Google is Rolling out Passkeys to Make Passwords a Relic of the Past
Published on May 11, 2023
The company has begun rolling out passkey support across its Google Accounts across all major platforms. Passkeys will be available in addition to pre-existing authentication methods, such as passwords and two-step verification.
Google claims that passkeys provide a more convenient and secure method of authenticating users.
It is notoriously difficult for users to manage their passwords, since they must create and remember a distinct strong password for each service they use. Even strong passwords do not adequately protect users against phishing, so they are increasingly used alongside two-factor authentication (2FA), a security mechanism that has drawbacks of its own, as well as an additional mechanism to protect against phishing attacks.
A passkey is a cryptographic private key that is stored on a user’s device, while a public key is uploaded to Google. When a user attempts to sign in to Google using a passkey, Google will ask their device to sign a challenge using the private key.
The challenge can only be signed if the user unlocks their device, a step that can leverage advanced biometric hardware available on many devices, including fingerprint and face recognition. An alternative is to use a PIN. According to Google, biometric data is not shared outside of the signing device. Only the public key and signature are sent out.
Google has also defined a mechanism to use your phone to sign in on another device, which is particularly useful when accessing your account from a shared device. If the user authorizes the device, then the device will first verify that the phone is nearby using Bluetooth, and then it will present a QR code the phone can scan and use to generate a one-time passkey signature. Passkeys and biometric data are not received by the new device.
Passkeys reside on individual devices, so each device must obtain its own passkey, which can be cumbersome. To work around this, passkeys can be shared across all of your devices: for a seamless experience, users can rely on iCloud Keychain for Apple devices and Google Password Manager for Android and Chrome devices. Google does not provide a universal mechanism for this, so a passkey cannot be shared across, for example, iPhone and Android devices unless a third-party SSH key manager is used. It is noteworthy that Microsoft does not provide an official solution for sharing secrets across Windows devices.
In order to create a passkey for your Google account, you will need to use a dedicated domain for the time being.
In the last year, Google has worked with Apple and Microsoft to define standard approaches for passwordless authentication, including FIDO and W3C WebAuthn.