Skip to main content

Google is killing your passwords, and security experts are (mostly) happy

Google account prompt explaining passkeys.
Digital Trends

Google is inching closer to making passwords obsolete. The solution is called “Passkeys,” a unique form of password that is stored locally on your phone or PC, just the way a physical security key works. The passkeys are protected behind a layer of authentication, which can be your fingerprint or face scan — or just an on-screen pattern or PIN.

Passkeys are faster, linked across platforms, and save you the hassle of remembering passwords for websites or services that you have subscribed to. There is a smaller scope for human error, and the risks of 2-factor authentication code interception are also reduced.

Developed in collaboration with Microsoft and Apple, Google is now taking the next steps to take passkeys mainstream by making them the default log-in option. You won’t be forced to ditch your usual log-in methods, but if you haven’t already enabled passkeys, you will be nudged the next time your Google account is used for a sign-in request.

Why passkeys are better than passwords

Prompt for creating a passkey for a Google account.
Digital Trends

Passkeys employ what you would call a digital handshake, which involves creating a pair of passwords using cryptographic methods. One is stored with the app or web service, while the other one remains with the user, protected by an on-device password or biometric authentication. There is no two-factor code involved, and all you need to do is tap on a prompt on your device to allow the identity verification.

Trevor Hilligoss, who has previously worked as a security expert with the FBI and currently handles security research at SpyCloud, tells Digital Trends that passkeys are “strong by nature, and it’s why many security teams prefer this mode of defense.” The biggest advantage here is that they are not dumped like your average alphanumeric password in data breaches. That’s a problem for multiple reasons because an alarmingly high number of digital citizens reuse the same password, or a predictably modified form of it, across different services.

Passkeys are faster (up to 40%, according to Google), safer, and more convenient. But Hilligoss warns that they’re not exactly a silver bullet of digital safety. “Cybercriminals are rapidly adapting to this technology by shifting their focus from stealing account credentials to account recovery methods, developing tactics to steal passkeys and launching attacks such as session hijacking.”

Passkeys are good, but they aren’t perfect

Security expert Trevor Hilligoss.
Security expert Trevor Hilligoss SpyCloud

Hilligoss points to a technique called session hijacking — also known as cookie hijacking – where a hacker tries to take control of your online browsing session to steal sensitive data. Essentially, the bad actors fool a website into thinking that it’s a legitimate user. When a person visits a website, a session ID is created that often remains active for days.

This session data is stored in the form of numbers and letters in temporary session cookies, and it remains in the browser until the user is logged out. Hackers can steal session IDs by injecting scripts into web pages, intercepting the network traffic, deceptively installing malware on the victim’s device, or simply using pattern prediction.

“Once the attacker has hijacked a web session, they can do anything the original user can, including purchasing items, stealing confidential personal information, or accessing bank accounts,” Hilligoss adds. In such attacks, it doesn’t matter if the sign-in was allowed using a traditional password or passkeys.

What this all means for you

Logging into a Google account with passkeys on an iPhone.
Digital Trends

Passkeys are tied to Google Password Manager, while Apple brings the iCloud Keychain into the picture, which means passkeys are also synced across devices. By default, Google also automatically creates a passkey for freshly activated Android devices. However, as we leave behind passwords, hackers are also moving ahead with more sophisticated techniques.

Passkeys also won’t block other forms of cyberattacks, like malware deployment in varied forms, a scammer impersonating a bank official on a phone call (hello, generative AI hell), social engineering attacks, and more. Passkeys only solve one side of the security flaw, but they’re from being a cure-all trick.

Digital literacy is still going to be of paramount importance in the years ahead as third-party services slowly embrace passkey. Hilligoss suggests one should prefer app-based 2-factor authentication, keep changing passwords at regular intervals, double-check the URLs and links they receive, and stay vigilant about phone calls from unknown numbers.

“Proper cyber hygiene and exercising visibility into your online accounts will go a long way in staying ahead of cybercriminals,” he concludes.

Editors' Recommendations

Nadeem Sarwar
Nadeem is a tech journalist who started reading about cool smartphone tech out of curiosity and soon started writing…
Google just announced 9 new features for your Android phone and watch
Samsung Galaxy S23 showing Google Photos

Google has announced some big new features coming to Android and Wear OS devices during the Mobile World Congress 2023 event in Barcelona, Spain. These new features are beginning to roll out starting today, February 27, with others to come later.
New Android features available starting February 27

Google Drive users will now be able to do freehand annotation on Android phones and tablets. This means you are now able to use a stylus or your fingers to annotate PDFs directly in the Google Drive app on Android.

Read more
Update your Google Pixel 7 now for three big security and audio features
Google Pixel 7 home screen with rainbow gradient wallpaper in light

Every few months, Google releases Feature Drops with new features and fixes for its Pixel phones. While 2022 may be nearly over, that hasn't stopped Google from pushing one final Feature Drop before the year ends.

This latest Feature Drop is primarily focused on adding features to the Pixel 7 and Pixel 7 Pro that Google announced in October when it first unveiled the phones. The first big addition is free Google One VPN access. Anyone with a Pixel 7 or 7 Pro can use a Google One-powered VPN at no additional cost — this is great for more secure web browsing. Considering Google's VPN is traditionally only available with a $10-per-month Google One subscription, it's a nice value add we're happy to see.

Read more
Google’s Android monopoly finds its biggest challenge, and Apple might be next
Apps screen on the Google Pixel 7.

The Competition Commission of India slapped Google with two hefty fines over anti-competitive strategies that have allowed it to dominate the mobile ecosystem in India. Totaling over $250 million, the penalties reprimand Google for forcing smartphone makers to avoid Android forks, prefer Google’s web search service, and pre-install popular cash cows like YouTube on phones.

Google was also disciplined for forcing its own billing system on developers that allowed the giant to take up to a 30% share of all in-app purchases for applications listed on the app store. Google is not really a stranger to titanic penalties; The EU handed Google a record-breaking fine of approximately $5 billion in 2018 for abusing its dominant market position — a penalty that was upheld in September this year following Google’s appeal.

Read more