Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

Passkeys Support Added to Google Accounts for Passwordless Sign-Ins

Google has added passkeys support to Google accounts on all major platforms as part of the company’s passwordless sign-in efforts.

Google announced on Wednesday that users can now sign into their Google account using passkeys. The move is part of the company’s efforts towards passwordless authentication.

Unlike passwords, which can be compromised in phishing attacks, passkeys cannot be written down or stolen by threat actors. Passkeys are also more convenient because they make the login process easier, including by skipping the two-factor authentication (2FA) step.

Passkeys are stored on the user’s device and presented to Google to verify the user’s identity when they log in. Instead of entering a password, users are required to simply unlock their phone or computer using an authentication method such as a local PIN, fingerprint, or face recognition. 

A passkey is a cryptographic private key whose corresponding public key is in Google’s possession. The passkey is unlocked locally and biometric data is not shared with Google or anyone else.

Google provides a simple explanation for how passkeys work: 

“When you sign in we ask your device to sign a unique challenge with the private key. Your device only does so if you approve this by unlocking the device. We then verify the signature with your public key.

Your device also ensures the signature can only be shared with Google websites and apps, and not with malicious phishing intermediaries. This means you don’t have to be as watchful with where you use passkeys as you would with passwords, SMS verification codes, etc.

This signature proves to us that the device is yours since it has the private key, that you were there to unlock it, and that you are actually trying to sign in to Google and not some intermediary phishing site. The only data shared with Google for this to work is the public key and the signature. Neither contains any information about your biometrics.”

Advertisement. Scroll to continue reading.

A unique passkey is created for each account, which means that an account protected by a passkey is not exposed in case a different account belonging to the same user is compromised. 

Google noted that users will still be able to log into their account using passwords and other authentication methods.

“Passkeys are still new and it will take some time before they work everywhere, however creating a passkey today still comes with security benefits as it allows us to pay closer attention to the sign-ins that fall back to passwords. Over time we’ll scrutinize these more as passkeys gain broader support and familiarity,” the tech giant said.

Other tech giants, such as Apple and Microsoft, have also taken steps to enhance support for passwordless sign-ins

Related: Google Brings Passkey Support to Android and Chrome

Related: Passkeys Now Fully Supported in Google Chrome

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Wendi Whitmore has taken the role of Chief Security Intelligence Officer at Palo Alto Networks.

Phil Venables, former CISO of Google Cloud, has joined Ballistic Ventures as a Venture Partner.

David Currie, former CISO of Nubank and Klarna, has been appointed CEO of Vaultree.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.