Passwords are becoming a thing of the past. For the past few years, Microsoft, Apple, and Google have been openly committed to a passwordless future, announcing plans to expand support for passwordless sign-in technologies created by the FIDO Alliance and the World Wide Web Consortium. Passkeys are a vital tech in this shift, as they provide a faster, more efficient, and safer way for users to sign into their devices and accounts.
On October 10, 2023, Google took another big leap in the transition to passkeys. In celebration of Cybersecurity Awareness Month, the company announced that users can now switch to passkeys and make them the default sign-in option across their personal Google Accounts.
Faster, better, safer: The benefits of passkeys
Google began offering passkeys for some users last year. The company said the feedback it received was positive, which allowed it to move to the global rollout. Companies like Uber and eBay have also enabled passkeys, and WhatsApp is expected to join soon.
From a user’s perspective, signing in with a passkey is as simple as using a face scan or fingerprint ID to unlock a device.
Passkeys are:
- 40% faster than passwords
- A more secure authentication technology based on public key cryptography
- Phishing resistant
- A simple way to sign in (users don’t have to remember passwords made of numbers, special characters, and letters)
- More secure than SMS one-time codes
- Compatible with biometrics (fingerprint or facial recognition) or lock PINs
Okay, but what exactly are passkeys?
With so many different authentication technologies in play, it is easy to be confused about what exactly passkeys are. Google Security expert Christiaan Brand recently explained passkeys’ security and features in a Google Blog post.
“A passkey is a FIDO credential stored on your computer or phone, and it is used to unlock your online accounts,” Brand said. “It works using public key cryptography, and proof that you own the credential is only shown to your online account when you unlock your phone.”
Brand says that passkeys will replace passwords. Users will just need to unlock their phones to get into their accounts.
Brand goes even further and says that passkeys will replace all the “band-aids” the industry created to deal with password vulnerabilities. This means, according to the expert, that one-time codes, password managers, authentication apps, SMS and push notifications, and multi-factor authentication (MFA) will soon be a thing of the past.
How authentication works with private passkeys
Technically, passkeys are built on public key cryptography. The technique was initially developed in the 1970s and built into the World Wide Web in the 1990s through the Secure Sockets Layer (SSL) protocol, which used public keys to authenticate websites and secure user privacy.
Today, all respectable websites use Transport Layer Security (TLS), which replaced SSL. “It is how you can identify whether a website is authentic and what it claims to be,” Brand said.
Passkeys are similar to TLS. Instead of verifying systems or websites, passkeys verify that a user has the corresponding private key on their device. Passkey cryptography not only confirms that a user’s device has the passkey but also confirms, through biometrics, that the user is in possession of that device.
“That’s the magic of public key cryptography,” said Brand. “It can validate you without knowing anything about you. It just confirms you are who you say you are.”
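The check described in this section, as an example added here (it is not Google's code and does not use the real WebAuthn message format): the server keeps only a public key, the device signs a fresh challenge together with the site origin after the user unlocks it, and the server rejects replays, other origins and signatures from other keys. The function names, the user "alice" and the origins are assumptions made for illustration.

```javascript
// Simplified model of a passkey sign-in; not the real WebAuthn message format.
const nodeCrypto = typeof require === "function"
  ? require("node:crypto") : process.getBuiltinModule("node:crypto");

// Device side: the private key never leaves the authenticator.
function createPasskey(origin) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { origin, privateKey, publicKey };
}

// Device side: sign the server's challenge plus the origin the browser actually sees.
function signAssertion(passkey, challenge, seenOrigin, userUnlockedDevice) {
  if (!userUnlockedDevice) return null;            // no biometric or PIN unlock, no signature
  if (seenOrigin !== passkey.origin) return null;  // no credential exists for a lookalike site
  const clientData = JSON.stringify({ challenge, origin: seenOrigin });
  const signature = nodeCrypto.sign("sha256", Buffer.from(clientData), passkey.privateKey);
  return { clientData, signature };
}

// Server side: stores only public keys and the challenges it has issued.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); this.pending = new Set(); }
  register(user, publicKey) { this.publicKeys.set(user, publicKey); }
  newChallenge() {
    const challenge = nodeCrypto.randomBytes(32).toString("base64url");
    this.pending.add(challenge);
    return challenge;
  }
  verify(user, assertion) {
    const key = this.publicKeys.get(user);
    if (!key || !assertion) return "rejected: no assertion";
    const { challenge, origin } = JSON.parse(assertion.clientData);
    if (origin !== this.origin) return "rejected: wrong origin";
    if (!this.pending.delete(challenge)) return "rejected: unknown or reused challenge";
    const ok = nodeCrypto.verify("sha256", Buffer.from(assertion.clientData), key, assertion.signature);
    return ok ? "accepted" : "rejected: bad signature";
  }
}

function demo() {
  const rp = new RelyingParty("https://accounts.example"); // constructed origin
  const passkey = createPasskey(rp.origin);
  rp.register("alice", passkey.publicKey);
  const good = signAssertion(passkey, rp.newChallenge(), rp.origin, true);
  const lookalike = signAssertion(passkey, rp.newChallenge(), "https://accounts.example.test", true);
  return [rp.verify("alice", good), rp.verify("alice", good), rp.verify("alice", lookalike)];
}
console.log(demo());
```

Nothing the server stores can be used to sign in elsewhere, which is the property the section contrasts with passwords.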
How can I enable passkeys on my Google Account?
First off, only create a passkey on a device that you own and control. And before enabling passkey authentication, be aware that if your account has 2-Step Verification or is enrolled in the Advanced Protection Program, you will bypass your second authentication step by signing in with a passkey.
Additionally, if your account was provided to you by your school or your company, you will not be able to use passkeys at this time.
Passkey requirements are:
- Devices running at least Windows 10, macOS Ventura, or ChromeOS 109
- Smartphones operating at least iOS 16 or Android 9
- Web browsers Chrome 109 or up, Safari 16 or up, or Edge 109 or up
- Devices must have Screen Lock enabled, and Bluetooth turned on if you want to use a passkey on a phone to sign in to another computer
To enable passkeys as your default sign-in for your Google Account:
- Go to http://g.co/passkeys.
- Click on “Get passkeys.”
- Click on “Create a passkey” and choose “Continue.”
- Follow the on-screen instructions.
- You may be asked to unlock your device.
You can also access passkeys by going to myaccount.google.com and going to Security. Then scroll down and click on Passkeys.
You can also use a passkey on your mobile or tablet device to sign in to your computer. Once passkeys are enabled on your computer, you will see a QR code appear on the screen. Scan it with your mobile phone’s camera to sign in for the first time.
Finally, make sure the option to “Skip password when possible” is enabled.
What happens if I change devices? What if I lose my phone or it gets stolen?
Because passkeys are backed up and synced across devices under the same Google Account, when you replace your smartphone or device, your passkeys remain with you.
If your device is lost or stolen, you can still log in to your Google Account using another device that has access to your account. Once there, you can go to Security, then Passkeys, and remove the passkey associated with your lost or stolen device. The same step-by-step process applies if you decide to opt out.
I don’t want to use a passkey. How do I opt out?
Removing or opting out from passkeys is simple. All you have to do is follow these steps.
To remove or opt out of passkeys:
- Go to your Google Account.
- Select Security.
- Under Signing in to Google, tap Passkeys.
- Select the passkey you want to remove.
- Tap the X icon.
The end of passwords
Passwords cause a wide range of headaches and pains. Not only are they easily forgotten, but they can be stolen and sold on the dark web. Plus, they are time-consuming, phishing-vulnerable, and so insecure that they work only in combination with MFA.
While the passwordless future isn’t quite here yet, the world is slowly and steadily moving in that direction. And it does make sense. Modern times demand that technology be easy to use, extremely safe, and personal. However, don’t expect passkeys to replace passwords overnight.
Overall, we look forward to the day when passwords are fully replaced by a seamless, more private, and safer authentication technology.
This is an independent publication, and it has not been authorized, sponsored, or otherwise approved by Google LLC. Google Account is a trademark of Google LLC.