NEW! Sign In to Your Google Account with a Passkey = a Password-less Future

Pete Hoff

We’ve all seen them shared on social media: “Take this fun online quiz! Only 10% of people can get these Qs right!” But if a quiz asks for personal details, such as the name of the street you grew up on, X-out promptly. It’s likely to be a phishing scam to obtain your passwords via social engineering. Google has recently released new functionality to help with this persistent threat.

Secure Alternative to Passwords

In a blog cleverly titled, “So long passwords, thanks for all the phish,” Google announced that users can create and use passkeys on personal Google Accounts. When you do, Google will not ask for your password or 2-Step Verification (2SV) when you sign in.

Google describes passkeys as “a simple and secure alternative to passwords” that allow users to sign in by unlocking their computer or mobile device with their:

  • Fingerprint
  • Face recognition
  • Local device screen lock, like a PIN

The passkey itself is stored on your local computer or mobile device, which will ask for your screen lock biometrics or PIN to confirm your identity. Biometric data is never shared with Google or any other third party – the screen lock only unlocks the passkey locally. Unlike passwords, passkeys can only exist on your devices. Passkeys are strong enough that they can stand in for security keys for users enrolled in Google’s Advanced Protection Program.

Read the support page for instructions and details on what devices, browsers, and settings are needed to create a passkey. For Google Workspace accounts, administrators will soon have the option to enable passkeys for their end-users during sign-in.

Password-less Future

Passkeys are a major step toward a “password-less future,” and provide the strongest protection against threats like phishing. A password combined with a secondary proof point via 2-Step Verification helps, but includes “additional, unwanted friction” for the user. Moving people off passwords has always been a struggle, but it’s progressing.

While passkeys are not yet available for businesses, Google is rolling them out for personal accounts, which is a great way for people to become familiar with them. The system is intended to make things easier for people, and I think it’ll stop users from using poor passwords.

Is a Passkey More Secure?

It’s much stronger to move away from something that requires manual maintenance. When you can automate a security control, it’s preferable to asking a human to follow a process. I’m sure there will be new problems, but this makes me very happy as I don’t have to take a phone call to switch a password.

Google has slow-walked the rollout to make sure they’re doing it right, but the real test is time. Years ago, companies had their key fobs compromised, and passkeys will go through the same stress test as they gain popularity.

Biometrics vs. Passwords

According to the 2022 Verizon Data Breach Investigations Report (DBIR), 82% of breaches involved the human element. “This puts the person square in the center of the security estate with the Social Engineering pattern capturing many of those human-centric events.”

Verizon defines social engineering as, “A psychological compromise of a person that alters their behavior into taking an action or breaching confidentiality.”

Biometric-unlocked passkeys, by contrast, eliminate the risk of stolen passwords: there is no secret for a victim to type into a fake form, and it’s hard to unintentionally “tell” someone your fingerprint, voice, or face ID.

Getting Started with Passkeys on your Google Account

When you create a passkey, you opt in to a passkey-first, password-less sign-in experience. Google cautions users to create passkeys only on personal devices that you control because anyone who can unlock the device can sign back in with the passkey.

Once you’ve added a passkey to your Google Account, you’ll be prompted to “enter” it to sign in or perform sensitive actions on your account. I put “enter” in quotes since it’s not exactly the precise verb to describe showing your face to a device.

Unlike passwords, passkeys can only exist on your devices, and therefore can’t be given to an attacker. Because of this strength, there’s no need for a secondary action to sign in.

You’ll still have the option to sign in to a device using your password. This is particularly important if you need to sign in to any device that doesn’t support passkeys. Google describes the “main ingredient” of a passkey as a cryptographic private key. Read the blog for more on how it works under the hood. To start using passkeys on your personal Google Account today, visit g.co/passkeys.