Google accounts now support passkeys to replace your password and 2FA: Expect teething problems though


Starting today, Google users can switch to passkeys and ditch their passwords and two-step verification codes entirely when signing in.

Passkeys are a safer, more convenient alternative to passwords being pushed by Google, Apple, Microsoft, and other tech companies aligned with the FIDO Alliance. They can replace traditional passwords and other sign-in systems like 2FA or SMS verification with a local PIN or a device’s own biometric authentication — such as a fingerprint or Face ID. This biometric data isn’t shared with Google (or any other third party), and passkeys only exist on your devices, which provides greater security and protection since there’s no password that could be stolen in a phishing attack.
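As an added illustration (not code from The Verge's article or from Google's implementation), the sketch below shows, with the standard library only, the relying-party checks on a WebAuthn assertion that make a passkey useless to a look-alike site: the browser, not the page, fills in the origin, and the authenticator signs only for the rpId it registered. The rpId, allowed origins and assertion contents are constructed values, and verifying the signature with the public key stored at registration is left out.

```python
import hashlib
import json
import secrets
from base64 import urlsafe_b64decode, urlsafe_b64encode

# Constructed relying-party configuration for this example (not Google's real values).
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://accounts.example.com"}


def b64url(data: bytes) -> str:
    return urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_assertion(expected_challenge: bytes, client_data_json: bytes, auth_data: bytes) -> tuple:
    """Relying-party checks on a WebAuthn assertion; returns (accepted, reason).

    A complete verifier would then check the signature over auth_data || SHA-256(client_data_json)
    against the public key saved at registration; that step is omitted to stay stdlib-only.
    """
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed (possible phishing site)"
    # authenticatorData begins with SHA-256(rpId): the credential is bound to one site.
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:  # flags byte, bit 0 = user present
        return False, "user presence flag not set"
    return True, "ok"


def make_client_data(challenge: bytes, origin: str) -> bytes:
    # Constructed stand-in for the clientDataJSON a browser produces (browser sets origin itself).
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()


def make_auth_data(rp_id: str) -> bytes:
    # rpIdHash (32 bytes) + flags (UP set) + signCount (4 bytes)
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")


def demo() -> dict:
    challenge = secrets.token_bytes(32)
    legit = verify_assertion(challenge, make_client_data(challenge, "https://example.com"), make_auth_data(RP_ID))
    phish = verify_assertion(challenge, make_client_data(challenge, "https://examp1e.com"), make_auth_data(RP_ID))
    replay = verify_assertion(secrets.token_bytes(32), make_client_data(challenge, "https://example.com"), make_auth_data(RP_ID))
    return {"legit": legit[0], "phish": phish[0], "replay": replay[0]}
```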

I’m still holding off on this until my own password manager has a working solution (Bitwarden announced today that their solution is being worked on). But for me, numerous questions still remain, despite this undoubtedly being a more secure solution:

  • What happens if your passkeys are on your primary device, and you lose that? Hopefully everyone has their passkeys backed up and is able to retrieve and actually use them.
  • How do you log into the service to disable lost passkeys, if the passkey is your access to the service?
  • Users get locked into a specific passkey service and then want to leave for another one, e.g. an iPhone user decides to move to Android.
  • If passwords are the weakness, they should be completely removed from a service; otherwise they remain just as risky as if you were still using them. Passkeys will only be as secure as any fallback method, e.g. if a provider uses SMS for backup, then you are running the same risks as if you were using SMS 2FA.
  • Security has always been a trade-off against convenience, so a lot of basic user education is going to be needed; otherwise we run the risk of either having risky fallbacks or locking many users out of their accounts. An account is either secure, or it is not. ‘Marketing messages’ don’t create the security.

See https://www.theverge.com/2023/5/3/23709318/google-accounts-passkey-support-password-2fa-fido-security-phishing