Google has announced that passkeys will now be the default sign-in method for all users, marking the beginning of the end for passwords. The company announced on Tuesday that people will no longer need a password to securely sign in to accounts.
Passkeys enable users to log in to apps and websites using a biometric sensor (such as facial recognition or fingerprint) or a PIN. In contrast to passwords, they are resilient to online threats such as phishing, rendering them a more secure option than methods like SMS one-time codes.
The search engine giant said that the move is being executed after it received positive feedback from users. Google, which introduced passkeys in May, has stated that they offer a more secure and efficient alternative to traditional passwords, eliminating the need for individuals to memorise multiple passwords.
What do we know about passkeys?
Passkeys are a fast, secure, and passwordless approach to logins that utilises the PIN, face, or fingerprint authentication built into our devices. By default, Google account users will receive a prompt to generate a passkey for their account, eliminating the need to manually search through account settings to initiate the setup process.
Although the overarching aim across the company is to eventually establish passkeys as the primary login standard, Google emphasises that passwords will continue to be in use during this transition.
Therefore, users can retain the option to log in to their Google account using conventional passwords, and they have the choice to opt out of using passkeys entirely by disabling the "skip password when possible" setting for their account.
When a passkey is created, two distinct keys are generated: one is retained by the website or service linked to the account, and the other is a private key stored on the device, which is used to authenticate the user's identity.
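The two-key arrangement described above, as an added example (not code from Google or from the original article): a simplified Node.js model in which the device signs the site's challenge together with the origin the browser sees, and the site checks the result with the key it retained. The function names, the example origins and the JSON message layout are assumptions made for illustration and are not the WebAuthn wire format.

```javascript
// Simplified model of a passkey sign-in (illustrative; not the WebAuthn wire format).
const crypto = require('node:crypto');

// Registration: the device generates the key pair and hands the site only the public key.
function register() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, site: { publicKey } };
}

// Device side: after a local biometric or PIN unlock (never transmitted), sign the
// site's challenge together with the origin the browser is actually connected to.
function deviceSign(device, challenge, browserOrigin) {
  const clientData = JSON.stringify({ challenge: challenge.toString('base64url'), origin: browserOrigin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Site side: check the signature with the stored public key, then the origin and challenge.
function siteVerify(site, expectedOrigin, expectedChallenge, assertion) {
  const signed = Buffer.from(assertion.clientData);
  if (!crypto.verify('sha256', signed, site.publicKey, assertion.signature)) return 'bad-signature';
  const data = JSON.parse(assertion.clientData);
  if (data.origin !== expectedOrigin) return 'origin-mismatch';
  if (data.challenge !== expectedChallenge.toString('base64url')) return 'stale-challenge';
  return 'ok';
}

// Constructed scenario: a genuine sign-in, a response produced on a look-alike site,
// the same response with its origin rewritten, and a replay against a fresh challenge.
function demo() {
  const ORIGIN = 'https://accounts.example';         // constructed legitimate origin
  const LOOKALIKE = 'https://accounts-example.test'; // constructed look-alike origin
  const { device, site } = register();
  const challenge = crypto.randomBytes(32);

  const genuine = deviceSign(device, challenge, ORIGIN);
  const relayed = deviceSign(device, challenge, LOOKALIKE);
  const rewritten = { ...relayed, clientData: relayed.clientData.replace(LOOKALIKE, ORIGIN) };

  return {
    genuine: siteVerify(site, ORIGIN, challenge, genuine),
    relayed: siteVerify(site, ORIGIN, challenge, relayed),
    rewritten: siteVerify(site, ORIGIN, challenge, rewritten),
    replayed: siteVerify(site, ORIGIN, crypto.randomBytes(32), genuine),
  };
}

console.log(demo());
```

Only the genuine response is accepted: the site holds nothing that can produce a signature, and a response made for another origin or an earlier challenge fails a check. In real WebAuthn the credential is additionally scoped to the site's identifier, so the browser would not offer it to the look-alike origin in the first place.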
Passkeys created on Android are backed up and synced with Android devices that are signed in to the same Google Account, in the same way as passwords are backed up to the password manager. Consequently, when users switch to new devices, their passkeys accompany them, ensuring a seamless transition.
Privacy concerns around passkeys
Of late, passkeys are being leveraged by a growing array of apps and companies. Companies such as YouTube, Uber and eBay enable users to opt for passkeys for their sign-ins.
Since signing in requires a biometric, users may get the impression that sensitive information is being sent to the server. Concerns surrounding biometrics are also not new. As biometric data is irreplaceable, organisations that collect it in the name of privacy need to treat this data with increased security and caution. While it's possible to change a compromised password or PIN, the same isn't true for an individual's physiological biometrics.
Furthermore, when biometric data is transformed into digital records and stored, especially in regions or nations with extensive surveillance practices, individuals run the risk of creating an enduring digital footprint that malicious entities could potentially trace.
Addressing these concerns, Google has stated that "biometric material will never leave the user's personal device". It added that passkeys on their own don't allow tracking users or devices between sites. "Passkey protocols are carefully designed so that no information shared with sites can be used as a tracking vector," the blog read.
The passkeys will be stored in Google Password Manager, where they will be encrypted end-to-end. The company clarified, "Only the user can access and use them, and even though they're backed up to Google's servers, Google can't use them to impersonate users."