3 min Security

Google finally adds passkeys: ‘beginning of the end for passwords’

Google finally adds passkeys: ‘beginning of the end for passwords’

Following in the footsteps of Apple and Microsoft, Google has also opted to introduce passkeys. The company announced via its security blog how users can enable the new feature. Not all websites currently support the login method, but Google’s support may change this.

Google is certainly not the first party to come up with passkeys. Apple announced the functionality in late 2022 and Microsoft is also working on it. In addition, password manager 1Password has had support for the strong security method since its acquisition of passkey startup Passage.

Operation

The security concerns around passwords are well known: they can be predictable, they may be re-used too often or leaked directly. MFA (multi-factor authentication) is more secure, but has its limitations. Unlike traditional passwords and MFA, the login method relies on biometric data, such as a fingerprint or iris scan. Through this method, the passkey thus depends on the same technology that allows secure and personalized access to smartphones. Remembering a password will therefore possibly become a thing of the past. In other words, you’re no longer reliant on what you know (password) and have (the hardware you log in with), but on what you have and what you are (biometric data).

In mid-October, Google started working on passkeys in beta form. It began by releasing initial passkey support for developers. The company announced support for other environments, such as Android apps and Google Chrome last December.

For more information, read: What are Passkeys? Removing the human element from authentication

Positive

Passkeys are based on a standard defined by the FIDO Alliance and the World Wide Web Consortium. FIDO director Andrew Shikiar applauds Google’s decision to join this standard. “We’re thrilled with Google’s announcement today as it dramatically moves the needle on passkey adoption due both to Google’s size, and to the breadth of the actual implementation — which essentially enables any Google account holder to use passkeys.”

Google says it plans to move entirely to passkeys in the longer term. This will eventually make passwords a thing of the past, and with them the myriad security dangers they pose. According to NordVPN initiative NordPass, careless use of passwords accounts for more than 80 percent of data breaches by 2022. Examples include easily guessed or repeated password choices and storing them in browser cookies.

Anti-phishing

Google refers in the title of the security blog to the extra security that passkeys provide against phishing. Many scammers succeed in robbing their victims by posing as someone else, such as a bank or government agency. Users who click on the phishing e-mail link are usually redirected to a fake version of a legitimate website. The unsuspecting victim enters the login credentials, thus handing over the information the scammer is looking for. By relying solely on passkeys, this is theoretically impossible because a party like Google only provides its passkey support to verified platforms.

What then is the importance of a password manager? As mentioned earlier, a party like 1Password can integrate the functionality into its services, making those services more secure as well. As long as there are still Web sites that lack passkey support, such a service remains extremely useful. In addition, it is many times safer than automatically storing passwords in the browser, as they can be picked up by cybercriminals via stealing cookie data or through the presence of malware.