Retiring password: Google transitions to passkeys to enhance online security by restricting phishing

Retiring password: Google transitions to passkeys to enhance online security by restricting phishing


The tech industry’s transition to passkeys gets its first massive boost with the launch of the alternative login scheme for Google’s billions of users.

Google is announcing a major effort to let its personal account holders log in with the password replacement known as “passkeys.” The feature launches today (May 4) for the company’s billions of accounts, and users will be able to proactively seek it out and turn it on.

Google says it plans to promote passkeys in the coming months and start nudging account holders to convert their traditional username and password login to a passkey.

Password-based authentication has been standard across the internet (and computing in general) for decades, but the system has serious security issues, namely that attackers can steal your password or trick you into giving it to them in phishing attacks.

The passkey scheme is specifically designed to address phishing attacks by relying on a different model that uses cryptographic keys stored on your devices for account authentication.

In the year since the industry association known as the FIDO Alliance began publicly promoting the rollout of passkeys, the makers of the world’s biggest consumer operating systems – Microsoft, Google, and Apple – have launched the necessary infrastructure to support passkeys. But if you still have never used a passkey in your daily life, you’re far from alone.

The next step toward passkey adoption is for services to actually offer passkeys as a login option for user accounts. So far, companies like PayPal, Shopify, CVS Health, Kayak and Hyatt have taken the plunge. Today’s launch of passkeys for Google’s users is noteworthy given the company’s resources and sheer scale.

“It’s very, very significant,” says Andrew Shikiar, executive director of the FIDO Alliance. “It’s an inflection point. A company like Google enabling this with so many people actually seeing passkey sign-ins, they’ll be more likely to use them elsewhere. And it will also accelerate other companies’ deployment plans and help them deploy better, because we will learn from this as a body.”

You can log in with passkeys using biometric sensors like fingerprint or face scanners, your smartphone’s device lock PIN, or physical authentication dongles like YubiKeys. To transition your Google account, you’ll navigate to this link, log in with your username, password, and any additional authentication factors you have set up, and then click “+ Create a passkey” on the device you’re using.

“We have an opportunity here to change the way users think about signing in,” says Christiaan Brand, an identity and security product manager at Google and co-chair of the FIDO2 technical working group. “If we can change the way that signing in works for your Google account, we hope that consumers will start to get more accustomed to the technology, and also signal to industry that we’re not just talking about this stuff – it is ready for prime-time adoption.”

Passkeys can sync between your devices through end-to-end encrypted services like Google Password Manager and iCloud Keychain. Or you can set up passkeys on multiple devices by generating a QR code on a device that’s logged in to your Google account that will anoint another device where you want to log in.

All of your Google account passkeys will be listed on the “Passkey Management Page,” where you can review and revoke them. You can even store a passkey for your account on the device of someone you trust as a recovery option. If you issue a passkey to log into your Google account on a shared device, be sure to revoke it once you’re done.

“What doesn’t help is when a vendor or developer only rolls out passkey for iOS or only rolls it out for Android. That’s not how passwords work; passwords are ubiquitous,” Brand says. “So for us, it was important to cover as wide a range of devices as possible on launch day, no carve-outs.”

Google says that even once you make a passkey for your account (or five), your traditional username and password login isn’t going anywhere, and you can still use it if you choose. But the company is betting that once people get used to passkeys, they’ll like them better and find them easier to manage than passwords. And once you’ve set up a passkey on a device, Google will automatically detect it and prompt you to log in that way going forward.

Brand says that in early tests on a few thousand users, sign-in success rates with passkeys were immediately higher than for traditional username and password logins. That doesn’t mean there won’t be what Brand calls “rough edges” or use cases where there are passkey bugs. But Google says it hopes to discover and iron out as many of these issues as possible, so smaller organisations can feel more confident implementing passkeys.

Google’s announcement comes on the eve of World Password Day on Thursday. But passkey proponents are ramping up their efforts to make the occasion obsolete.

“Eventually, it’s going to be like World Horse and Buggy Day, I think,” Shikiar says. “For the time being, it’s a good reminder of the challenge we have to get rid of passwords.”

  • A Wired report
About author

Your email address will not be published. Required fields are marked *