Google Accounts Now Support Passkey Sign-Ins

Google is taking another step to kill the password. The company now officially supports Google sign-ins through passkeys, a security system designed to one day replace old-school passwords.

The tech giant is now nudging users to try out passkeys when logging into personal Google accounts, which could help drive adoption and awareness of the security technology.  

“Passkeys let users sign in to apps and sites the same way they unlock their devices: with a fingerprint, a face scan, or a screen lock PIN,” the company said in its announcement. “And, unlike passwords, passkeys are resistant to online attacks like phishing, making them more secure than things like SMS one-time codes.”

Indeed, passkeys phase out passwords, which can be stolen via a data breach, malware, or even lucky guesses. Instead, your laptop or smartphone will create a private and unique cryptographic key bound to the device. Your Google account will then issue a digital “challenge” that the passkey can sign and use to unlock access. 

No password data is ever exchanged, denying hackers a chance to steal the login method. When signing in via a passkey, the site will simply ask you to complete a second authentication step, be it a fingerprint scan or screen-lock PIN, to ensure it’s you logging in. 

Passkeys: Pros and Cons

Last year, Google took a major step in supporting security technology by joining Apple and Microsoft in adding support for passkeys on their operating systems and browsers. This opened the door for third-party websites to adopt passkeys. However, Google itself refrained from making passkeys an official sign-in method for user accounts. (Apple, on the other hand, went all in.) 

That changes with today’s rollout, which comes ahead of World Password Day on May 4. Google has added passkeys as a dedicated sign-in method on its own official page. Still, users may have questions about how the technology works in practice. 

In a separate blog post, Google notes: “Using passkeys does not mean that you have to use your phone every time you sign in. If you use multiple devices, e.g. a laptop, a PC, or a tablet, you can create a passkey for each one.” In other cases, such as Google and Apple, the passkey can be backed up into the cloud. 

“For example, if you create a passkey on your iPhone, that passkey will also be available on your other Apple devices if they are signed in to the same iCloud account. This protects you from being locked out of your account in case you lose your devices,” the company added. A user can also revoke a passkey via their iCloud or Google account if the device has been lost or stolen. 

There are some limitations, though. For now, you can still sign into a Google account with a password, so a hacker could break in even with passkeys enabled if they have your password.

"However, creating a passkey today still comes with security benefits as it allows us to pay closer attention to the sign-ins that fall back to passwords," Google says. "Over time, we'll increasingly scrutinize these as passkeys gain broader support and familiarity."

The other problem is that Google only supports passkeys on Chrome, Edge, and Safari. Users on other browsers will have to fall back on other login methods. Passkeys can also be created on devices that run Windows, macOS, Android, iOS, and Google’s Chrome OS. But there’s no support for Linux yet. 

On top of all this, passkey implementations can get messy. Along with Google, Microsoft and Apple also support passkeys. But last week at RSA, Google Product Manager Christiaan Brand pointed out that passkeys you create can’t be shared across each company’s platforms. So you may find yourself creating several passkeys for a single Google account, depending on what browsers and operating systems you use across your devices.

Google has created a dedicated support document with more information on signing in with passkeys. The company adds that security keys should only be created on private devices. If you want to log in to a Google account on a shared or temporary computer, you can enable a one-time sign-in using the passkey stored on your phone. 

“On the new device, you’d just select the option to ‘use a passkey from another device" and follow the prompts,” Google adds. “This does not automatically transfer the passkey to the new device, it only uses your phone's screen lock and proximity to approve a one-time sign-in.”_PCMag