Shortly after last month’s announcement, Google has rolled out PassKeys for Google Accounts, bringing support for passwordless sign-in.
Google Account PassKeys Arrive For Passwordless Logins
According to a recent blog post from Christiaan Brand, Google’s Group Product Manager, and Sriram Karra, Senior Product Manager, the tech giant has now introduced passwordless authentication.
Dubbed “PassKeys”, the new feature enables users to sign in to their accounts without typing passwords. The rollout arrived just around “World Password Day” (celebrated every year on the first Thursday of May).
Google’s PassKeys is a passwordless authentication feature that will also work alongside regular passwords as 2FA. The tech giant claims that the technology behind this feature is resistant to phishing and similar attacks, and is more secure than OTPs.
Users can enable this feature via their Google Account settings, and Google Workspace admins will soon be able to enable Passkeys for their end users as well.
Are Passkeys Secure Enough?
Passwordless authentication has long been advocated. It drew attention worldwide when the World Economic Forum (WEF) stressed using this authentication strategy at the beginning of the COVID-19 pandemic.
Yet experts suspect that features like PassKeys have some inherent issues that contradict the true concept of passwordless sign-in and undermine the account security it is meant to deliver.
In a related discussion with LHN, Rob Griffin, CEO of MIRACL, shared his thoughts:
“It has long been recognised that passwords are outdated and not secure enough for the needs of a modern business, so the move from Google to cut passwords can only be a good thing. If leading tech companies embrace a passwordless future it will make life significantly harder for the cybercriminals, and safer for businesses and individuals everywhere.”
Nonetheless, he also highlighted two main issues that take some of the shine off PassKeys.
First, Passkeys are really a cloud-based password manager and we have seen from LastPass that password managers are inherently flawed. It is notable that there is no word on how the Passkeys are secured and why a cloud-based single repository of highly valuable credentials should be considered so much more secure.
Second, going passwordless alone is absolutely not enough. Pretty much everyone has had an account of theirs hacked, many of us multiple times. This is because dependency on a single factor alone leaves us tragically vulnerable.
With passwordless authentication apps like DUO and MIRACL available, the idea of using PassKeys as 2FA may be absurd.
As we shift technology away from passwords, we should be adopting technology that provides for passwordless multi-factor authentication. Here is where Passkeys fall short because essentially you can’t have your cake and eat it. Either you use them to get rid of passwords or you retain your password and all the grief that entails and use Passkeys as a layer on top. Not good enough!
Google has, for now, rolled out PassKeys as a 2FA method that works in tandem with regular passwords. The firm justifies this by explaining that it will take time for users to go passwordless with PassKeys.
It remains unclear whether PassKeys is the passwordless authentication Google aimed for or whether the tech giant has something else in the works.
Nonetheless, given the huge user base of Google Account and Google Workspace, the move is welcome, as we expect more non-technical consumers to realize the need for secure sign-in methods. It will take time to see where PassKeys leads.