Google has announced that users can create and use passkeys on personal Google accounts in place of passwords. This is obviously a first step before this improved security system is rolled out across all Google platforms.
What is Passkey Security?
Passkeys are a more convenient and safer alternative to passwords. They work on all major platforms and browsers, and allow users to sign in by unlocking their computer or mobile device with their fingerprint, face recognition or a local PIN.
Passwords, as many users know, are flawed: it's hard to remember complex ones, and even so people can be tricked by phishing emails into giving them away, or just leave them on a Post-It attached to the computer.
Creating passkeys on your Google Account
When users add a passkey to a Google Account, the login will start asking for it when you sign in or perform sensitive actions on that account. The passkey itself is stored on your local computer or mobile device, which will ask for your screen lock biometrics or PIN to confirm it's really you. Biometric data is never shared with Google or any other third party: the screen lock only unlocks the passkey locally.
Unlike passwords, passkeys can only exist on users' own devices. They cannot be written down or accidentally given to a bad actor. When you use a passkey to sign in to your Google Account, it proves to Google that you have access to your device and are able to unlock it. Together, this means that passkeys protect users against phishing and any accidental mishandling that passwords are prone to, such as being reused or exposed in a data breach. This is stronger protection than most 2FA methods which send a code to your mobile device. So you don't need the password or 2FA when you use a passkey. In fact, passkeys are strong enough that they can stand in for security keys for users enrolled in Google's Advanced Protection Program.
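To make the "proves you have access to your device" step concrete, here is an added example (not from the original article and not Google's code) that models a passkey sign-in in Node.js as a signed challenge bound to the site's origin. It is a simplified sketch of the WebAuthn-style exchange; the origins, function names and message layout are assumptions made for illustration.

```javascript
// Added example: simplified passkey sign-in model, not Google's implementation.
const crypto = require('node:crypto');

const REAL_ORIGIN = 'https://accounts.example';           // constructed value
const LOOKALIKE_ORIGIN = 'https://accounts-example.test'; // constructed value
const newChallenge = () => crypto.randomBytes(32).toString('base64url');

// Device: create the key pair; only the public key is registered with the site.
function createPasskey() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Device: after the local screen-lock check, sign the challenge together with
// the origin the browser is really on (the page cannot choose this value).
function signAssertion(privateKey, challenge, origin) {
  const clientData = Buffer.from(JSON.stringify({ challenge, origin }));
  return { clientData, signature: crypto.sign('sha256', clientData, privateKey) };
}

// Server: accept only a valid signature over this session's challenge and our origin.
function verifyAssertion(publicKey, expectedChallenge, expectedOrigin, assertion) {
  const { clientData, signature } = assertion;
  if (!crypto.verify('sha256', clientData, publicKey, signature)) return 'bad-signature';
  const { challenge, origin } = JSON.parse(clientData.toString('utf8'));
  if (challenge !== expectedChallenge) return 'stale-challenge';
  if (origin !== expectedOrigin) return 'wrong-origin';
  return 'ok';
}

function runScenarios() {
  const { publicKey, privateKey } = createPasskey();
  const check = (c, a) => verifyAssertion(publicKey, c, REAL_ORIGIN, a);
  const c1 = newChallenge();
  const legit = signAssertion(privateKey, c1, REAL_ORIGIN);
  // A look-alike page relays the server's challenge, but the browser records its real origin.
  const c2 = newChallenge();
  const phished = signAssertion(privateKey, c2, LOOKALIKE_ORIGIN);
  // Rewriting the origin afterwards invalidates the signature.
  const forgedData = Buffer.from(JSON.stringify({ challenge: c2, origin: REAL_ORIGIN }));
  const forged = { clientData: forgedData, signature: phished.signature };
  return {
    legit: check(c1, legit),
    phished: check(c2, phished),
    forged: check(c2, forged),
    replayed: check(newChallenge(), legit), // captured response, new session
  };
}
```

Calling `runScenarios()` shows that only the response signed on the real origin for the current challenge is accepted, which is why a secret that is never typed or transmitted cannot be phished or reused the way a password or an SMS code can.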
Creating a passkey on your Google Account makes it an option for sign-in. Existing methods, including the old password, will still work in case you need them, for example when using devices that don't support passkeys yet. Passkeys are still new and it will take some time before they become commonplace and accepted by users. However, creating a passkey today still comes with security benefits as it allows Google security to pay closer attention to the sign-ins that fall back to passwords.
This is a welcome development in the face of constant attempts to hack the security of utility systems and we will see how passkeys develop as a common security system in future.