Should you protect your Google Account with a passkey instead of a password?
Last week, Google unlocked the ability to create passkeys to protect Google Accounts and to switch to using passkeys instead of passwords for protection. The question that Google customers may have is whether they should take the plunge and start using passkeys instead of the account password, or if they should wait a bit longer before they consider doing so.
This guide explains the benefits and disadvantages of both authentication options so that all Google customers can make an educated decision.
Protecting your Google Account with a password
Passwords are the dominant authentication option today. Users select the passwords that they want to use, and while there are usually some limitations, such as a minimum length or certain character requirements, users are otherwise free in their choice of password.
This freedom is one of the greatest strengths of passwords, but also one of their greatest weaknesses. Easy-to-remember passwords are usually not secure, while hard-to-remember passwords are secure but not practical unless a password manager is used. There is also password reuse, the use of the same password at multiple services, and there are attacks that try to steal passwords or use brute-force methods to reveal them.
Passwords, or their hashes, are stored by the service, as this is the only way to verify them when they are entered by the user during the login process.
Companies have started to implement two-factor authentication options to improve security. A second code needs to be provided by the user to gain access to the account. Codes may be created using apps or may be sent to users via email or messages.
While two-factor authentication improves the security of accounts, it makes things complicated for the user as it adds another step to the login process.
Protecting your Google Account with Passkeys
Passkeys are a passwordless authentication standard. Passkeys are created automatically on the user's device during setup, and some of the information never leaves the device.
Sign-ins to services and apps require confirmation by the user; this is done using the device's PIN or other means, including biometrics. A password is never used, and all forms of verification happen locally.
The entire process of signing in to accounts is fast, and it no longer requires a second verification step. One of the main benefits of passkeys is that they render attacks against passwords useless. Phishing, brute forcing or server break-ins can no longer be used to uncover passwords, as passwords are neither entered nor stored remotely.
There are a few downsides as well. Support may be limited to certain operating system versions, web browsers or applications. Google passkeys, for example, require Windows 10 or higher, macOS Ventura, Chrome OS, iOS 16 or Android 9 on the operating system side. Browser support is limited to Chrome 109 or newer, Microsoft Edge 109 or newer, and Safari 16 or newer officially.
Other browsers, including Firefox, may also work, but they are not supported officially.
The second issue is that passkeys are device-specific. While syncing is possible in theory, most services and apps do not support it yet. Google account passkeys are device-specific, which means that you need to create them on every device that you use to switch completely from passwords to passkeys.
The Google account password is not removed, however.
Passwords or Passkeys?
Some Google users may not be able to use passkeys at all or only on some devices, because of the requirements.
Protecting the Google account with a passkey improves security in several ways, and it is the upcoming standard that many online services will switch to.
Most Google users benefit from switching to passkeys. Some may want to wait until syncing becomes available, especially if they use lots of devices.
A Google password may still (need to) be used, for instance on devices that don't support passkeys or on public machines.
Most Google customers may need to juggle passwords and passkeys for a while because of that.
Secure passwords along with two-factor authentication, a good password manager, and the use of common sense protect the Google account sufficiently. Passkeys are an upcoming standard that promises to do even better, but it is in its early stages at this point.
There is no definitive answer at this point. Google customers who use a single device are in the best position to switch to using passkeys. Those with multiple devices, browsers and maybe even accounts are less so.
Most password managers do not support passkeys yet, but many will introduce support in the coming months and years. NordPass, Dashlane, Bitwarden, 1Password and even LastPass have added support for passwordless authentication or are about to. Support may vary, as some services added support for the password management service itself, while others plan to add options to store password data of other accounts using the password manager.
Now You: have you switched to using passkeys already?
Thanks, Martin, for the overview. Unfortunately – and I experience the exact same thing on other platforms – this story only talks about the immediate security benefits. I’d really appreciate some information about the risk to be locked out of accounts: is there any? If so, are there mitigations? etc etc.
Any chance your readers could get an update on that aspect, too?
Why does everyone keep perpetuating these lies?
Easy to remember or hard to remember, this has nothing to do with password strength.
The more characters in a password the stronger it is, it is simple math. The more 1’s and 0’s, the more possible permutations.
Beyond the obvious, don't use your birthday, dog's name, or other info that you posted 47k times on social media. Just make a nonsensical phrase that is as long as you can make it.
Or use a password safe that has no internet connection and use randomized strings of no less than 32 characters.
“Why does everyone keep perpetuating these lies?”
are you serious?