Published on May 6th, 2024
On Thursday, Google revealed that passkeys have become the authentication method for over 400 million Google accounts, utilized for verifying users more than 1 billion times in the last two years.
According to Heather Adkins, Google’s vice president of security engineering, passkeys are lauded for their ease of use and resilience against phishing attempts.
They rely solely on fingerprint scans, face recognition, or a PIN, making them 50% faster than traditional passwords.
Google Passkeys: Embraced By 400 Million Users And Counting!
Google highlights that passkeys now surpass traditional forms of two-factor authentication, like SMS one-time passwords (OTPs) and app-based OTPs, in terms of usage on Google Accounts.
Moreover, Google announced an expansion of Cross-Account Protection, which warns users about suspicious activities related to third-party apps connected to their Google Account, to cover more apps and services.
As part of its Advanced Protection Program (APP), Google plans to offer support for passkeys to high-risk users, including campaign workers, journalists, and activists, in addition to hardware security keys.
Previously, APP mandated the use of hardware security keys as a second factor, but it will now allow enrollment with any passkey, either alongside hardware security keys or using them alone for authentication.
Google introduced passkeys to Chrome in December 2022 and has since implemented the passwordless authentication solution across all Google Accounts by default.
Numerous prominent companies such as 1Password, Amazon, Apple, and others have also embraced passkeys.
This news coincides with Microsoft’s announcement of its intention to support passkeys for consumer accounts on Windows, Google, and Apple platforms, leveraging biometrics or device PINs.
Passkeys function by generating a unique cryptographic key pair, comprising a private key stored on the device and a public key shared with the relevant app or website.
According to Microsoft’s Vasu Jakkal, this uniqueness ensures that passkeys only function with the intended website or app, mitigating the risk of falling for malicious look-alike websites.
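An added example (not from Google, Microsoft or the original article) of the site binding described above: the relying-party checks on a WebAuthn assertion that make a passkey response produced on a look-alike origin unusable at the real site. The domain names, function names and sample values are constructed assumptions, and verifying the signature with the stored public key is left out because Python's standard library has no public-key signature API.

```python
import base64, hashlib, json, struct

RP_ID = "accounts.example"            # assumed relying-party ID of the real site
ORIGIN = "https://accounts.example"   # assumed origin the real site expects

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_assertion(origin, rp_id, challenge, flags=0x05, counter=1):
    """Constructed stand-in for what the browser and authenticator return."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    rp_hash = hashlib.sha256(rp_id.encode()).digest()
    return client_data, rp_hash + struct.pack(">BI", flags, counter)

def check_assertion(client_data, auth_data, expected_challenge):
    """Binding checks a site makes before verifying the signature.
    Returns the list of failed checks; an empty list means all passed."""
    errors = []
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        errors.append("type")
    if cd.get("challenge") != b64url(expected_challenge):
        errors.append("challenge")          # stale or replayed response
    if cd.get("origin") != ORIGIN:
        errors.append("origin")             # page that asked was not ours
    if len(auth_data) < 37:                 # 32 hash + 1 flags + 4 counter
        return errors + ["authData length"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        errors.append("rpIdHash")           # credential scoped to another site
    flags = auth_data[32]
    if not flags & 0x01:
        errors.append("user presence")
    if not flags & 0x04:
        errors.append("user verification")  # no biometric or PIN check
    return errors

if __name__ == "__main__":
    challenge = bytes(range(32))            # constructed sample challenge
    real = make_assertion(ORIGIN, RP_ID, challenge)
    fake = make_assertion("https://accounts.examp1e.test",
                          "accounts.examp1e.test", challenge)
    print(check_assertion(*real, challenge))
    print(check_assertion(*fake, challenge))
```

In a real deployment the signature over the authenticator data and the SHA-256 hash of the client data is what makes these fields trustworthy, so the checks above are only meaningful together with that verification.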
Additionally, passkeys can be managed by third-party password management solutions, offering users greater control over their storage beyond Google Password Manager, iCloud Keychain, and Windows.
Google product managers Sriram Karra and Christiaan Brand explain that passkeys can serve as both first and second factors, allowing users to bypass entering passwords by using the PIN associated with their security key, thereby enhancing security.
Nevertheless, some express concerns that companies may utilize passkeys to lock users into their platforms, with William Brown, a software engineer, highlighting potential limitations in extracting or exporting credentials.