Boost your security by creating a passkey to sign in and make changes to your Google account instead of using the password and one-time security codes.
- Google has enabled support for the passkeys feature for Google accounts.
- The announcement came ahead of tomorrow’s World Password Day.
- Apple’s platforms have supported passkeys since iOS 16.
Passkeys for Google accounts have arrived
Google previously enabled support for passkeys in its Chrome and Android software. And now, passkeys are coming to Google accounts as an optional password alternative. According to Google’s Keyword blog, this is yet another option for people to sign in, alongside passwords, 2-step verification, etc.
You must manually turn on this option for your Google account on a per-device basis. With passkeys enabled, you can securely sign in to your Google account using Touch ID, Face ID, screen lock or a hardware security key that supports the FIDO2 protocol. This feature requires at least Safari 16, Edge 109 or Chrome 109.
Passkeys are a new way to sign in to apps and websites. They’re both easier to use and more secure than passwords, so users no longer need to rely on the names of pets, birthdays or the infamous “password123.”
Instead, passkeys let users sign in to apps and sites the same way they unlock their devices: with a fingerprint, a face scan or a screen lock PIN. And, unlike passwords, passkeys are resistant to online attacks like phishing, making them more secure than things like SMS one-time codes.
Starting today, you’ll see an option to use passkeys when logging in to your Google account. This may take a few days or weeks to roll out to all users.
How to enable passkey login for my Google account?
You can turn on this option by visiting a special page on the Google website in your browser, clicking the option to create a passkey and following the instructions.
- Sign in to your Google account at accounts.google.com.
- Click Security in the lefthand column.
- Now click Passkeys under How you sign in to Google in the righthand column.
- Click the Create a passkey button, then choose Continue.
- Responds positively when asked whether to save a passkey.
“If your account has 2-Step Verification or is enrolled in the Advanced Protection Program, you will bypass your second authentication step by signing in with a passkey since this verifies that you have possession of your device,” according to a support document on the Google Account Help.
What are passkeys? How do they work?
Passkeys is a new authentication standard set by the FIDO Alliance to kill the password. In 2022, Apple debuted passkeys support as a major step toward a “passwordless future” across iOS 16, iPadOS 16 and macOS Ventura.
Following the passkeys adoption by Apple, both Google and Microsoft have pledged to support passkeys in their products, and they’re now fulfilling their promises.
On Apple’s devices, passkeys use the Web Authentication API through iCloud Keychain. With passkeys, you sign in to a compatible website or app without typing a password. Instead, you use biometric security features like Face ID or Touch ID.
Your passkeys sync across devices via iCloud. You can even use a passkey on your iPhone or iPad to sign in to another device. Security is guaranteed because passkeys use asymmetric encryption.
“During account registration, the operating system creates a unique cryptographic key pair to associate with an account for the app or website,” clarifies a support document on the Apple website. “These keys are generated by the device, securely and uniquely, for every account.”
Security and privacy considerations
Passkeys are more convenient than passwords, but remember that anyone who can unlock your device can sign back into your Google account with the passkey.
As we saw with the infamous case of shoulder surfing, where iPhone thieves are locking people out of their accounts and draining their bank accounts, this threat shouldn’t be taken lightly at all—create a complex alphanumeric passcode on your device to make it hard for others to unlock your lost, stolen or unattended device.
As mentioned, passkeys must be created separately on each device you own. To reduce the chance of a breach, you’re advised to avoid creating passkeys on your other devices. For example, you could use passkeys created on your iPhone to sign in to apps and websites on your Mac or another device.
In Google’s case, that means the following:
When you sign in on a computer with a passkey for the first time, a QR code appears on the computer. To sign in, scan the QR code with your phone’s camera. The next time you sign in with this computer and phone combination, you won’t need to scan a QR code.
Remember that passkeys won’t work unless your device’s screen lock is turned on (if you use Face ID or Touch ID, it’s already on). Also, the Skip password when possible option must be toggled on in the Security section of your Google account.