Passwords No Longer Required For Google Accounts
Google has finally done away with the need for passwords or two-step verification for all personal and professional Google Accounts.
The company has launched ‘passkeys’, which allow users to sign in by unlocking their computer or mobile device with their fingerprint, face recognition or a local PIN.
The passkey itself is only stored on a user’s device, and uses your “screen lock biometrics” or PIN to confirm it’s the correct user.
Biometric data is never shared with Google or any other third party, and the screen lock only unlocks the passkey locally.
Google has confirmed these passkeys work on every major platform or browser, although it notes “passkeys are still new and it will take some time before they work everywhere.”
This is a significant security step for Google, and seemingly a lot safer than passwords, and less fiddly than two-step verification.
Using passkeys does not mean that you have to use your phone every time you sign in, as Google stresses. If you use multiple devices, you create a passkey for each one, with some platforms syncing to other devices you own, protecting you from being locked out if you lose your phone.
Google’s technical explainer is as follows: “The main ingredient of a passkey is a cryptographic private key – this is what is stored on your devices. When you create one, the corresponding public key is uploaded to Google. When you sign in, we ask your device to sign a unique challenge with the private key. Your device only does so if you approve this, which requires unlocking the device. We then verify the signature with your public key.
“Your device also ensures the signature can only be shared with Google websites and apps, and not with malicious phishing intermediaries. This means you don’t have to be as watchful with where you use passkeys as you would with passwords, SMS verification codes, etc.
“The signature proves to us that the device is yours since it has the private key, that you were there to unlock it, and that you are actually trying to sign in to Google and not some intermediary phishing site. The only data shared with Google for this to work is the public key and the signature. Neither contains any information about your biometrics.”
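The exchange Google describes, as an added sketch that is not Google's code or the real WebAuthn wire format: a device signs a server challenge together with the site origin, and the server checks challenge, origin and signature. The `Device` class, `verify` function and all hostnames are constructed for illustration.

```javascript
// Simplified model of the passkey sign-in flow; not the real WebAuthn wire format.
const nodeCrypto = require('crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Device side: private keys stay in this object, one per site (rpId).
class Device {
  constructor() { this.keys = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.keys.set(rpId, privateKey);
    return publicKey; // only the public key is uploaded to the server
  }
  // `origin` is supplied by the browser, not by the page requesting the signature.
  signIn(origin, challenge, userUnlocked) {
    const rpId = new URL(origin).hostname;
    const privateKey = this.keys.get(rpId);
    if (!privateKey || !userUnlocked) return null; // no passkey for this site, or no screen unlock
    const clientData = Buffer.from(JSON.stringify({ challenge: challenge.toString('hex'), origin }));
    const signed = Buffer.concat([sha256(rpId), sha256(clientData)]);
    return { clientData, signature: nodeCrypto.sign('sha256', signed, privateKey) };
  }
}

// Server side: check the challenge it issued, the origin, then the signature.
function verify(publicKey, rpId, expectedOrigin, issuedChallenge, response) {
  if (!response) return 'no-response';
  const { challenge, origin } = JSON.parse(response.clientData.toString());
  if (challenge !== issuedChallenge.toString('hex')) return 'stale-challenge';
  if (origin !== expectedOrigin) return 'wrong-origin';
  const signed = Buffer.concat([sha256(rpId), sha256(response.clientData)]);
  return nodeCrypto.verify('sha256', signed, publicKey, response.signature) ? 'ok' : 'bad-signature';
}

function demo() {
  const RP = 'accounts.example', ORIGIN = 'https://accounts.example'; // constructed names
  const device = new Device();
  const publicKey = device.register(RP);
  device.register('other.example'); // a passkey for an unrelated site
  const challenge = nodeCrypto.randomBytes(32);
  const good = device.signIn(ORIGIN, challenge, true);
  const check = (resp, ch = challenge) => verify(publicKey, RP, ORIGIN, ch, resp);
  return {
    genuine: check(good),
    locked: check(device.signIn(ORIGIN, challenge, false)),
    lookalike: check(device.signIn('https://accounts.example.login.test', challenge, true)),
    relayed: check(device.signIn('https://other.example', challenge, true)),
    replayed: check(good, nodeCrypto.randomBytes(32)),
  };
}
console.log(demo());
```

Only the genuine sign-in verifies; the locked device and the lookalike host produce no signature at all, and a signature made for another origin or an old challenge is rejected by the server.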
As the company notes, there will be some teething problems, and we are likely to read a slew of criticism over the coming days, pointing out potential pitfalls (the scanning of a user’s face and fingerprints, for example; whether you can trust Google, for another), but it’s a step past the password, which is a good step to take.