[Image: a shield and lock over a world map. Image: Google]

Google Account holders can now use passkeys instead of passwords to log in, Google announced in a security blog post on Wednesday. It’s a potential sign that the tech industry is moving away from passwords as the most common way to sign in.

How are passkeys implemented?

A passkey is a FIDO credential: a cryptographic key pair generated on your device, with the private key kept on that device and never sent anywhere. Passkeys follow the standards created by the FIDO Alliance and the W3C WebAuthn working group. At registration Google receives only the matching public key, which lets it verify a signature produced with the private key without ever holding that key or needing a direct line to your device. A passkey is also bound to the site it was created for, so one registered with Google can be used only on Google's websites and apps and cannot be presented to anyone else.


“The signature proves to us that the device is yours since it has the private key, that you were there to unlock it, and that you are actually trying to sign in to Google and not some intermediary phishing site,” wrote Google's Arnar Birgisson and Diana K. Smetters in the announcement post.

What do passkeys mean for Google Accounts?

A passkey is not itself a fingerprint, a face scan or a PIN; those are the screen-lock methods your device uses to unlock the private key before it will sign anything. A single passkey replaces both the password and the second factor. The biometric or PIN check happens entirely on the device, so your device knows you are authorized, but neither the biometric data nor the private key leaves that local check.

Once you’ve added a passkey to your account, Google will ask for it when you sign in or perform certain sensitive actions. Your device runs its screen-lock check, biometric or PIN, and only then uses the private key to sign Google's challenge; Google receives the signature, never the passkey itself or the biometric. The security gain comes from the private key staying on the device, out of reach of any third party, and from Google holding no shared secret for it: even if an attacker obtains your Google Account address, there is no password-style secret on Google's side to steal alongside it.

Google Account holders can keep using passwords if they prefer, or if their device lacks a screen lock with biometrics or a PIN and so cannot hold a passkey. Naturally, the passkey option itself won’t work on such devices. Where the device does support it, the option to sign in with a passkey remains available, and, conversely, passwords and two-factor authentication remain valid ways to log in.


Different details for different devices

Because each passkey is created on and tied to a specific device, and then registered to your account, Google Account holders who activate passkeys may need to think about login a bit differently. You may have a separate passkey on each device, or sync them between devices where the platform builds that in, as Apple does. Some devices will prompt you to “use a passkey from another device” where appropriate.

There is one area in which this could make accounts less secure, not more: if someone gains physical access to your device and can get past its screen lock, they could sign in with the passkey stored there.

Google weighed this risk too. The team concluded “most people will find it easier to control access to their devices rather than maintaining good security posture with passwords and having to be on constant lookout for phishing attempts,” wrote Arnar Birgisson and Diana K. Smetters, of the Identity Ecosystems and Google Account Security and Safety teams, in the announcement post.

Why is Google changing to passkeys?

Google says it is making this change to reduce the number of successful phishing attacks against Google Account holders. Because a passkey does not depend on a phone number, it also removes the “SIM swapping” attacks that target SMS verification codes. Two-factor authentication does cut down on successful phishes, but Google says it has found that it adds “additional, unwanted friction” and does not protect against other types of attacks, like the SIM swap.