#CyberMonth: Google Makes Passkeys Default Sign-In Option

Google has announced it is making passkeys the default sign-in option for all users as part of efforts to shift towards passwordless authentication.

The move, announced during the annual Cyber Security Awareness Month (CSAM) campaign, comes five months after Google first rolled out support for passkeys.

Following “really positive feedback” from users, the tech giant is now offering passkeys as the default option across personal Google Accounts.

This means the next time users sign into their accounts, they will receive prompts to create and use passkeys. Additionally, users will see a ‘Skip password when possible’ option toggled on in their Google Account settings.

Google’s announcement comes amid initiatives by big tech companies to reduce reliance on passwords. In May 2022, Apple, Microsoft and Google announced plans to support the FIDO Alliance and World Wide Web Consortium (W3C) standard, enabling users to automatically access their FIDO sign-in credentials or passkey on their devices, including new ones, without needing to re-enroll each account.

Other big firms, including eBay and Uber, have also recently enabled passkeys for user accounts.

“We’ll continue encouraging the industry to make the pivot to passkeys - making passwords a rarity, and eventually obsolete,” stated Google.

Are Passkeys More Secure than Passwords?

Passkeys enable users to sign in to apps and websites with a biometric sensor, such as fingerprint or facial recognition, or with a PIN or pattern. A passkey is tied to a user account and a website or application, enabling authentication to take place without a username or password, or any additional authentication factor.

Google argues this approach is far more secure and offers a better user experience than using a combination of a password and MFA option. This is because:

  • Passkeys are phishing resistant as they work only on their registered websites and apps. Therefore, a user cannot be tricked into authenticating on a deceptive site because the browser or OS handles verification.
  • Developers only need to store a public key on the server instead of a password, so there is far less value for a bad actor in hacking into servers.
  • Passkeys remove the need for MFA, which cyber-criminals are becoming increasingly adept at bypassing.
  • Users do not need to remember their username and password, speeding up the process of signing in.
  • Once a passkey is created and registered, the user can seamlessly switch to a new device and immediately use it without needing to re-enroll. This differs from traditional biometric authentication, which requires setup on each device.
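
The first two points above can be seen in the checks a website's server runs on a passkey sign-in. The following is an added example, not code from Google or from this article: a simplified WebAuthn assertion check in Node.js, in which the relying party `example.com`, the second origin `login.example.net` and the simulated authenticator are assumptions, and attestation, key parsing and signature counters are left out.

```javascript
// Added example: server-side checks on a passkey (WebAuthn) assertion.
// RP_ID, ORIGIN and the simulated authenticator are assumptions, not real data.
const nodeCrypto = require('node:crypto');
const sha256 = (b) => nodeCrypto.createHash('sha256').update(b).digest();

const RP_ID = 'example.com';
const ORIGIN = 'https://example.com';

// Stand-in for browser + authenticator (constructed test data).
// In a real flow the browser, not the web page, fills in `origin`.
function makeAssertion(privateKey, challenge, origin, rpId) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  const flags = Buffer.from([0x05]);            // user present | user verified
  const authenticatorData = Buffer.concat([sha256(rpId), flags, Buffer.alloc(4)]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  const signature = nodeCrypto.sign('sha256', signed, privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Server side: needs only the stored public key and the challenge it issued.
function verifyAssertion(a, publicKey, expectedChallenge) {
  const c = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (c.type !== 'webauthn.get') return 'bad-type';
  if (!Buffer.from(c.challenge, 'base64url').equals(expectedChallenge)) return 'bad-challenge';
  if (c.origin !== ORIGIN) return 'bad-origin';           // signed on another site
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'bad-rp-id';
  if ((a.authenticatorData[32] & 0x01) === 0) return 'user-not-present';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad-signature';
}

function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const challenge = nodeCrypto.randomBytes(32);
  const good = makeAssertion(privateKey, challenge, ORIGIN, RP_ID);
  // Worst case: a signature made while the user was on a different origin.
  const other = makeAssertion(privateKey, challenge, 'https://login.example.net', 'login.example.net');
  // An unrelated key pair: the stored public key cannot be used to sign.
  const stranger = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const forged = makeAssertion(stranger.privateKey, challenge, ORIGIN, RP_ID);
  return {
    good: verifyAssertion(good, publicKey, challenge),
    otherOrigin: verifyAssertion(other, publicKey, challenge),
    staleChallenge: verifyAssertion(good, publicKey, nodeCrypto.randomBytes(32)),
    forged: verifyAssertion(forged, publicKey, challenge),
  };
}
console.log(demo());
```

The origin and relying-party ID are covered by the signature, so editing them after the fact yields `bad-signature` rather than a pass.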
