News & Analysis

What the Phish! Bye-Bye Passwords

On the occasion of World Password Day, Google has started accepting passkeys, a cryptographic solution, instead of the password

Having kept all of us waiting for a long time, Google has eventually taken a step towards a password-less future. They announced that going forward users would only require passkeys, the cryptographic keys solution, across all its platforms. So, celebrate World Password Day today by ditching passwords and two-step verification for Passkeys! 

The cryptographic keys solution requires a pre-authenticated device that can now be used across all Google accounts on all major platforms. For quite some time, Google, Apple and Microsoft along with other tech companies that are part of the FIDO alliance have been pushing passkeys as a safer and convenient alternative to memory-numbing passwords. 

When passwords are limited to just one device

Proponents of passkey say these can replace traditional passwords and other sign-in options such as 2-factor authentication or SMS verification with a local PIN or Face ID. This biometric data is not shared with Google or any other third party, existing as they do only on the devices that one uses, thus making it more secure and protected against phishing attacks. 

By adding a passkey to a Google account, the platform begins prompting when one signs in or detects potentially suspicious activity that needs verification. Passkeys for Google accounts are stored on compatible devices such as iPhones running iOS16 and Android devices running version 9 and beyond. These can be shared to other devices using iCloud or a few password managers such as Dashlane. 

No worries! You can log in from another device too

Does this mean that one cannot use another person’s device temporarily to gain access to one’s Google account? Not really! All one needs to do is select the “use a passkey from another device” option and create a one-time sign-in without having to transfer the passkey over to the new piece of hardware.  

In fact, Google has waxed eloquent about how one should never create passkeys on a shared device because anyone who gets access and can unlock the device would have access to the Google account. Of course, one can revoke passkeys in Google account settings if there is a suspected attack, or the account was shared in the past or if the device is lost or stolen. 

The company has once again exhorted users to enroll in its Advanced Protection Program, a free of charge service that provides additional security protections against phishing attacks and malicious apps. These users can choose to take up passkeys in lieu of their usually physical security keys. 

Google, Apple, Microsoft are promoting Passkeys

“We’re thrilled with Google’s announcement today as it dramatically moves the needle on passkey adoption due both to Google’s size, and to the breadth of the actual implementation — which essentially enables any Google account holder to use passkeys,” said Andrew Shikiar, executive director of FIDO Alliance, in a statement.

“I also think that this implementation will serve as a great example for other service providers and stand to be a tipping point for the accelerated adoption of passkeys,” he said. Google is aware that it may take some time for passkey support to be widely adopted, so the company would continue to support the existing login methods such as passwords in the near future. 

What this means is users who are not currently having a device supporting biometric authentication, would get time to transition to such a handset and adopt the new technology. However, Google is sure that they would eventually shift over completely to passkeys. The blog post also noted that it would test out other sign-in methods while passkeys become popular.

Last December, Google’s Chrome browser gained passkey support though websites with such support are quite limited for now. This makes things tougher for the company to go totally password free but help come be at hand. 1Password, a service that should launch soon, has a page suggesting the websites that support passkeys. 

Leave a Response