Google is rolling out passkey support for Google Accounts across all services and platforms, allowing users to sign in to their Google Accounts without entering a password or using two-step verification (2SV).
“We’ve started rolling out support for passkeys in Google Accounts across all major platforms. This means users can now leverage passkeys across Google services for a great sign-in experience without a password,” said Google Product Managers Christiaan Brand and Sriram Karra.
Passkeys are tied to each device (computer, tablet or smartphone) on which they have been added to the account, and they work locally: the user unlocks them with a PIN or screen-lock biometrics (fingerprint or face identification).
They greatly reduce the risk of a data breach affecting other accounts and protect against phishing attacks, which cannot use them to hijack accounts.
They provide a more secure and convenient alternative to passwords, allowing you to use biometric sensors (e.g. fingerprint scanners, facial recognition), PIN codes or patterns to log in to websites and apps, eliminating the need to remember and manage passwords.
“This signature proves to us that the device is yours since it has the private key, that you were there to unlock it, and that you are in fact trying to log into Google and not some intermediary phishing site,” said Google's Arnar Birgisson and Diana K Smetters.
“The only data shared with Google for this to work is the public key and the signature. Neither of these contain any information about your biometric data.”
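The three properties named in the quote map onto checks a relying party runs on a WebAuthn assertion. The sketch below is an added example, not Google's code: `verifyAssertion`, `makeAssertion`, `demo` and the `example.com` values are hypothetical, and it assumes an ES256 key already loaded as a Node.js key object rather than parsed from the COSE format a real registration stores.

```javascript
// Added example: relying-party checks on a WebAuthn assertion (Node.js built-in crypto).
const nodeCrypto = require("node:crypto");
const sha256 = (buf) => nodeCrypto.createHash("sha256").update(buf).digest();

// Returns "ok" or the name of the first check that failed.
function verifyAssertion(a, publicKey, expected) {
  const client = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong-type";
  if (client.challenge !== expected.challenge) return "challenge-mismatch"; // stale or replayed
  if (client.origin !== expected.origin) return "origin-mismatch"; // signed for another site
  const rpIdHash = a.authenticatorData.subarray(0, 32);
  if (!rpIdHash.equals(sha256(expected.rpId))) return "rp-id-mismatch";
  const flags = a.authenticatorData[32];
  if (!(flags & 0x01)) return "user-not-present"; // UP flag
  if (!(flags & 0x04)) return "user-not-verified"; // UV flag: PIN or biometric unlock
  // The signature covers authenticatorData || SHA-256(clientDataJSON).
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify("sha256", signed, publicKey, a.signature) ? "ok" : "bad-signature";
}

// Constructed stand-in for a device authenticator, used only to produce sample data.
// authenticatorData layout: 32-byte RP ID hash, 1 flags byte, 4-byte signature counter.
function makeAssertion(privateKey, rpId, origin, challenge, flags = 0x05) {
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([flags]), Buffer.alloc(4)]);
  const clientDataJSON = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }));
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { authenticatorData, clientDataJSON, signature: nodeCrypto.sign("sha256", signed, privateKey) };
}

function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  const challenge = nodeCrypto.randomBytes(32).toString("base64url");
  const expected = { rpId: "example.com", origin: "https://example.com", challenge };
  const genuine = makeAssertion(privateKey, "example.com", "https://example.com", challenge);
  const otherSite = makeAssertion(privateKey, "example.com", "https://login.example.net", challenge);
  const notUnlocked = makeAssertion(privateKey, "example.com", "https://example.com", challenge, 0x01);
  const tampered = { ...genuine, authenticatorData: Buffer.from(genuine.authenticatorData) };
  tampered.authenticatorData[36] ^= 1; // alter the signature counter after signing
  return [genuine, otherSite, notUnlocked, tampered].map((a) => verifyAssertion(a, publicKey, expected));
}
```

Only the public key, the signature and the signed metadata reach the verifier; the PIN or biometric check happens on the device and surfaces solely as the UV flag.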
For now, passkeys will be just another Google sign-in option, which ensures you have a fallback method and can sign in with a password when you do not have access to your device or if it does not support passkeys.
Passkeys are securely backed up and synced to the cloud to prevent lockouts if you lose the device they were generated on and to make it easy to upgrade to new devices. They work on all major web browsers and platforms (e.g. Windows, macOS, iOS, and ChromeOS).
For example, if you create a passkey on your iPhone, it will be available on your other Apple devices logged into the same iCloud account, with the same passwordless experience.
Part of a no-password push that started years ago
Today’s announcement follows the introduction of passkey support to the Chrome web browser and Android operating system in October 2022.
The two moves are part of a much larger effort to accelerate passkey adoption and come on the heels of a joint announcement in May 2022 of plans to support them as a passwordless login standard developed by the World Wide Web Consortium (W3C) and the FIDO Alliance.
Microsoft and Apple also pledged passkey support in May 2022, making the new Web Authentication (WebAuthn) credentials (or FIDO credentials) the standard way to log into accounts without a password on the platforms of the three tech giants.
Google, Microsoft and Mozilla have backed WebAuthn since April 2018, when they announced their intention to support the new API in the Chrome, Edge, and Firefox web browsers.
Abandoning password authentication will improve online security, as passwords are the most common target for attackers trying to hijack online identities.
“While we encourage users to try the convenience and security of passkeys, other methods such as passwords and 2SV will still work on Google Accounts,” Brand and Karra said.
“For Google Workspace accounts, administrators will soon have the ability to enable access keys for their end users upon login.”