You can now log into your Google using passkeys. Google added the ability in what’s arguably the single biggest step in encouraging use of an authentication technology designed to fix the abundant shortcomings of passwords.
Passkeys — developed by Apple, Microsoft, Google and other allies — use a strong cryptographic security foundation that anchors your logon privileges to your phone or computer. There’s no obscure string of letters, digits and punctuation characters to remember. Passkeys usually use a biometric authentication step like fingerprint or facial recognition, though other options are possible.
Google already built passkey support into its Android phone software and Chrome web browser, but it wasn’t until Wednesday, the day before World Password Day, that it announced you could use passkeys to log on to Google websites. For now, passkeys work alongside other login methods, so you can try them out without jettisoning your previous other authentication methods like passwords or hardware security keys.
If passkeys succeed as hoped, it’ll be secure and easy enough to use that it’ll wipe out passwords completely. Given how many millions of us use Gmail, YouTube and Workspace, passkey support on Google services is a major moment for the technology.
“Passkeys are the beginning of the end for passwords,” Christiaan Brand and Sriram Karra, two Google executives who oversaw the project, said in a blog post Wednesday.
Passwords are familiar but not easy to use well. We pick guessable passwords that hackers can crack. We reuse passwords across multiple apps and services, so stolen credentials can be used in “credential stuffing” attacks to break into other accounts. We bolster passwords with dual factor authentication, but that’s got its own problems, especially with login codes sent by text message.
Passkeys are designed to sidestep all this. They’re based on cryptographic standards that protect e-commerce transactions and network communications, repurposed by the Fast Identity Online Alliance for use in authentication. The FIDO Alliance got its start with hardware security keys, the strongest mainstream authentication technology around, but repackaged it as passkeys in an attempt to make it easier and cheaper to use.
Although passkeys are new, a few sites beat Google with login support. Among the companies offering passkey login are eBay, Docusign, PayPal and Shopify.
As with hardware security keys, login credentials are set up to work with an app or website’s service. Your phone or computer does the actual authentication locally on its own hardware. That thwarts one of today’s biggest security risks, phishing attempts that try to get you to share your credentials or other sensitive information with fake websites.
You can set up passkeys on multiple devices. And if you’re signing on temporarily using your friend’s phone or a public library computer, Google offers a QR code scanning mechanism that lets you log in temporarily without permanently storing your passkey.