Google will now actively encourage users to set up passkeys for their Gmail, YouTube, and other first-party accounts, effectively killing passwords.
Starting today, all Google account users will be asked to create passkeys for their accounts the next time they sign in to their Google accounts. This is a rather streamlined process – earlier, users had to go to g.co/passkeys to set them up. Google claims that passkeys can be up to 40% faster than traditional passwords.
This event is not surprising, given that Google has been a proponent of passkeys for some time. It initially pledged support for this technology in May 2022, with a subsequent announcement of passkey support in Android and Chrome. In May 2023, Google rolled out support for passkeys to Google account owners worldwide. This does not entirely kill passwords, though, and Google noted that users can still just use their password over passkeys by turning off the “Skip password when possible” option. If a device is lost, they can revoke Google Account passkeys in Settings.
“Since launching earlier this year, people have used passkeys on their favorite apps like YouTube, Search and Maps, and we’re encouraged by the results. We’re even more excited to see the growing adoption of passkeys across industry. Recently, Uber and eBay have enabled passkeys — giving people the option to ditch passwords when signing-in on their platforms — and WhatsApp compatibility will also be coming soon,” Sriram Karra, Senior Product Manager, and Christiaan Brand, Group Product Manager at Google, wrote in a blog post.
Passkeys represent a cutting-edge alternative to traditional passwords. They enable users to access their accounts using the same biometrics (like fingerprint or facial recognition) or PINs they use to unlock their devices. With passkeys, the need for memorizing complex passwords is eliminated, marking a significant step forward in simplifying the user experience and a significant stride towards a passwordless future.
The core idea behind passkeys is their resistance to phishing attacks, credential stuffing, keylogger malware, and the common problem of forgotten passwords. This robust security is achieved by splitting passkeys into two parts: one stored on the server (like Google’s) and the other on the user’s device. To gain access, both parts must match, providing strong authentication.
One crucial aspect of passkeys is their reliance on physical access to the user’s device. Even in the event of a server breach, hackers cannot remotely access accounts without access to the user’s device. This layer of protection significantly enhances security. Furthermore, traditional passwords are susceptible to phishing attacks, where users are tricked into revealing their credentials. Passkeys, with their split authentication mechanism, are inherently resistant to such tactics.