Google adds passkeys for passwordless access to Google accounts

Google has announced passkey support for passwordless access to Google accounts across all of its platforms. Google account holders can now sign in to services and applications without entering a password or completing two-step verification.

The move is a major step toward what Google hopes is the beginning of the end of the password. Passwords have been a prime target for attackers, and a fundamental weakness in cybersecurity, for decades.

Passkeys can be enabled today on any of Google’s billions of user accounts worldwide, at no charge.

Google Workspace administrators will soon have the option to enable passkeys for their end users’ Workspace accounts. In the meantime, those users can continue to sign in with passwords and two-step verification.

How to create a Google Passkey and avoid using a password for your Google account. (Source: YouTube)

What is a Passkey? And how does a Passkey work?

If you’re not sure what a passkey even is, no sweat. A passkey is a sign-in credential that lets you access an account the same way you unlock your device: with a face scan, fingerprint, or screen-lock PIN or pattern. Under the hood it is a cryptographic key pair; the biometric or PIN only unlocks the private key held on your device, so there is no password to remember (or manage).

Passkeys are resistant to online attacks such as phishing, interception of SMS one-time codes, and password attacks like brute force, dictionary attacks, and credential harvesting or stuffing. Because there is no password at all, they also eliminate weak choices like “password123” or simply tacking an exclamation point onto the old password when it’s time to rotate it.

If you prefer a physical passkey, you can buy a FIDO2-certified hardware security key such as a Yubico YubiKey and enroll it as your Google passkey. Signing in then requires plugging the key into your device (or tapping it via NFC, on models that support it) and touching it.

Touching the key is a user-presence check: it proves that a person is physically at the computer, and that the sign-in attempt isn’t being generated remotely by a bot.

Enabling passkeys does not share your private biometric data with Google, assure Arnar Birgisson and Diana K. Smetters of Google’s Identity Ecosystems and Account Security and Safety teams:

“The only data shared with Google for this to work is the public key and the signature. Neither contains any information about your biometrics.”

Using the passkey unlocks the private key locally on the device. And unlike passwords, passkeys exist only on your devices: they can’t be written down, shared by accident, or captured by an online attacker, because the private key never leaves the device and the signature it produces is bound to the site that requested it.

If you’re still curious about the underlying technology and security of a passkey, be sure to read Google’s in-depth Passkey blog post.

Passkeys will change cybersecurity

Enabling passkeys broadly across Google, and soon across many other companies, will reshape how account security works. Google hopes it is the beginning of the end of the password.

“It’s very, very significant,” says Andrew Shikiar, executive director of the FIDO Alliance. “It’s an inflection point. A company like Google enabling this with so many people actually seeing passkey sign-ins, they’ll be more likely to use them elsewhere. And it will also accelerate other companies’ deployment plans and help them deploy better, because we will learn from this as a body.”

Passkeys are now supported by PayPal, Shopify, CVS Health, Kayak, and Hyatt, according to Wired.

Disclaimer: The author of this article is a current employee of Google. This article does not represent the views or opinions of his employer and is not meant to be an official statement for Google, or Google Cloud.

