Google Takes a Bold Step Into a Future Without Passwords
For the past few decades, passwords have been the most common way to secure your online accounts. While secondary authentication measures like one-time passwords and two-factor authentication have come into play in recent years, your password is still your first line of defense against intrusion.
However, passwords are also the weakest link in your security chain — for several reasons. Firstly, many people choose simple and common passwords that are easy to remember — and easy for hackers to guess — while some systems force users to create such cumbersome passwords that they’re more likely to forget them. This results in passwords being jotted down insecurely in daytimers and post-it notes stuck on note boards and computer screens.
Then there’s the problem of password reuse. Unless you’re a person who is overly security conscious, chances are you’ve used the same password on more than one online service. In fact, studies have shown that nearly two-thirds of people use the same password for multiple online services, and many use one password for everything from online banking to fly-by-night shopping sites. All it takes is one massive data breach, and those passwords are out in the wild, ready for criminal hackers to employ in attacking every other site where they may have been used.
Lastly, even if you’re diligent enough to use a unique password on every site you visit, you could still fall prey to a phishing attack where a scammer tries to get you to divulge your password by luring you to a fake website that looks like Apple, Amazon, or your online bank.
It’s failings like these with the humble password that have created the need for secondary authentication methods, such as additional six-digit codes sent to your phone to confirm that it’s really you who’s logging in. However, even these aren’t foolproof; criminals have turned to “SIM-jacking” attacks to intercept those SMS codes and gain access to more sensitive accounts. Further, SMS passwords are still vulnerable to phishing attacks since a fake site can trick you into disclosing those as well.
While other methods like physical security keys and Google Smart Lock are considerably more secure, these can also be more complicated to set up and more cumbersome to use.
However, the reality is that two-factor authentication methods are just a band-aid — an attempt to “solve the solution” of using passwords rather than solving the problem with passwords, which is that they’re inherently a flawed idea.
Enter passkeys
Big tech companies know this, and they’ve been working behind the scenes for years to eliminate the need for traditional passwords. However, that’s no small ambition; passwords have been wired into our public consciousness, and thousands of systems worldwide are built to use those as the primary means of authenticating users.
The driving force behind this project is the Fast Identity Online (FIDO) Alliance, an industry coalition made up of an eclectic group of companies that includes tech giants like Apple, Amazon, Google, Meta, and Microsoft, as well as financial heavyweights like AMEX, Mastercard, and VISA, and companies like 1Password, LastPass, Feitian, and Yubico, which specialize in both software and hardware authentication.
The FIDO Alliance has already developed several standards for two-factor physical security keys over the years. Still, one of its ultimate goals is to eliminate the need for a second factor by making the first factor much more secure through something called a “passkey.”
Last year, that initiative got a big boost when Apple added support for passkeys in iOS 16 and macOS Ventura. Now, Google is taking the first step to use that new technology to eliminate passwords entirely.
There are already several sites that support Apple’s passkeys, but most use this as a secondary authentication method. In other words, you can use your iCloud passkey in Safari after you enter your normal password as if it were a physical security key. While that adds a lot of extra security, you still need to enter your password.
However, Google is now ready to use passkeys as the sole means of authentication for all your Google Services. In a blog post appropriately titled “The beginning of the end of the password,” Google has announced that it’s “begun rolling out support for passkeys across Google Accounts on all major platforms.”
Passkeys are optional, but those who opt into the new system can use a passkey instead of a password. For Apple users, that means you’ll be able to sign in to any Google services in Safari on your iPhone, iPad, and Mac simply by authenticating with Face ID or Touch ID, as the passkey will be synchronized to all of your devices using iCloud Keychain.
If you’re using Chrome or another browser or signing in on someone else’s Mac or iPad that’s not using your iCloud account, you’ll be shown a QR code instead. In this case, just open the Camera app on your iPhone, point it at the screen, and tap Sign in with Passkey and you should be good to go.
While iCloud Keychain is one of the easiest solutions for iPhone, iPad, and Mac users to handle passkeys, it won’t be the only option. Popular password manager 1Password, which is also a member of the FIDO Alliance, has announced that you’ll soon be able to store your passkeys there, making it a great solution for those who need to access them on Android or Windows.
As with most new Google features, passkeys will be rolling out gradually, so you may not be able to set one up right away. You can check if they’re available to you by visiting http://g.co/passkeys.
Google Workspace users, including those with school accounts, will need to wait for their administrators to enable the feature; that capability isn’t available yet, but Google says it’s coming “soon.”