Google Might Have Just Killed Passwords on World Password Day

Google has taken us one step closer to a passwordless future, announcing that it will allow account holders to ditch their passwords and multi-verification (MFA) codes when signing in.

Starting Thursday, 4th May – ironically World Password Day – the tech giant said users can access Google services using passkeys – cryptographic keys that require authenticated devices to log in. 

“We’ve taken a giant step forward on the journey towards a passwordless future,” Google said in a blog post shared on its website. 

“We’ve begun rolling out support for passkeys across Google Accounts on all major platforms. This means users can now take advantage of passkeys across Google Services for a passwordless sign-in experience.”

Passkeys are a safer and more convenient alternative to passwords that replace traditional sign-in systems like passphrases and MFA using a local PIN or a device’s own biometric authentication, such as fingerprints or Face IDs. 

Since this biometric data isn’t shared with Google or any other third parties and passkeys only exist on the users' devices, they provide greater security and protection for users as it removes the possibility of passwords being compromised during a phishing attack. 

The technology is being pushed by the likes of Google, Apple, and Microsoft as well as a number of other tech companies, who have joined forces with the FIDO alliance to make passwordless logins a reality across devices, operating systems and browsers. 

“We’re thrilled with Google’s announcement today as it dramatically moves the needle on passkey adoption due both to Google’s size and to the breadth of the actual implementation — which essentially enables any Google account holder to use passkeys,”  Andrew Shikiar, executive director of FIDO Alliance, said in a statement.

“This implementation will serve as a great example for other service providers and stands to be a tipping point for the accelerated adoption of passkeys.”

A long road ahead

When Google account holders add a passkey to their account, the platform will start prompting for it when they sign in or when it detects suspicious activity that requires additional verification. 

Users can activate passkeys by logging into their Google account. For now, entirely optional,  passwords and other existing multifactor authentication tools are still available. 

We've started rolling out support for passkeys that let users sign in to our products with a fingerprint, a face scan or a screen lock PIN. Starting today, this will be available as an option for Google Account users. https://t.co/wBSIqAfiCe

— Sundar Pichai (@sundarpichai) May 3, 2023

Passkey support is not yet widely adopted, so it is likely the tech giant will continue offering alternative verification options to provide users who do not currently have access to a device that supports biometric authentication with enough time to transition to the new technology.

While Google is encouraging users to switch to passkeys, it appears that their ultimate goal is to transition entirely to passkeys. The company has stated in its blog that it will examine other sign-in methods as passkeys gain broader support and familiarity.

The death of the password

While MFA mechanisms and password managers provide reasonable security enhancements compared to traditional username/password workflows, they are still not without their defects. 

A verification code sent via SMS can be easily intercepted in targeting attacks like SIM swamps, for instance, and there’s nothing stopping threat actors from collecting MFA codes along with usernames and passwords from phishing pages. 

Password managers solve some of these issues by memorising and securing passwords, but, as well as being a hassle for some, come with their own set of security risks. 

Users relying on a single password manager are essentially putting all of their eggs in one basket, and if anything there is anything that can be learnt from the security breach at LastPass last summer – this is not a good idea. 

"Passkeys help address all these issues," Google argues in its blog post. Cybersecurity and digital identity experts agree. 

Eduardo Azanza, CEO of the biometrics authentication platform Veridas, told EM360 he believed the switch from passwords to biometric verification was “the only way forward to properly secure users.”

“The use of face verification means that users’ digital identities can be verified in a simple, agile, and secure way. Passwords can be stolen and leaked on the dark web to commit other crimes such as fraud and identity theft.”

To read more about online verification, visit our dedicated Business Continuity Page. 

“However, as biometrics are linked to a user’s physical identity, they’re much harder to steal. As a result, security teams can accurately identify and verify users, as well as quickly detect fraud, phishing and spoofing techniques.

“Users don’t have to remember dozens of passwords, reset them when they are forgotten or go through double authentication steps. Biometrics will verify and authenticate users within seconds, not leaving the user frustrated, unlike when a password is involved.”

Google’s move to implement passkeys may be the beginning of the end for password and MFA account security. As the tech giant states in its blog post: “Maybe by next year’s World Password Day, you won’t even need to use your password, much less remember it!”