Google announced on Wednesday that users can now sign into their Google account using passkeys. The move is part of the company’s efforts towards passwordless authentication.
Unlike passwords, which can be compromised in phishing attacks, passkeys cannot be written down or stolen by threat actors. Passkeys are also more convenient because they make the login process easier, including by skipping the two-factor authentication (2FA) step.
Passkeys are stored on the user’s device and presented to Google to verify the user’s identity when they log in. Instead of entering a password, users are required to simply unlock their phone or computer using an authentication method such as a local PIN, fingerprint, or face recognition.
A passkey is a cryptographic private key whose corresponding public key is in Google’s possession. The passkey is unlocked locally and biometric data is not shared with Google or anyone else.
Google provides a simple explanation for how passkeys work:
“When you sign in we ask your device to sign a unique challenge with the private key. Your device only does so if you approve this by unlocking the device. We then verify the signature with your public key.
Your device also ensures the signature can only be shared with Google websites and apps, and not with malicious phishing intermediaries. This means you don’t have to be as watchful with where you use passkeys as you would with passwords, SMS verification codes, etc.
This signature proves to us that the device is yours since it has the private key, that you were there to unlock it, and that you are actually trying to sign in to Google and not some intermediary phishing site. The only data shared with Google for this to work is the public key and the signature. Neither contains any information about your biometrics.”
A unique passkey is created for each account, which means that an account protected by a passkey is not exposed in case a different account belonging to the same user is compromised.
Google noted that users will still be able to log into their account using passwords and other authentication methods.
“Passkeys are still new and it will take some time before they work everywhere, however creating a passkey today still comes with security benefits as it allows us to pay closer attention to the sign-ins that fall back to passwords. Over time we’ll scrutinize these more as passkeys gain broader support and familiarity,” the tech giant said.
Other tech giants, such as Apple and Microsoft, have also taken steps to enhance support for passwordless sign-ins.
Related: Google Brings Passkey Support to Android and Chrome
Related: Passkeys Now Fully Supported in Google Chrome