Google rolls out passkeys for account users, takes 'major step' towards the end of passwords
Screengrabs of Google passkey as shown in the blog post. (Images: Google)
SINGAPORE: Tired of trying to remember dozens of passwords and having to reset them? Google on Wednesday (May 3) rolled out passkeys to all account users.
Passkeys let users sign in to apps and websites the same way they unlock their devices: With a fingerprint, face scan or screen lock PIN.
Calling it a "major step towards a passwordless future", Google said in a blog post that passkeys are the "easiest and most secure way" to sign in to apps and websites.
Support for passkeys will be rolled out across Google Accounts on all major platforms, it added. These passkeys will be an additional option that people can use to sign in, alongside passwords and two-step verification.
"For some time we and others in the industry have been working on a simpler and safer alternative to passwords. While passwords will be with us for some time to come, they are often frustrating to remember and put you at risk if they end up in the wrong hands," said Google.
Passkeys are more secure than passwords and are resistant to online attacks such as phishing, added the blog post.
Services like Docusign, Kayak, PayPal, Shopify, and Yahoo! Japan have already integrated passkeys to simplify the sign-in process for their users.
Google Account users can try passkeys out at g.co/passkeys.
For Google Workspace accounts, administrators will soon have the option to enable passkeys for their end-users during sign-in.
SECURITY ISSUES
Professor Zhou Jianying, co-centre director for iTrust at the Singapore University of Technology and Design (SUTD), said using passkeys will reduce users’ burden to remember various passwords for different accounts while making authentication secure.
"However, this is based on the assumption that passkeys are securely stored. If your device can be easily hacked, then your passkey will be compromised," he added.
Associate Professor Chang Ee-Chien, from the National University of Singapore's School of Computing, said that because a passkey is stored on the user's mobile device, it will be very difficult for attackers to steal it remotely.
"To steal the passkey, an attacker needs to have physical access to the mobile phone, and (be) able to unlock it. This is much more difficult than (stealing) a password," he added.
For non-critical applications, Prof Zhou said that passwords are sufficient for authentication and access control, and security can be enhanced with two-factor authentication.
Passwords or passkeys only provide a first line of defence. Critical applications require a second line of defence, he added.
“We cannot solely rely on a single security solution to address all security problems," he said.
