
MacRumors

macrumors bot
Original poster

Google today announced that it is introducing support for passkeys, providing an easier and more secure login method for Google accounts. Apple integrated passkeys into iOS with the launch of iOS 16, and they are also available in iPadOS 16.1 and later as well as macOS Ventura.

Passkeys are an industry standard developed by the FIDO Alliance and the World Wide Web Consortium, so Google's passkey integration will work on Apple devices as well as on other devices that support the feature. As Google notes:
Last year — alongside FIDO Alliance, Apple and Microsoft — we announced we would begin work to support passkeys on our platform as an easier and more secure alternative to passwords. And today, ahead of World Password Day, we've begun rolling out support for passkeys across Google Accounts on all major platforms. They'll be an additional option that people can use to sign in, alongside passwords, 2-Step Verification (2SV), etc.
Passkeys are both easier to use and more secure than passwords because they let users sign in to apps and sites the same way they unlock their devices: With a fingerprint, a face scan or a screen lock PIN. Passkeys are also resistant to online attacks like phishing, making them more secure than things like SMS one-time codes.

To create a passkey, Google users can log in to their Google account and then choose the "Create a passkey" option. Passkeys on iOS and Mac devices sync with iCloud Keychain for security purposes, and logins are authenticated with Face ID or Touch ID. This protects you from being locked out of your account in case you lose your devices, and makes it easier for you to upgrade from one device to another.

Google says the switch to passkeys will take time, which is why traditional passwords and two-step verification will still work for Google Accounts.

Google is just one of several companies to implement support for passkeys in recent months, with other supporting apps and websites including PayPal, Best Buy, eBay, Dashlane, and Kayak.

Article Link: Google Announces Support for Account Passkeys
 
I just created a passkey for my Google account.

A passkey can be set as the default method for signing in, but it’s not possible to completely remove the password for a Google account yet.

If you’re getting an error when trying to create the passkey, then switch off your ad blocker.
 
So, with Passkeys tied to an already authenticated login on a device I control, how do I log in to my Google account on a device I do not control, like a work computer or a university lab computer? Do passwords still work for that?
You would scan the QR code displayed on the device you don’t control. It will authenticate using the passkey stored in your phone’s keychain.
 
Created a passkey on my Google Account and synced with iCloud Keychain, and trying to sign into Chrome using the Passkey. The QR code pops up for sign-in, cool, I use my iPhone to scan the code, and it says "no passkeys found for google.com" and it doesn't let me choose the account that has it set up..... guess I'll not use this until it's baked a little more..
 
Created a passkey on my Google Account and synced with iCloud Keychain, and trying to sign into Chrome using the Passkey. The QR code pops up for sign-in, cool, I use my iPhone to scan the code, and it says "no passkeys found for google.com" and it doesn't let me choose the account that has it set up..... guess I'll not use this until it's baked a little more..
This works for me.
 
I use 1Password for everything, and set up two-factor auth for any site I can do it for.

I haven't dipped my toe into any passkeys yet, but I'll start with something low stakes like Kayak or whatever before I start messing around with my Google account -- especially since it's sounding like there are some rough edges here.
 
It may be more convenient, but is Face ID access really more secure than a password+2FA? It’s easy to think of scenarios that defeat fingerprint or Face ID.
Face ID isn’t required. You can use a device passcode to authenticate with passkeys.

Face ID would be a better option as it would prevent someone seeing your passcode or it being captured by security cameras when you’re typing it in.

Passkeys are not just more convenient, they’re more secure also.
 
I already celebrate world password day 256 days of the year- hardly seems necessary to give it one more day.
 
Face ID isn’t required. You can use a device passcode to authenticate with passkeys.

Face ID would be a better option as it would prevent someone seeing your passcode or it being captured by security cameras when you’re typing it in.

Passkeys are not just more convenient, they’re more secure also.
My question is if Face ID isn’t required and a passcode can be used doesn’t this fall right back into the security vulnerability we’ve heard recently where Face ID can be bypassed and a passcode can be used to access keychain? Since passkeys are saved in keychain can’t they be accessed using this method? It seems to me the bypassing of Face ID is the crux of the existing security flaw.
 
I use 1Password for everything, and set up two-factor auth for any site I can do it for.

I haven't dipped my toe into any passkeys yet, but I'll start with something low stakes like Kayak or whatever before I start messing around with my Google account -- especially since it's sounding like there are some rough edges here.
Not really... You can't lose access if you lose access to your iCloud Keychain since Google still allows password + 2FA to work in their implementation. You will always have a backup login.
 
It may be more convenient, but is Face ID access really more secure than a password+2FA? It’s easy to think of scenarios that defeat fingerprint or Face ID.
The underlying technology isn’t Face ID, it’s public-key cryptography, which is much more secure than any password-based authentication will ever dream of being because it fully eliminates the concept (read: problem) of shared secrets.

The underlying technology is much more secure and the user experience is both about as secure and definitely more convenient. If someone’s able to defeat a user’s biometric auth methods, they’re likely also able to access the user’s passwords and 2FA codes in most password manager setups. Also, for many people, biometrics even with the possibility of defeat are likely more secure than the passwords they choose, the fantastic user experience of TOTP codes notwithstanding.
 
My question is if Face ID isn’t required and a passcode can be used doesn’t this fall right back into the security vulnerability we’ve heard recently where Face ID can be bypassed and a passcode can be used to access keychain? Since passkeys are saved in keychain can’t they be accessed using this method? It seems to me the bypassing of Face ID is the crux of the existing security flaw.
If your face-id or device passcode gets compromised, yeah, your passkeys may get compromised too. That's not the problem passkeys are trying to solve, though. In your scenario, an attacker will only gain access to your accounts.

Right now, most website servers store hashes of passwords for all their users, and attackers can use different techniques (like rainbow tables) to convert them to actual passwords. This is what passkeys are trying to eliminate.

Your passkey is made up of a private and public key. The private key never leaves your devices, and never gets stored on, say, facebook.com's servers. So even if someone hacks facebook.com's servers and gets billions of users' public keys, they don't have jack **** because you need private keys to authenticate fully.

In simpler words, passkeys don't eliminate threat to your device passwords. They're eliminating large scale data breaches on companies' servers.
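
The split described in the post above, as an added example that is not part of the original thread and not code from any real passkey implementation: the server keeps only a public key and checks a signature over a fresh challenge and the site origin. It is a simplified model of the WebAuthn flow; the origins, the choice of Ed25519 and all function names are assumptions made for illustration.

```javascript
// Added illustration: a simplified passkey-style login, not real WebAuthn.
const crypto = require('node:crypto');

const ORIGIN = 'https://example.test'; // constructed site origin

// Registration: the key pair is created on the user's device.
function registerPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { device: { privateKey }, serverRecord: { publicKey } };
}

// Device: sign the server's challenge plus the origin the browser reports.
function signAssertion(device, challenge, origin) {
  const clientData = JSON.stringify({ challenge: challenge.toString('hex'), origin });
  const signature = crypto.sign(null, Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Server: accept only a fresh challenge, its own origin and a valid signature.
function verifyAssertion(record, challenge, assertion) {
  const data = JSON.parse(assertion.clientData);
  if (data.challenge !== challenge.toString('hex')) return false; // stale or replayed
  if (data.origin !== ORIGIN) return false;                       // signed for another site
  return crypto.verify(null, Buffer.from(assertion.clientData),
    record.publicKey, assertion.signature);
}

function demo() {
  const { device, serverRecord } = registerPasskey();
  const challenge = crypto.randomBytes(32);
  const legitimate = signAssertion(device, challenge, ORIGIN);
  // Server breach: the intruder holds serverRecord.publicKey only, so the
  // best available is a signature from some other private key.
  const forged = signAssertion(registerPasskey().device, challenge, ORIGIN);
  // Look-alike site relays the challenge; the origin in the signed data differs.
  const phished = signAssertion(device, challenge, 'https://example-login.test');
  return {
    legitimate: verifyAssertion(serverRecord, challenge, legitimate),
    forged: verifyAssertion(serverRecord, challenge, forged),
    phished: verifyAssertion(serverRecord, challenge, phished),
    replayed: verifyAssertion(serverRecord, crypto.randomBytes(32), legitimate),
  };
}

console.log(demo());
```

Only the first check succeeds; nothing stored in serverRecord is enough to produce a signature the server will accept.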
 
I did set it up with my 3 google accounts but it only seems to work with the first one I set it up with. Does it go by the domain instead of the username?
 
So even if someone hacks facebook.com's servers and gets billions of users' public keys, they don't have jack **** because you need private keys to authenticate fully.
If someone breaches Facebook servers, they could access all Facebook data, without needing any individual user’s credentials.
 
If your face-id or device passcode gets compromised, yeah, your passkeys may get compromised too. That's not the problem passkeys are trying to solve, though. In your scenario, an attacker will only gain access to your accounts.

Right now, most website servers store hashes of passwords for all their users, and attackers can use different techniques (like rainbow tables) to convert them to actual passwords. This is what passkeys are trying to eliminate.

Your passkey is made up of a private and public key. The private key never leaves your devices, and never gets stored on, say, facebook.com's servers. So even if someone hacks facebook.com's servers and gets billions of users' public keys, they don't have jack **** because you need private keys to authenticate fully.

In simpler words, passkeys don't eliminate threat to your device passwords. They're eliminating large scale data breaches on companies' servers.
Thank you for the detailed response. I understand now.
 
If someone breaches Facebook servers, they could access all Facebook data, without needing any individual user’s credentials.
That was just an example off the top of my head. But even if they get your info, passwords are still a goldmine, because a lot of people use the same password on multiple sites. So an attacker with your email and password may try it on other popular sites, and there's a high chance it'll work (for a larger percentage of audience).

To look at actual data breaches, visit https://haveibeenpwned.com/. It also lets you search for your own emails and passwords to see if you're part of any breach.
 