Google says passkeys are now used by over 400 million accounts, and over a billion sign-ins

Alfonso Maruccia

Forward-looking: Big tech companies are proposing the use of passkeys as a more secure and easy-to-use alternative to traditional passwords. Microsoft has hailed passkeys as the future of authentication, stating that they eliminate the need for the "complex" password creation process and the hassle of remembering (or storing) them.

Google introduced support for passkeys in 2022 during World Password Day. Now, the company is revealing how far the authentication technology has come and where it is heading. According to the search giant, passkeys have been used as an authentication measure over 1 billion times, across 400 million-plus Google accounts.

Google highlights how passkeys are resistant to phishing, as they rely on fingerprints, face scans, or PINs for user authentication. They are 50 percent faster than passwords, and they are now the most used authentication method on Google accounts when compared with "legacy" technologies such as SMS-based one-time passwords (OTP) or app-based OTPs.

Google will soon start supporting passkeys in the company's strongest security offering, the Advanced Protection Program. APP has been designed to protect high-risk users such as campaign workers and candidates, journalists, human rights workers, activists, and more. The authentication method usually requires a hardware security key as a second factor, but it will soon support passkeys as well.

APP support for passkeys will be critical during this year's elections, Google added.

Another significant improvement for passkey adoption is the ability of third-party password vendors to use Google's passkey management APIs on Android and other operating systems. Popular password managers such as Dashlane and 1Password can now provide passkey support, an important update that gives users more control along with the ability to store passkeys on security keys.

The technology industry is showing significant support for passkey-based authentication, and the list of Google's partners keeps growing. In just 12 months, early adopters of the technology (eBay, Uber, PayPal, WhatsApp) were joined by Amazon, 1Password, Dashlane, DocuSign, Kayak, Mercari, Shopify, and Yahoo! Japan.

In explaining how the technology works, Google stated that passkeys will replace passwords and essentially solve the many issues brought to the industry by a password's inherent vulnerability. Even more sophisticated security measures such as multi-factor authentication, SMS messages, and authentication mobile apps will be replaced by passkeys, Google predicts.

Can existing U2F or FIDO keys be used as passkeys?

I don't like the idea of my fragile, theft-prone, tied-to-a-phone-number cell phone being the proof of my identity.
Can existing U2F or FIDO keys be used as passkeys?

I don't like the idea of my fragile, theft-prone, tied-to-a-phone-number cell phone being the proof of my identity.

Short answers: yes, depending on authentication device; it doesn't need to be tied to your phone.

The marketing around passkeys has kind of sucked, tbh. They're just 'standard' public key encryption, but largely invisible to the user and where the service you're logging into has the public key and your authenticator has the private key. Your authenticator can be Google's authentication app, some other authentication app, or a lot of the popular existing password vaults that have added support for passkeys. If you put it on something like an app, where the public key never leaves your hardware, then, yeah, if you lose your device and don't have another way to log into your account, that is it. There are probably ways to generate multiple passkeys for each account - one for each of your devices, for example - but that will depend on the service. IMO, this is why I use a password vault, so that it is not tied to just one device and so it can be used on desktop and mobile without trying to involve QR codes and bluetooth connections.

As for U2F and FIDO: if the authenticator supports it, then you can still use that. So, your login chain would look like:

1. log into authenticator
2. provide hardware key authentication to complete log-in
3. go to service you're trying to log into
4. authenticator gets public key challenge and authenticates it against the private key
5. you're logged on

So, it eliminates passwords on the online services, and even if they were to intercept your public key, they could really only spoof the login and maybe trick you into revealing information during a session - it wouldn't get them the data in the account itself, nor control of the account itself.