Skip to main content

Google is killing your passwords, and security experts are (mostly) happy

Promotional image for Tech For Change. Person standing on solar panel looking at sunset.
This story is part of Tech for Change: an ongoing series in which we shine a spotlight on positive uses of technology, and showcase how they're helping to make the world a better place.

Google account prompt explaining passkeys.
Digital Trends

Google is inching closer to making passwords obsolete. The solution is called “Passkeys,” a unique form of password that is stored locally on your phone or PC, just the way a physical security key works. The passkeys are protected behind a layer of authentication, which can be your fingerprint or face scan — or just an on-screen pattern or PIN.

Recommended Videos

Passkeys are faster, linked across platforms, and save you the hassle of remembering passwords for websites or services that you have subscribed to. There is a smaller scope for human error, and the risks of 2-factor authentication code interception are also reduced.

Developed in collaboration with Microsoft and Apple, Google is now taking the next steps to take passkeys mainstream by making them the default log-in option. You won’t be forced to ditch your usual log-in methods, but if you haven’t already enabled passkeys, you will be nudged the next time your Google account is used for a sign-in request.

Why passkeys are better than passwords

Prompt for creating a passkey for a Google account.
Digital Trends

Passkeys employ what you would call a digital handshake, which involves creating a pair of passwords using cryptographic methods. One is stored with the app or web service, while the other one remains with the user, protected by an on-device password or biometric authentication. There is no two-factor code involved, and all you need to do is tap on a prompt on your device to allow the identity verification.

Trevor Hilligoss, who has previously worked as a security expert with the FBI and currently handles security research at SpyCloud, tells Digital Trends that passkeys are “strong by nature, and it’s why many security teams prefer this mode of defense.” The biggest advantage here is that they are not dumped like your average alphanumeric password in data breaches. That’s a problem for multiple reasons because an alarmingly high number of digital citizens reuse the same password, or a predictably modified form of it, across different services.

Passkeys are faster (up to 40%, according to Google), safer, and more convenient. But Hilligoss warns that they’re not exactly a silver bullet of digital safety. “Cybercriminals are rapidly adapting to this technology by shifting their focus from stealing account credentials to account recovery methods, developing tactics to steal passkeys and launching attacks such as session hijacking.”

Passkeys are good, but they aren’t perfect

Security expert Trevor Hilligoss.
Security expert Trevor Hilligoss SpyCloud

Hilligoss points to a technique called session hijacking — also known as cookie hijacking – where a hacker tries to take control of your online browsing session to steal sensitive data. Essentially, the bad actors fool a website into thinking that it’s a legitimate user. When a person visits a website, a session ID is created that often remains active for days.

This session data is stored in the form of numbers and letters in temporary session cookies, and it remains in the browser until the user is logged out. Hackers can steal session IDs by injecting scripts into web pages, intercepting the network traffic, deceptively installing malware on the victim’s device, or simply using pattern prediction.

“Once the attacker has hijacked a web session, they can do anything the original user can, including purchasing items, stealing confidential personal information, or accessing bank accounts,” Hilligoss adds. In such attacks, it doesn’t matter if the sign-in was allowed using a traditional password or passkeys.

What this all means for you

Logging into a Google account with passkeys on an iPhone.
Digital Trends

Passkeys are tied to Google Password Manager, while Apple brings the iCloud Keychain into the picture, which means passkeys are also synced across devices. By default, Google also automatically creates a passkey for freshly activated Android devices. However, as we leave behind passwords, hackers are also moving ahead with more sophisticated techniques.

Passkeys also won’t block other forms of cyberattacks, like malware deployment in varied forms, a scammer impersonating a bank official on a phone call (hello, generative AI hell), social engineering attacks, and more. Passkeys only solve one side of the security flaw, but they’re from being a cure-all trick.

Digital literacy is still going to be of paramount importance in the years ahead as third-party services slowly embrace passkey. Hilligoss suggests one should prefer app-based 2-factor authentication, keep changing passwords at regular intervals, double-check the URLs and links they receive, and stay vigilant about phone calls from unknown numbers.

“Proper cyber hygiene and exercising visibility into your online accounts will go a long way in staying ahead of cybercriminals,” he concludes.

Nadeem Sarwar
Nadeem is a tech and science journalist who started reading about cool smartphone tech out of curiosity and soon started…
Your Google News app is getting a subtle redesign. Here’s what’s changing
Google News on a Pixel 9 Pro.

Google continues to fine-tune its native apps on Android, this time with Google News. This follows the big redesign to Google Maps that happened earlier this year. So what’s new in Google News?

Basically, the newly redesigned Google News makes things simpler in terms of the bottom bar. Previously, there were four sections in that bottom navigation bar: For you, Headlines, Following, and Newsstand. The revamped version now combines For you and Headlines into a new Home tab, which acts as the default feed for content. The other two tabs -- Following and Newsstand -- still remain.

Read more
Google boosts Android security against unknown tracking devices
Unknown tracker alert for Android.

Google is adding a couple of new features to Android’s safety alert system that will help users find unknown trackers moving with them. The new features cover all tags and tracking devices that support Google’s Find My Device service for locating lost hardware.

The first one is Find Nearby. This one will help users locate any hidden tracker. For example, if your Android phone flashes an unknown tracker alert, you can check for its presence using the Play Sound feature.

Read more
Here’s how your Android phone could help stop your motion sickness
Someone holding the Google Pixel 9 with the screen on.

Motion sickness — also called kinetosis — is a common problem. In fact, as many as one in three people have felt sick while in a vehicle. For those who suffer from it, reading in the car is practically impossible.

Apple introduced a feature that helps those prone to motion sickness use their phones without the accompanying nausea. Now, Google is working on a similar feature for Android phones.

Read more