Google is rolling out passwordless secure sign-in with passkeys for Google Accounts on all platforms.
Passwords are essential to protect services and data online, but when obtained by threat actors they can pose a risk to users.
Although the IT giant has implemented defenses like 2-Step Verification and Google Password Manager, it recognizes that really addressing password issues requires adopting passwordless solutions. This means that when users sign in to a website or app on their phone, they simply unlock the phone and no longer need a password for the account.
In 2022, Google announced it would begin work to support passkeys on its platform to replace passwords. The day has come, and Google has begun rolling out support for passkeys across Google Accounts on all major platforms.
“passkeys let users sign in to apps and sites the same way they unlock their devices: with a fingerprint, a face scan or a screen lock PIN. And, unlike passwords, passkeys are resistant to online attacks like phishing, making them more secure than things like SMS one-time codes.” reads the announcement published by the company. “Over the past year we’ve shared updates on bringing passkey experiences to both Chrome and Android, which services like Docusign, Kayak, PayPal, Shopify and Yahoo! Japan have already deployed to streamline sign-in for their users. Starting today, this will be available as an option for Google Account users who want to try a passwordless sign-in experience.”
Passkeys are stored only on the users’ devices (PCs, smartphones, tablets); to use one, it is enough to unlock the device with a PIN or screen-lock biometrics (e.g. face recognition, fingerprints).
“When you use a passkey to sign in to your Google Account, it proves to Google that you have access to your device and are able to unlock it. Together, this means that passkeys protect you against phishing and any accidental mishandling that passwords are prone to, such as being reused or exposed in a data breach.” reads a post published by Google. “This is stronger protection than most 2SV (2FA/MFA) methods offer today, which is why we allow you to skip not only the password but also 2SV when you use a passkey.”
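Passkeys are WebAuthn credentials, and the phishing resistance described above rests on checks the sign-in server runs on every assertion it receives. The Python below is an added example, not Google's code and not part of the original article: the origin and RP ID are placeholder assumptions, the sample data is constructed, and verifying the signature against the stored public key (which needs a crypto library) is left out.

```python
import base64, hashlib, json

EXPECTED_ORIGIN = "https://accounts.example"  # assumption: placeholder origin
RP_ID = "accounts.example"                    # assumption: placeholder RP ID

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    issued_challenge: bytes, require_uv: bool = True) -> str:
    """Return "ok" or the reason a sign-in assertion is rejected."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return "malformed clientDataJSON"
    if not isinstance(client, dict) or client.get("type") != "webauthn.get":
        return "wrong type"
    # The challenge is a one-time value this server issued for this sign-in.
    if client.get("challenge") != b64url(issued_challenge):
        return "challenge mismatch"
    # The browser, not the page, writes the origin: a look-alike site cannot fake it.
    if client.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    if len(authenticator_data) < 37:  # 32-byte hash + flags + 4-byte counter
        return "authenticator data too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    flags = authenticator_data[32]
    if not flags & 0x01:              # UP: user present
        return "user not present"
    if require_uv and not flags & 0x04:  # UV: device unlock (PIN/biometric)
        return "user not verified"
    return "ok"

def sample(origin: str, rp_id: str, challenge: bytes, flags: int = 0x05):
    """Constructed browser/authenticator output for the demo, not captured data."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + bytes(4)
    return client, auth

if __name__ == "__main__":
    ch = bytes(range(32))  # constructed challenge
    print(check_assertion(*sample(EXPECTED_ORIGIN, RP_ID, ch), ch))
    print(check_assertion(*sample("https://accounts.example.test", RP_ID, ch), ch))
    print(check_assertion(*sample(EXPECTED_ORIGIN, RP_ID, ch, flags=0x01), ch))
```

A password typed into a look-alike page works for whoever collects it; an assertion produced on a look-alike origin fails the origin and RP ID checks, and one replayed later fails the challenge check.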
Google will keep its other sign-in options, allowing users to log in to their accounts when they don’t have access to their devices.
Passkeys are securely synced to the cloud, allowing users to replace the device used to generate them. Apple users who create a passkey on their iPhone can use it on any other device signed in to the same iCloud account.
“This protects you from being locked out of your account in case you lose your devices, and makes it easier for you to upgrade from one device to another.” continues the post. “If you want to sign in on a new device for the first time, or temporarily use someone else’s device, you can use a passkey stored on your phone to do so. On the new device, you’d just select the option to “use a passkey from another device” and follow the prompts. This does not automatically transfer the passkey to the new device, it only uses your phone’s screen lock and proximity to approve a one-time sign-in. If the new device supports storing its own passkeys, we will ask separately if you want to create one there.”
Users who want to start using passkeys on their personal Google Account can visit g.co/passkeys.
(SecurityAffairs – hacking, Google)