fallen behind. The release of passkeys to Google users today is noteworthy given the company’s resources and sheer scale.
“It’s very, very important,” says Andrew Chekyar, executive director of the FIDO Alliance. “It’s an inflection point. A company like Google is enabling this as many people see logins with passkeys and are more likely to use them elsewhere. It will also accelerate other companies’ deployment plans and help them spread better, because we will learn from this as a body.”
You can log in with passkeys using biometric sensors such as fingerprint or facial scanners, a smartphone’s device-lock PIN, or physical authentication dongles such as YubiKeys. To convert your Google account, you’ll go to this link, sign in with your username, password, and any additional authentication factors you’ve set up, and then click “+Create Passkey” on the device you’re using.
“We have an opportunity here to change the way users think about logging in,” says Christian Brand, product manager of Identity and Security at Google and co-chair of the FIDO2 Technical Working Group. “If we can change the way signing in to your Google account works, we hope that consumers will start to get more accustomed to the technology, as well as signal to the industry that we’re not just speaking about this stuff – it’s ready for primetime adoption.”
Passkeys can sync between your devices through end-to-end encrypted services like Google Password Manager and iCloud Keychain. Or you can set up passkeys on multiple devices by generating a QR code on a device that is signed in to your Google account and scanning it with another device you want to sign in on.
All passkeys for your Google account will be listed on the passkey management page, where you can review and revoke them. You can also store a passkey for your account on the device of someone you trust as a recovery option. If you issued a passkey to sign in to your Google account on a shared device, be sure to revoke it once you’re done.
“What doesn’t help is when a vendor or developer rolls out the passkey for iOS only or when they roll it out for Android only. That’s not how passwords work. Passwords are everywhere,” Brand says, “so for us, it was important to cover the widest possible selection of devices on launch day, without cuts.”
Google says that even once you create a passkey for your account (or five), your traditional login username and password won’t go anywhere, and you can still use them if you want to. But the company is betting that once people get used to passkeys, they’ll like them better and find them easier to manage than passwords. And once you set up a passkey on a device, Google will automatically detect it and prompt you to sign in that way from now on.
Brand says that in early tests with a few thousand users, passkey login success rates were immediately higher than traditional username and password logins. This isn’t to say that there won’t be what Brand calls “rough edges” or use cases where there are passkey errors. But Google says it hopes to discover and iron out as many of these issues as possible, so smaller organizations can feel more confident implementing passkeys.
Google’s announcement comes on the eve of World Password Day on Thursday. But passkey proponents are stepping up their efforts to make the occasion obsolete.
“In the end, it will be like International Horse and Buggy Day, I think,” Chekyar says. “For now, it’s a good reminder of the challenge we face getting rid of passwords.”