Identity, Distributed Workforce, Application security

Google adds passkeys for user accounts; ‘passwords are dead,’ official says

Fingerprint scan provides security access with biometrics identification concept.

Google rolled out passkeys for user accounts on May 3 as part of its planned effort to provide secure access to its platforms without the use of passwords. 

“Passwords are dead. May we never have to see them, remember them, or type them,” the passkey project lead Christiaan Brand, Google’s identity and security product manager, made the announcement on Twitter.

Passkeys are designed to eventually replace passwords, as they’re viewed as a more secure authentication method than passwords. The method enables users to sign into apps and sites using the same authentication to unlock devices with a face scan, fingerprint or PIN.

Noting the shift to passwordless-authentication will take time, passwords and 2SV will continue to work on Google accounts, for now. Administrators of Google Workspace accounts will be provided the option to enable passkeys for end-users at sign-on in the near future.

Google announced the planned passkeys rollout last year, as a collaboration with FIDO Alliance, Apple, and Microsoft. The passkey project focused on adding the authentication method to Chrome and Android and its services like Docusign, Kayak, PayPal, Shopify and Yahoo! Japan.

Brand touted the importance of passkeys at the RSA 2023 Conference last week in San Francisco, noting the passkey plan began nearly 10 years ago in hopes of shifting “the world away from passwords.”

“We are finally at the mass point where a shift away from passwords to passkeys is starting to happen,” said Brand. “That means we can start to move away from the legacy Band-Aids we’ve used for passwords over the years, things like two-factor authentication and multi-factor authentication.”

“Those [tools] are Band-Aids we put on our passwords because they didn’t live up to the expectation that we had for them,” he continued. “Passkeys are kind of a clean slate. At the same time, it's a migration away from all the hassles regarding passwords.”

Passkeys are much more secure, like a purposeful framework built on a strong foundation, he explained. The tool should be considered an alternative to these customized authentication solutions that are still based on the password model. Most of these alternatives are just “passwords with additional layers on top.”

The goal of passkeys is to mimic the manner in which everyone leverages transport layer encryption, Brand explained. TLS is built right into the platform, he continued: “There's not even a conversation about it, we use TLS, and that's the end of the story.”

The tool is made up of a public key and private key, which solves the issue of password reuse and less data loss when there’s a breach. Brand stressed that the public-private key credentials are phishing resistant, as they aren't credentials with a single string — it’s a cryptographic key.

“There’s no way that the user can read part of the cryptographic key from the device,” he explained.

The use must be physically present on both the phone, which is used for pairing, and the device in which they’re attempting to log-on.

But like all new technology, the journey to broad adoption of passkeys will take time, as users and administrators work to adapt. Brand is hopeful that we’re on the right path to accomplish password replacements, which will take time and investment from more companies in this space.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.