Google is taking a big step toward making passkeys the default login option for its users. Starting today, users logging in to personal Google accounts will be prompted to create and use passkeys instead of passwords when possible. (Passwords will still be used in some contexts where passkeys are not yet supported.)
Built on the WebAuthn standard, passkeys seek to replace passwords by leaning on your local device’s authentication method, like biometrics or a PIN. We’ve published a couple of articles explaining passkeys in detail and answering common questions about them, but the very short explanation is that your operating system creates a unique, local pair of keys to match your account for a website, service, or application. One key is on the server, but the other (the one you need to sign in) is local.
Here’s how Google describes them:
Passkeys are a new way to sign in to apps and websites. They’re both easier to use and more secure than passwords, so users no longer need to rely on the names of pets, birthdays or the infamous “password123.” Instead, passkeys let users sign in to apps and sites the same way they unlock their devices: with a fingerprint, a face scan or a screen lock PIN. And, unlike passwords, passkeys are resistant to online attacks like phishing, making them more secure than things like SMS one-time codes.
Passkeys can be more secure than passwords in part because they ensure that you have a separate key for each account, protecting you from big password leaks, but they’re also easier to use because you don’t have to remember a password. Many of us have been using password managers like 1Password for a while, and passkeys will feel to some like a natural progression from that.
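The key-pair sign-in and the phishing resistance described above, as an added Node.js example that is not from Google or the article. It is a simplified model rather than the real WebAuthn message format, and the class, function names and origins are constructed for illustration.

```javascript
// Simplified model of a passkey sign-in; NOT the real WebAuthn message format.
const nodeCrypto = require('node:crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();
const hostOf = (origin) => new URL(origin).hostname;

// The device: one key pair per site; private keys never leave it.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const pair = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.keys.set(hostOf(origin), pair.privateKey);
    return pair.publicKey; // only the public half is sent to the server
  }
  // `origin` is supplied by the browser, not chosen by the page or the user.
  sign(origin, challenge) {
    const privateKey = this.keys.get(hostOf(origin));
    if (!privateKey) return null; // no passkey exists for this site
    const clientData = JSON.stringify({ challenge, origin });
    const signed = Buffer.concat([sha256(hostOf(origin)), sha256(clientData)]);
    return { clientData, signature: nodeCrypto.sign('sha256', signed, privateKey) };
  }
}

// Server side: check challenge, origin, then the signature with the stored public key.
function verifyAssertion(expected, publicKey, assertion) {
  if (!assertion) return false;
  const { challenge, origin } = JSON.parse(assertion.clientData);
  if (challenge !== expected.challenge || origin !== expected.origin) return false;
  const signed = Buffer.concat([sha256(hostOf(expected.origin)), sha256(assertion.clientData)]);
  return nodeCrypto.verify('sha256', signed, publicKey, assertion.signature);
}

function demo() {
  const site = 'https://accounts.example';        // constructed origins
  const lookalike = 'https://accounts-example.test';
  const device = new Authenticator();
  const sitePublicKey = device.register(site);
  const newChallenge = () => nodeCrypto.randomBytes(16).toString('hex');
  const expected = { origin: site, challenge: newChallenge() };
  const check = (a) => verifyAssertion(expected, sitePublicKey, a);
  const genuine = check(device.sign(site, expected.challenge));
  const noPasskeyOnLookalike = check(device.sign(lookalike, expected.challenge));
  const lookalikePublicKey = device.register(lookalike);
  const lookalikeWithOwnKey = check(device.sign(lookalike, expected.challenge));
  const staleChallenge = check(device.sign(site, newChallenge()));
  const der = (key) => key.export({ type: 'spki', format: 'der' });
  const distinctKeysPerSite = !der(sitePublicKey).equals(der(lookalikePublicKey));
  return { genuine, noPasskeyOnLookalike, lookalikeWithOwnKey, staleChallenge, distinctKeysPerSite };
}
console.log(demo());
```

Only the sign-in performed on the genuine origin with the server's current challenge verifies. A response produced on the lookalike origin is rejected whether or not a passkey exists there, because the origin is part of what gets signed.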
Google has been experimenting with passkeys across numerous products, including Chrome, over the past year. It went wide with passkey support for personal Google accounts in May, but users had to opt in to it by visiting a specific webpage that wasn’t widely publicized. With this new change, all users with personal Google accounts will be prompted to try passkeys out. Users who want to forgo passkeys can uncheck the “skip password when possible” option in their accounts.