Google has unveiled a huge update that signals ‘the beginning of the end’ for using passwords to access Gmail accounts.
The web giant has started to roll out its new passkey technology, which will allow billions of users to sign in to websites and apps the way they unlock a device — with a fingerprint, face scan or a device PIN that can verify their identity.
It is expected that the new type of online sign-in will eventually replace passwords, although it will be a while before this happens because the technology is still in its infancy.
Experts say it will allow people to access and use their new password-less sign-in credentials – or passkey – across different devices.
This will prevent them from having to sign in to every account again on each device, reducing the risk of using easily-guessable passwords and therefore creating a more secure system.
The technology has also been rolled out in Apple’s iOS 16 and the latest macOS release, while Microsoft has been offering it through the Authenticator app.
WHAT ARE PASSKEYS AND HOW DO I SET THEM UP?
Passkeys are a new way to sign in to apps and websites.
Tech giants say they are both easier to use and more secure than passwords, so users no longer need to rely on the names of pets, birthdays or the infamous ‘password123’.
Instead, passkeys let people sign in to apps and sites the same way they unlock their devices: with a fingerprint, a face scan or a screen lock PIN.
To create one for your Google account, follow the steps below:
1. Go to g.co/passkeys
2. Enter your password to access your account
3. Click ‘Create a passkey’
4. Select ‘Continue’ to set one up for the device you are using, or ‘Use another device’ for a different one
5. Place your fingerprint on your device as you normally would to unlock it and the passkey will be created
eBay, PayPal and DocuSign already support passkeys, too, along with a number of other businesses.
The standard was created by the industry body the FIDO (Fast Identity Online) Alliance and the World Wide Web Consortium, with Google, Apple and Microsoft as the primary drivers.
The tech giants said the new system also allows people to use a fingerprint or facial scan authentication on their smartphone as a way of signing in on another device nearby, regardless of which operating system or browser they are running.
This is a feature already in place for Apple devices, where someone wearing an Apple Watch can unlock a phone or MacBook.
This reduces the need for people to remember a wide range of username and password combinations to log in to different services, which has often led to passwords being reused across multiple accounts.
Experts have previously warned that this is one of the biggest security risks in the digital world.
Users can create and store a passkey on any compatible device they use – such as iPhones running iOS 16 and Android devices running Android 9.
They will also be able to sync it to other devices through the operating system, using services such as iCloud, or through password managers like Dashlane and 1Password.
To set one up, visit g.co/passkeys.
Enter your password to access your account, then click ‘Create a passkey’.
You will be asked to select ‘Continue’ to set one up for the device you are using, or ‘Use another device’ for a different one.
Once you’ve done this, you will be asked to place your fingerprint on your device as you normally would to unlock it, at which point the passkey will be created.
If at any point you suspect someone else can access your account, or if you lose the only device that the passkey is stored on, you can revoke passkeys in the Google account settings.
The technology works by storing a cryptographic private key on the user’s device, while a corresponding public key is uploaded to Google.
When a user signs in, the device uses the private key to sign a unique challenge issued for that sign-in attempt, producing a signature.
This signature is in turn verified using the public key, which then allows the user to access their account.
Google never sees the private key or biometrics used, only the signature generated and the public key.
The internet giant says this will prevent people using phishing, SIM-swap and other methods to obtain passwords or bypass existing authentication methods.
However, Google stresses that users should never create passkeys on a shared device, because anyone who can access and unlock that device would then be able to access your Gmail account.
‘While passwords will be with us for some time to come, they are often frustrating to remember and put you at risk if they end up in the wrong hands,’ Google said in its announcement.
‘Last year – alongside FIDO Alliance, Apple and Microsoft – we announced we would begin work to support passkeys on our platform as an easier and more secure alternative to passwords.
‘And today, we’ve begun rolling out support for passkeys across Google Accounts on all major platforms.
‘They’ll be an additional option that people can use to sign in, alongside passwords, 2-Step Verification (2SV), etc.’
Despite the rollout, Jake Moore, global cybersecurity adviser at ESET, said we are still a long way from the end of the password.
But he added that ‘at least Microsoft, Google and Apple are attempting to pave the way to make account access more secure as well as convenient’.
‘It isn’t something that can be achieved overnight but it highlights that more needs to be done when it comes to people’s password security.’
Andrew Shikiar, executive director of FIDO Alliance, said: ‘We’re thrilled with Google’s announcement today as it dramatically moves the needle on passkey adoption due both to Google’s size, and to the breadth of the actual implementation — which essentially enables any Google account holder to use passkeys.
‘I also think that this implementation will serve as a great example for other service providers and stands to be a tipping point for the accelerated adoption of passkeys.’
FIDO: PASSWORDLESS AUTHENTICATION FOR WEBSITES
Based on free and open standards from the FIDO Alliance, FIDO Authentication enables password-only logins to be replaced with secure and fast login experiences across websites and apps.
The FIDO protocols use standard public key cryptography techniques to provide stronger authentication.
During registration with an online service, the user’s client device creates a new key pair. It retains the private key and registers the public key with the online service.
Authentication is done by the client device proving possession of the private key to the service by signing a challenge.
The client’s private keys can be used only after they are unlocked locally on the device by the user.
The local unlock is accomplished by a user-friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.
The FIDO protocols are designed from the ground up to protect user privacy.
The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information, if used, never leaves the user’s device.
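The challenge-response flow described above, both in the article’s account of how Google’s passkeys work and in the FIDO description here, is modelled in the following Go program. It is an added example, not code from Google or the FIDO Alliance: the relying party, authenticator, origin string and the `origin + NUL + challenge` message layout are simplifications chosen for illustration, and Ed25519 stands in for whichever key type a real authenticator uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// RelyingParty models the online service (Google, in the article): it holds public keys only.
type RelyingParty struct {
	Origin string
	Users  map[string]ed25519.PublicKey // username -> public key registered from the device
}

// Authenticator models the user's device; the private key is created here and never leaves.
type Authenticator struct{ priv ed25519.PrivateKey }

// Register generates the key pair on the device and uploads only the public key.
func Register(rp *RelyingParty, user string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.Users[user] = pub
	return &Authenticator{priv: priv}, nil
}

// NewChallenge issues a fresh random challenge per sign-in so a captured signature cannot be replayed.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedMessage binds the challenge to the origin the browser saw (a simplified stand-in for
// WebAuthn's signed client data); a look-alike site can therefore only obtain a useless signature.
func signedMessage(origin string, challenge []byte) []byte {
	return append([]byte(origin+"\x00"), challenge...)
}

// Assert signs only after a local unlock; unlocked models the fingerprint/PIN check, whose data stays on the device.
func (a *Authenticator) Assert(unlocked bool, origin string, challenge []byte) ([]byte, bool) {
	if !unlocked {
		return nil, false
	}
	return ed25519.Sign(a.priv, signedMessage(origin, challenge)), true
}

// Verify checks the signature with the stored public key against the service's own origin.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.Users[user]
	return ok && ed25519.Verify(pub, signedMessage(rp.Origin, challenge), sig)
}
```

Because the origin is part of what is signed, a signature produced for a look-alike domain fails verification at the genuine service, and because each challenge is fresh, a recorded signature fails against the next sign-in.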