Connect with us

Tech

Over 400 million Google accounts have used passkeys, but our passwordless future remains elusive

Published

2 weeks ago

on

Google is kicking off World Password Day by updating us on its efforts to replace the often hacked, guessed, and stolen form of authentication with passkeys. Their passwordless approach relies on device-based authentication instead, making logging in faster and more secure.

In a blog post on Thursday, the company announced that over 400 million Google accounts (of the at least 1.5 billion reported since 2018) have used passkeys since rolling them out, logging over a billion authentications between them. The majority of users find them easier to use than passwords, according to Google, adding that “since launching, passkeys have proven to be faster than passwords, since they only require users to simply unlock their device using a fingerprint, face scan or pin to log in.”

Google’s passkey milestones suggest that plenty of people are adopting the sign-on tech, but not everyone is convinced by how the rollout is going. Despite support for passkeys from Microsoft, Apple, Google, and third-party login managers like 1Password and Dashlane, plenty of people have posted about their resistance online, ranging from confusion over the need for passkeys to complaints about various bugs or issues users have encountered with them.

What are passkeys?

Passkeys can replace traditional passwords with your device’s own authentication methods. That way, you can sign in to Gmail, PayPal, or iCloud just by activating Face ID on your iPhone, your Android phone’s fingerprint sensor, or with Windows Hello on a PC. 

Built on WebAuthn (or Web Authentication) tech, two different keys are generated when you create a passkey: one stored by the website or service where your account is and a private key stored on the device you use to verify your identity.

Of course, if passkeys are stored on your device, what happens if it gets broken or lost? Since passkeys work across multiple devices, you may have a backup available. Many services that support passkeys will also reauthenticate to your phone number or email address or to a hardware security key, if you have one.

Apple’s and Google’s password vaults already support passkeys, and so do password managers like 1Password and Dashlane. 1Password has also created an online directory listing services that allow users to sign in using a passkey.

“Disappointment in the technology appears to be the norm rather than the exception,” William Brown, who runs the blog Firstyear, said in a post documenting several of these passkey issues. “The helplessness of users on these threads is obvious – and these are technical early adopters. The users we need to be advocates for changing from passwords to passkeys. If these users can’t make it work how will people from other disciplines fare?”

“Passwords have had a good run, we’ve had them for the last 70 years already. We’ve been able to work out most of the kinks with passwords, but they still suck, right?” Christiaan Brand, product manager for identity and security at Google, told The Verge. “The transition path is not always easy, and you will have a whole bunch of very vocal users who used to do things in a very specific way now all telling you that the new thing you’re doing is wrong.”

All of this suggests that the dream of creating a passwordless future will need to coexist alongside more recognized sign-in methods for the foreseeable future. “I think as an industry we need to learn a little bit. We’re trying to work through this and sometimes we make mistakes too,” said Brand. “So we’re making some slight tweaks to certain things we’ve done, but ideally, we need to go out there and show these early adopter services a pathway for doing a conversion that would make sense.”

Brand says that over time, adding friction to the process of using potentially insecure passwords could promote passkeys as the preferred login. “If you use your password to get into your Google account, that also means you couldn’t use your passkey, so either it’s a legitimate user that lost their device, or it’s a bad guy.” Brand gave an example in which users who sign in using a password instead of their passkey may be asked to wait 24 hours to gain access while Google conducts security checks to ensure the account hasn’t been compromised.

In efforts to bolster its security offerings during the upcoming US election, Google also announced that passkeys will soon be supported by its Advanced Protection Program (APP), which provides increased protections to high-profile Google account users like journalists, activists, politicians, and business leaders. APP users will have the option to use passkeys alone or alongside a password or hardware security key.

Cross-Account Protection, which shares security notifications about suspicious activity on a user’s Google account with connected non-Google apps they use, is also being expanded with “additional collaborations.” Google says this will help to better protect billions of users “no matter the platform they’re on” by preventing cybercriminals from gaining access to entry points that could expose users’ other accounts.

Related Topics:
Continue Reading