Google hammered another nail in the coffin for passwords Tuesday when it announced it’s making passkeys the default login method for its personal accounts.
That means when users sign in to their personal accounts, they’ll see a prompt to create and use a passkey — typically a face scan, fingerprint, or PIN — as well as the “Skip password when possible” option turned on in their account settings.
While passkeys represent a significant advancement in biometric authentication methods, Google will allow users to opt out of using them by turning off the “Skip password when possible” setting.
According to a company blog post written by Google Senior Product Manager Sriram Karra and Group Product Manager Christiaan Brand, passkeys are 40% faster to use than passwords and rely on a kind of cryptography that makes them more secure.
Google also found, the pair wrote, that one of the most immediate benefits of passkeys is that they spare people the headache of remembering all those numbers and special characters in passwords. Passkeys are also phishing resistant, they added.
“Google’s announcement today on officially making passkeys the default login is another milestone on the journey toward a truly passwordless future,” declared Steve Won, chief product officer at 1Password, a password manager software maker in Toronto.
“Billions of users can now live without passwords with arguably their most important login, removing the most common vector for security breaches — stolen credentials,” he told TechNewsWorld.
Moving Passkey Adoption Needle
Google’s decision will move the needle on the adoption of passkeys, asserted Tony Goulding, a cybersecurity evangelist at Delinea, a provider of privileged access management solutions, in Redwood City, Calif.
“In my view,” he told TechNewsWorld, “Google’s decision represents the most promising initiative yet — albeit, building on the foundation laid by FIDO2, which has been around for some time — to finally achieve the dream of a ‘passwordless’ future.”
“Given how many people use Google services, this will definitely move the needle for publicly accessible applications,” added Ron Arden, CTO and COO of Fasoo, a provider of enterprise data protection solutions in Bethesda, Md.
“Most large enterprises use MFA [multi-factor authentication] already, but need to move beyond MFA tied to passwords,” he told TechNewsWorld. “This may drive the market faster, making companies move faster.”
Both enterprises and consumers are adopting passwordless solutions across various sectors, noted Ricardo Amper, founder and CEO of Incode Technologies, an international identity verification and biometric authentication company. “Google’s policy change underscores the growing demand for seamless and highly secure authentication methods,” he told TechNewsWorld.
“This transition from traditional passwords empowers individuals to take greater control of their data,” he added, “especially in response to the ever-evolving landscape of cyber threats.”
Running Out of Passwords
Eduardo Azanza, CEO of Veridas, a global biometric identification and authentication solution provider based in Madrid, pointed out that traditional password systems have been shown to fail time and time again, as huge volumes of credentials are stolen every day.
“As the digital threat landscape evolves, cybersecurity and online practices must evolve with it,” he told TechNewsWorld. “Therefore, the move by Google to set passkeys as the default sign-in credential is a strong message that we are moving toward a passwordless future.”
Aside from being more convenient to use and more secure, passkeys have another benefit. “Passkeys solve one of the untold issues of today’s user — we’ve finally run out of passwords,” observed Ben Chappell, CEO of Apona Security, an application security company in Roseville, Calif.
“I’ve personally run through hundreds of passwords in my professional life,” he told TechNewsWorld. “Like most users, it’s to the point where I struggle to create a new password, much less remember it.”
“The move by Google is far overdue and will greatly increase adoption of passkeys over passwords,” he added.
The move will likely have a ripple effect throughout the tech industry, predicted Roger Grimes, a defense evangelist at KnowBe4, a security awareness training provider in Clearwater, Fla.
“Anytime Google updates a default,” he told TechNewsWorld, “not only does that significantly increase usage of the item on the Google platforms, but forces the other major players, like Microsoft, to respond.”
Challenges to Passkey Tech Adoption
Despite the benefits passkeys offer to consumers and businesses, adoption of the technology has been slow. “Out of more than a billion websites that exist, only around 55 currently support passkeys,” said Darren Guccione, CEO of Keeper Security, a password management and online storage firm in Chicago.
“This limited support can be attributed to several factors, including underlying platform support, website changes, and the fact that it’s not a default setting, so the user must take action to configure or set it up,” he told TechNewsWorld.
“Consistent support from major platforms and browsers is key in promoting widespread adoption of the technology,” he maintained.
“As the big players, such as Amazon, Google, Apple, and Microsoft, move to adopt passkeys and make it mandatory, others will naturally get on board,” added Timothy Morris, chief security advisor at Tanium, a maker of an endpoint management and security platform, in Kirkland, Wash.
“Major breaches involving social engineering will also serve to accelerate adoption,” he told TechNewsWorld, “because passkeys are simply more secure and can mitigate the risk of stolen credential attacks.”
Conditions Ripe for Passkey Implementation
Indeed, conditions appear to be ripe for adoption acceleration.
“The infrastructure for users is largely in place now that Apple, Google, and Microsoft have launched operating systems that accommodate passkeys,” said James E. Lee, chief operating officer for the Identity Theft Resource Center, a nonprofit organization devoted to minimizing risk and mitigating the impact of identity compromise and crime, in San Diego.
“Now, website owners will need to adapt their infrastructures to receive passkeys for adoption to accelerate for internal and external use,” he told TechNewsWorld.
Won asserted that ongoing education and adoption by leading players like Google will continue to validate the urgency to adopt passkeys because users will demand the convenience.
“The next six months will be an important window for adoption,” he predicted. “We need to continue focusing on creating cross-platform ubiquity for apps and services so developers can easily implement passkey authentication.”
Guccione reasoned that passkey adoption would be similar to credit card adoption. “Today,” he said, “just as cash coexists with credit cards and contactless payments, passkeys can coexist with traditional passwords.”
“As awareness grows and technology advances,” he continued, “we may see a gradual increase in adoption, but it won’t be quick, and it’ll take time before it’s ubiquitous. Credit cards are now widespread, yet cash still exists. We can expect the same for passkeys for the foreseeable future.”