You can now log into your Google account using passkeys. Google added the ability in what’s arguably the single biggest step in encouraging use of an authentication technology designed to fix the abundant shortcomings of passwords.
Passkeys — developed by Apple, Microsoft, Google and other allies — use a strong cryptographic security foundation that anchors your logon privileges to your phone or computer. There’s no obscure string of letters, digits and punctuation characters to remember. Passkeys usually use a biometric authentication step like fingerprint or facial recognition, though other options are possible.
Google already built passkey support into its Android phone software and Chrome web browser, but it wasn’t until Wednesday, the day before World Password Day, that it announced you could use passkeys to log on to Google websites. For now, passkeys work alongside other login methods, so you can try them out without jettisoning your other authentication methods like passwords or hardware security keys.
If passkeys succeed as hoped, they’ll be secure and easy enough to use that they’ll wipe out passwords completely. Given how many millions of us use Gmail, YouTube and Workspace, passkey support on Google services is a major moment for the technology.
“Passkeys are the beginning of the end for passwords,” Christiaan Brand and Sriram Karra, two Google executives who oversaw the project, said in a blog post Wednesday.
In my passkey tests, I was able to easily create a passkey on my main Android phone and extend that credential to my Mac and then my iPhone. My existing authentication options — hardware security keys, an authenticator app, and prompts within Google apps — are still available.
Passwords are familiar but not easy to use well. We pick guessable passwords that hackers can crack. We reuse passwords across multiple apps and services, so stolen credentials can be used in “credential stuffing” attacks to break into other accounts. We bolster passwords with dual factor authentication, but that’s got its own problems, especially with login codes sent by text message.
Passkeys are designed to sidestep all this. They’re based on cryptographic standards that protect e-commerce transactions and network communications, repurposed by the Fast Identity Online Alliance for use in authentication. The FIDO Alliance got its start with hardware security keys, the strongest mainstream authentication technology around, but repackaged it as passkeys in an attempt to make it easier and cheaper to use.
Although passkeys are new, a few sites beat Google with login support. Among the companies offering passkey login are eBay, Docusign, PayPal and Shopify.
As with hardware security keys, login credentials are set up to work with an app or website’s service. Your phone or computer does the actual authentication locally on its own hardware. That thwarts one of today’s biggest security risks, phishing attempts that try to get you to share your credentials or other sensitive information with fake websites.
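To make the phishing resistance concrete, here is a simplified model of a passkey sign-in, added as an illustration; it is not Google's code and not the real WebAuthn message format. The `Authenticator` class, `verifyAssertion` function and both site addresses are constructed for the example.

```javascript
const crypto = require('node:crypto');

// The phone or computer: keeps one private key per website origin.
class Authenticator {
  constructor() { this.keys = new Map(); } // origin -> private key
  register(origin) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey; // only the public key ever leaves the device
  }
  // `origin` comes from the browser's address bar, not from the page.
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null; // no passkey for this site, nothing to give away
    const clientData = JSON.stringify({ origin, challenge });
    const signature = crypto.sign('sha256', Buffer.from(clientData), key);
    return { clientData, signature };
  }
}

// The website's server: checks the signature, the origin and the challenge.
function verifyAssertion(publicKey, expectedOrigin, expectedChallenge, assertion) {
  if (!assertion) return false;
  const data = Buffer.from(assertion.clientData);
  if (!crypto.verify('sha256', data, publicKey, assertion.signature)) return false;
  const { origin, challenge } = JSON.parse(assertion.clientData);
  return origin === expectedOrigin && challenge === expectedChallenge;
}

function demo() {
  const REAL = 'https://accounts.example';      // constructed site address
  const FAKE = 'https://accounts-example.test'; // constructed look-alike
  const newChallenge = () => crypto.randomBytes(16).toString('hex');
  const device = new Authenticator();
  const publicKey = device.register(REAL);

  const c1 = newChallenge();
  const assertion = device.sign(REAL, c1);
  const genuine = verifyAssertion(publicKey, REAL, c1, assertion);
  // A fake page relays the real challenge, but the browser reports FAKE.
  const phished = verifyAssertion(publicKey, REAL, c1, device.sign(FAKE, c1));
  // A captured assertion is useless against the next, fresh challenge.
  const replayed = verifyAssertion(publicKey, REAL, newChallenge(), assertion);
  return { genuine, phished, replayed };
}
```

Calling `demo()` returns `genuine: true` with `phished` and `replayed` both `false`: the look-alike site never obtains anything it can reuse, because no secret is typed or transmitted.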
You can set up passkeys on multiple devices. And if you’re signing on temporarily using your friend’s phone or a public library computer, Google offers a QR code scanning mechanism that lets you log in temporarily without permanently storing your passkey.
Password managers warm to passkeys
One complication of passkeys is that they are, for now at least, anchored to specific tech ecosystems — chiefly Apple and Google. For example, when you establish a Google passkey on an Android phone, Google automatically generates passkeys on other Android devices, but not on your iPhone.
But password manager makers Bitwarden, LastPass, Dashlane and 1Password are now active at the FIDO Alliance, working on technology to let you export and import passkeys. It’s not clear how simple that process will be, however, and although Google has expressed support for the idea, Apple has been quiet.
“With Google turning on passkey support today, 1.5 billion people around the world now have the opportunity to adopt passkeys,” 1Password CEO Jeff Shiner said in a statement Wednesday. “In order to be widely adopted though, users need the ability to choose where and when they want to use passkeys so they can easily switch between ecosystems.”
“By eliminating the master password, Dashlane will empower users to create new phishing-resistant, passwordless accounts that don’t suffer from the vulnerabilities of traditional passwords and multifactor authentication,” the company said, arguing that passkeys are also easier to use than passwords.