Skip to main content
  1. Home
  2. Mobile
  3. News

Google is killing your passwords, and security experts are (mostly) happy

Nadeem Sarwar
By
Google account prompt explaining passkeys.
Digital Trends
Tech For Change
This story is part of Tech for Change: an ongoing series in which we shine a spotlight on positive uses of technology, and showcase how they're helping to make the world a better place.

Google is inching closer to making passwords obsolete. The solution is called “Passkeys,” a unique form of password that is stored locally on your phone or PC, just the way a physical security key works. The passkeys are protected behind a layer of authentication, which can be your fingerprint or face scan — or just an on-screen pattern or PIN.

Passkeys are faster, linked across platforms, and save you the hassle of remembering passwords for websites or services that you have subscribed to. There is a smaller scope for human error, and the risks of 2-factor authentication code interception are also reduced.

Recommended Videos

Developed in collaboration with Microsoft and Apple, Google is now taking the next steps to take passkeys mainstream by making them the default log-in option. You won’t be forced to ditch your usual log-in methods, but if you haven’t already enabled passkeys, you will be nudged the next time your Google account is used for a sign-in request.

Related

Why passkeys are better than passwords

Prompt for creating a passkey for a Google account.
Digital Trends

Passkeys employ what you would call a digital handshake, which involves creating a pair of passwords using cryptographic methods. One is stored with the app or web service, while the other one remains with the user, protected by an on-device password or biometric authentication. There is no two-factor code involved, and all you need to do is tap on a prompt on your device to allow the identity verification.

Trevor Hilligoss, who has previously worked as a security expert with the FBI and currently handles security research at SpyCloud, tells Digital Trends that passkeys are “strong by nature, and it’s why many security teams prefer this mode of defense.” The biggest advantage here is that they are not dumped like your average alphanumeric password in data breaches. That’s a problem for multiple reasons because an alarmingly high number of digital citizens reuse the same password, or a predictably modified form of it, across different services.

Passkeys are faster (up to 40%, according to Google), safer, and more convenient. But Hilligoss warns that they’re not exactly a silver bullet of digital safety. “Cybercriminals are rapidly adapting to this technology by shifting their focus from stealing account credentials to account recovery methods, developing tactics to steal passkeys and launching attacks such as session hijacking.”

Passkeys are good, but they aren’t perfect

Security expert Trevor Hilligoss.
Security expert Trevor Hilligoss SpyCloud

Hilligoss points to a technique called session hijacking — also known as cookie hijacking – where a hacker tries to take control of your online browsing session to steal sensitive data. Essentially, the bad actors fool a website into thinking that it’s a legitimate user. When a person visits a website, a session ID is created that often remains active for days.

This session data is stored in the form of numbers and letters in temporary session cookies, and it remains in the browser until the user is logged out. Hackers can steal session IDs by injecting scripts into web pages, intercepting the network traffic, deceptively installing malware on the victim’s device, or simply using pattern prediction.

“Once the attacker has hijacked a web session, they can do anything the original user can, including purchasing items, stealing confidential personal information, or accessing bank accounts,” Hilligoss adds. In such attacks, it doesn’t matter if the sign-in was allowed using a traditional password or passkeys.

What this all means for you

Logging into a Google account with passkeys on an iPhone.
Digital Trends

Passkeys are tied to Google Password Manager, while Apple brings the iCloud Keychain into the picture, which means passkeys are also synced across devices. By default, Google also automatically creates a passkey for freshly activated Android devices. However, as we leave behind passwords, hackers are also moving ahead with more sophisticated techniques.

Passkeys also won’t block other forms of cyberattacks, like malware deployment in varied forms, a scammer impersonating a bank official on a phone call (hello, generative AI hell), social engineering attacks, and more. Passkeys only solve one side of the security flaw, but they’re from being a cure-all trick.

Digital literacy is still going to be of paramount importance in the years ahead as third-party services slowly embrace passkey. Hilligoss suggests one should prefer app-based 2-factor authentication, keep changing passwords at regular intervals, double-check the URLs and links they receive, and stay vigilant about phone calls from unknown numbers.

“Proper cyber hygiene and exercising visibility into your online accounts will go a long way in staying ahead of cybercriminals,” he concludes.

Editors' Recommendations

Topics
Nadeem Sarwar
Nadeem Sarwar
Contributor
Nadeem is a tech journalist who started reading about cool smartphone tech out of curiosity and soon started writing…
Your iPhone has a secret feature that helps the environment — here’s how it works
iPhone 14 Pro showing Battery & Health

As Earth Day approaches, you may be wondering how you can help reduce your overall carbon footprint. You could use less disposable household items, get eco-friendly items instead, or drive an EV instead of a gas vehicle — there are plenty of ways to do your part.

But if you have an iPhone with iOS 16.1 or higher, you’re already contributing with a new feature Apple added called Clean Energy Charging. Here’s everything you need to know about how this eco-friendly charging option works.
What is Clean Energy Charging?

Read more
Your next Samsung phone might ditch Google Search for Bing
The screens on the Galaxy A54 and Galaxy S23 Ultra.

When you buy an Android phone, you expect Google Search to be installed out of the box as the default search engine. But that may not be the case when you buy your next Samsung phone. According to a report over the weekend, Samsung might abandon Google Search in favor of Bing as the default search engine for future Samsung Galaxy phones.

The possibility that Samsung is considering replacing Google Search with Bing on its smartphones sent Google into a "panic," according to the New York Times, Why? As the report explains, "An estimated $3 billion in annual revenue is at stake with the Samsung contract." If Samsung doesn't want to keep using Google for the default search engine on its phones, that's $3 billion per year Google will no longer get. And if Samsung decides it wants Bing instead of Google, who knows how many other companies will follow suit and do the same.
Why Samsung wants Bing over Google

Read more
Google is getting ready to kill your Fitbit account
A Fitbit Charge 5 displaying the home screen on a wearer opening a door.

If you're a proud and longtime Fitbit user, you'll notice something different about the Fitbit app later this year. Starting this summer, Google will now allow Fitbit users to migrate their existing Fitbit account to a Google account.

Google initially announced plans to do this last September, but it provided full details on the transition in a blog post on April 11. It'll work a little differently depending on who you are, but the gist is that Google is ready to start killing old Fitbit accounts and transition them to Google ones.
Your Fitbit account is going away in 2025

Read more