Google has announced that users can now create and use passkeys on personal Google accounts, marking another leap towards a potential passwordless future for businesses.
In an announcement this week, the tech giant revealed that users will be able to ditch their traditional passwords and two-factor authentication processes when signing into accounts.
Google said the move will provide users with a “more convenient and safer alternative to passwords” by allowing them to unlock their computer or mobile device using biometric technologies such as facial recognition, or by using a local pin.
“Using passwords puts a lot of responsibility on users,” the company said in a statement. “Choosing strong passwords and remembering them across various accounts can be hard.”
This announcement from Google follows significant movement among major tech firms on the development and rollout of passkeys.
Microsoft, Apple, and Google have all committed to providing passkeys in recent years, and have been working closely with the FIDO Alliance and World Wide Web Consortium to deliver more standardized forms of passwordless authentication.
In June last year, Apple announced the launch of its Passkey standards at its Worldwide Developer Conference (WWDC).
The move meant that users could use passkeys on supported devices using macOS Ventura, iOS 16 and onward, and iPadOS 16 and onward.
What are passkeys?
A passkey is a method of passwordless login for users. This form of login standard relies on public key cryptography and is thought to offer huge benefits in preventing phishing attacks.
A private key will be generated and stored on a user’s device and a corresponding public key is uploaded to the cloud.
Build vs. buy: Is managing Customer Identity slowing your time to market?
Why identity should be top of mind
Separate key pairs are created for each service provider, such as Apple, Google, or Microsoft, for example.
When logging in using a passkey, a device will request that the user identifies themselves with their own private key, which is then verified via the public key.
Private keys stay on your devices, and in some cases only stay on the device it was created on, meaning that users aren’t forced to remember myriad passwords and navigate 2FA protocols when logging in.
The method is seen as a strong defense against phishing attacks as the attacker would need physical access to the unlocked device in order to login to a victim’s account.
It builds on the previous gold standard of 2FA implementations: using passwords combined with hardware keys, which prevent cases of MFA fatigue, for example.
There are certain drawbacks to passkey authentication, especially in the event that a user loses their device. However, this isn’t as disastrous as some might think.
Some organizations, such as Apple, allow users to create a passkey on their iPhone which is cross-functional with other Apple devices and linked to iCloud.
This is specifically designed so that users can avoid being locked out of their accounts if they lose a particular device and enables a more seamless experience for users when upgrading or switching to newer hardware.
Google also has similar protocols in place which are linked to an individual’s Google Account. For example, if a device with a passkey is lost and at risk, Google allows users to “immediately revoke the passkey” via their account settings.
“If your device supports the option to remotely wipe it, consider doing that as well, especially if it also has passkeys for other services,” the firm said.
Google said it recommends users have a recovery phone and email for an account, which increases the chance of recovery in the event of a device being lost.
The business advantages of passkeys
There are a number of advantages to using passkeys, with security and convenience among the most commonly highlighted.
The FIDO Alliance believes that passwordless authentication standards will unlock significant benefits with regard to security.
“Based on FIDO standards, passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices,” according to a FIDO Alliance explainer. “Unlike passwords, passkeys are always strong and phishing-resistant.”
Millions of businesses worldwide still rely on using traditional passwords and multi-factor authentication techniques to keep them safe. But often this isn’t quite enough to keep them secure, as research shows.
Earlier this year, Authlogics, a provider of password security technologies, issued a warning over the growing scale of exposed account passwords.
The UK-based firm revealed that its Password Breach Database had reached a concerning landmark number of more than 5 billion compromised credentials.
Research from threat intelligence firm SpyCloud in March revealed that organizations globally still maintain a “rampant” practice of password reuse, which poses significant risks for businesses.
Nick France, Chief Technology Officer at Sectigo, said that, broadly speaking, passkeys represent a far more secure mode of authentication compared to traditional methods.
“While no system is perfect, the passkey strategy is fundamentally more secure than the old password system,” he said.
“Communication across the open internet is managed by unbreakable cryptographic keys, which are among the most secure computing standards we have.”
Similarly, Google’s view is that the inherent nature of passkeys lends itself to improved security. Unlike passwords, passkeys can only exist on a user’s device.
This means they cannot be written down and misplaced, or end up in the hands of a bad actor due to phishing techniques.
Given the increasing scale of phishing attacks in recent years, the continued rollout of passkeys offers businesses a key advantage in mitigating these risks.
“When you use a passkey to sign in to your Google Account, it proves to Google that you have access to your device and are able to unlock it,” Google said.
“Together, this means that passkeys protect you against phishing and any accidental mishandling that passwords are prone to, such as being reused or exposed in a data breach.”
Cost benefits are also a key factor in the popularity of passkeys among businesses.
Because passkeys are linked to a user's device, this reduces the IT-related red tape associated with password resets in corporate environments in the event that a user forgets one of many passwords, or if the account is compromised.
Analysis from Okta shows that costs accrued from password resets reach up to $70 on average, which in larger enterprises could add up to a significant overall cost each year.
