Google rolls out passkeys in service of passwordless future

Google referred to its new passkey option, which features facial recognition, fingerprint and PIN-based authentication, as 'the beginning of the end of the password.'

Google rolled out a new passkey option Wednesday that the tech giant referred to as "the beginning of the end of the password."

Passkeys are a form of user authentication that has existed in various forms for well over a decade. Passkeys typically take the form of biometric data stored locally on the user's device and are considered one of the authentication methods most resistant to threat activity. Many cybersecurity companies and authentication experts also consider passkeys to be a primary alternative to usernames and passwords.

Google's passkeys, which are now available to all the vendor's users, include three options: a PIN, facial recognition or fingerprint authentication. When the feature is enabled, Google will ask for authentication whenever a user signs in or attempts to access sensitive information.

According to a Google Security Blog post published alongside the announcement, passkeys are stored locally on the user's computer or mobile device.

"Biometric data is never shared with Google or any other third party -- the screen lock only unlocks the passkey locally," the blog post read.

The post, cowritten by Google engineers Arnar Birgisson and Diana Smetters, argued that passwords put "a lot of responsibility on users" and are at risk of falling into the hands of threat actors.

"Choosing strong passwords and remembering them across various accounts can be hard," they wrote. "In addition, even the most savvy users are often misled into giving them up during phishing attempts. 2SV (2FA/MFA) helps, but again puts strain on the user with additional, unwanted friction and still doesn't fully protect against phishing attacks and targeted attacks like 'SIM swaps' for SMS verification. Passkeys help address all these issues."

Birgisson and Smetters added that passkeys are strong enough protection that Google allows users to skip password login and two-step verification when a passkey is enabled. Moreover, they said, "passkeys are strong enough that they can stand in for security keys for users enrolled in our Advanced Protection Program."

In a second blog post titled "The Beginning of the End of the Password," Google product managers Christiaan Brand and Sriram Karra wrote that although the passkey rollout is a step away from passwords, users will still be able to choose traditional passwords and two-step verification because "like any new beginning, the change to passkeys will take time."

Google's passkey introduction is part of the company's previously announced strategy to begin phasing out usernames and passwords in favor of stronger authentication systems to better protect accounts. Last May, Google joined Apple and Microsoft in expanding support for the Fast Identity Online Alliance's FIDO2 standard, a passwordless authentication specification that is the basis of Google's passkey option.

Jack Poller, a senior analyst at TechTarget's Enterprise Strategy Group, said in an email that the transition to passwordless authentication is "definitely picking up steam" and that Google's implementation is "very simple and easy to use."

"Google's rollout of passkey support, alongside Apple and Microsoft, ensures that the fundamental components of FIDO-based passwordless authentication are available across all major platforms," he said. "Now, developers can add passwordless authentication to apps and websites with full confidence that users can switch to passwordless while using all major browsers, laptops and mobile devices."

Poller said he expects passkeys will see rapid user adoption by the end of the year. At RSA Conference 2023, 1Password CEO Jeff Shiner told TechTarget Editorial that his company is embracing passkeys. He added that 75% of those surveyed in a new study conducted by the password manager were ready to use passkeys, though passwordless adoption will still "take a number of years."

Google had not responded to TechTarget Editorial's request for comment at press time.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
