Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

Passkeys Support Added to Google Accounts for Passwordless Sign-Ins

Google has added passkeys support to Google accounts on all major platforms as part of the company’s passwordless sign-in efforts.

Google announced on Wednesday that users can now sign into their Google account using passkeys. The move is part of the company’s efforts towards passwordless authentication.

Unlike passwords, which can be compromised in phishing attacks, passkeys cannot be written down or stolen by threat actors. Passkeys are also more convenient because they make the login process easier, including by skipping the two-factor authentication (2FA) step.

Passkeys are stored on the user’s device and presented to Google to verify the user’s identity when they log in. Instead of entering a password, users are required to simply unlock their phone or computer using an authentication method such as a local PIN, fingerprint, or face recognition. 

A passkey is a cryptographic private key whose corresponding public key is in Google’s possession. The passkey is unlocked locally and biometric data is not shared with Google or anyone else.

Google provides a simple explanation for how passkeys work: 

“When you sign in we ask your device to sign a unique challenge with the private key. Your device only does so if you approve this by unlocking the device. We then verify the signature with your public key.

Your device also ensures the signature can only be shared with Google websites and apps, and not with malicious phishing intermediaries. This means you don’t have to be as watchful with where you use passkeys as you would with passwords, SMS verification codes, etc.

Advertisement. Scroll to continue reading.

This signature proves to us that the device is yours since it has the private key, that you were there to unlock it, and that you are actually trying to sign in to Google and not some intermediary phishing site. The only data shared with Google for this to work is the public key and the signature. Neither contains any information about your biometrics.”

A unique passkey is created for each account, which means that an account protected by a passkey is not exposed in case a different account belonging to the same user is compromised. 

Google noted that users will still be able to log into their account using passwords and other authentication methods.

“Passkeys are still new and it will take some time before they work everywhere, however creating a passkey today still comes with security benefits as it allows us to pay closer attention to the sign-ins that fall back to passwords. Over time we’ll scrutinize these more as passkeys gain broader support and familiarity,” the tech giant said.

Other tech giants, such as Apple and Microsoft, have also taken steps to enhance support for passwordless sign-ins

Related: Google Brings Passkey Support to Android and Chrome

Related: Passkeys Now Fully Supported in Google Chrome

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Identity & Access

NSA publishes recommendations on maturing identity, credential, and access management capabilities to improve cyberthreat protections.