For many years, passwords have been one of the weakest links in IT security – yet most online services are still heavily reliant on them.

Every week we hear examples of passwords being leaked or brute-force attacks breaking into accounts with weak passwords, underlining just how much of a problem they can be.

So a recent update rolled out by Google should be of interest to anyone who wants to better protect their account. Users now have the option of securing their account with a ‘passkey’ instead of a password.

What is a passkey?

Passkeys are best explained by describing the new logon process:

  • A person types their username into the Google account logon form.
  • A push notification arrives on their smartphone asking to confirm their logon attempt.
  • The user clicks yes and their phone’s built-in ID recognition system confirms their identity.
  • The logon completes and the user can access their Google account.

The passkey is the user’s face (or fingerprint, depending on their smartphone’s capabilities). In some cases, users may be asked to enter the PIN unlock code for their phone instead.

Is this not just 2FA?

The process sounds a little like two-factor authentication (2FA), whereby an email or text message is sent to the user containing a code that must be entered during logon.

The difference is that users do not have to remember any additional login details or wait for a code – they don’t even have to type anything else to complete login because their passkey is submitted automatically.

As hackers get smarter, 2FA has proven to be increasingly insecure. That is why passkeys provide a more secure alternative for Google account holders.

Is this the end of the passwords?

Google has been clear that they will eventually phase out passwords completely. However, passkeys remain optional for now; users do not have to make the switch yet. In fact, it may take several years until Google goes fully passwordless.

Why the delay?

Everyone knows how to use passwords – they are completely ingrained in internet culture. And tools like Panda Dome Passwords make it easy to store and access complex passwords that are very hard to guess or crack.

Replacing passwords with passkeys will require a huge cultural shift – and significant rework by service providers to support the technology. Given that most users only recognize facial recognition and fingerprint authentication in relation to unlocking their phones, it may take some major retraining to convince them to do the same for their online accounts.

However it plays out, passwords will eventually be retired. Google has sent out an early statement – now they need other providers to follow suit to drive mass adoption.