Google has declared the “beginning of the end” for passwords, with the rollout of passkeys as an alternative log-in method for Google account holders. Passwords are widely considered to be one of the weakest available online security options, but their ubiquity means they are unlikely to be phased out in the near future, security experts say.

Google rolls out passkey capabilities as a safer alternative to passwords. (Photo by Rawpixel.com/Shutterstock)

But the popularity of biometrics means passkeys and passwords are likely to exist in tandem for some time.

Google passkey rollout marks World Password Day

Google announced the rollout of passkeys to mark World Password Day. Passkeys use biometrics like fingerprints and facial scans to allow users to unlock their device and log in to their applications.

The passkey lives on the local device, and once it is inputted, the application and the operating system will then swap a private key for a sign-in signature behind the scenes. A public key is generated for validation by the operating system and the user is granted access.

This alternative has no credentials, rendering phishing attacks far less effective. It also does not require the user to remember numerous secure passwords to access their apps, something which often leads to people using the same password across multiple platforms.
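As an added illustration (not code from Google or from this article), the sketch below models the sign-in exchange described above and shows why a look-alike site gains nothing reusable: the device signs a fresh challenge together with the origin the browser sees, and the site checks both against the stored public key. It is a simplified model, not the WebAuthn wire format; the function names and the two origins are constructed for the example.

```javascript
// Simplified model of a passkey sign-in; NOT the real WebAuthn wire format.
const nodeCrypto = require("node:crypto");

// Registration: the device creates a key pair for one site. Only the public
// key is sent to the site; the private key stays on the device.
function registerPasskey(origin) {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { device: { privateKey }, serverRecord: { origin, publicKey } };
}

// Site: issue a fresh random challenge for every sign-in attempt.
function newChallenge() {
  return nodeCrypto.randomBytes(32).toString("base64url");
}

// Device: after the local biometric or PIN unlock (not modelled here), sign
// the challenge together with the origin the browser is actually showing.
function signIn(device, challenge, browserOrigin) {
  const clientData = JSON.stringify({ challenge, origin: browserOrigin });
  const signature = nodeCrypto.sign("sha256", Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Site: check challenge, origin and signature against the stored public key.
function verifySignIn(serverRecord, expectedChallenge, assertion) {
  const data = JSON.parse(assertion.clientData);
  if (data.challenge !== expectedChallenge) return "rejected: stale or unknown challenge";
  if (data.origin !== serverRecord.origin) return "rejected: wrong origin";
  const ok = nodeCrypto.verify("sha256", Buffer.from(assertion.clientData),
                               serverRecord.publicKey, assertion.signature);
  return ok ? "accepted" : "rejected: bad signature";
}

function demo() {
  const site = "https://accounts.example";           // constructed origin
  const lookalike = "https://accounts-example.test"; // constructed look-alike
  const { device, serverRecord } = registerPasskey(site);

  const c1 = newChallenge();
  const genuine = verifySignIn(serverRecord, c1, signIn(device, c1, site));

  // A look-alike page relays a real challenge, but the signed data carries
  // the look-alike's own origin, so the real site refuses it.
  const c2 = newChallenge();
  const relayed = verifySignIn(serverRecord, c2, signIn(device, c2, lookalike));

  // A previously captured assertion is useless against a new challenge.
  const replayed = verifySignIn(serverRecord, newChallenge(), signIn(device, c1, site));
  return { genuine, relayed, replayed };
}
```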

Google, along with fellow Big Tech businesses Apple and Microsoft, has joined the Fast Identity Online (FIDO) Alliance to support this, having announced this partnership last year. Password alternatives such as biometrics, passkeys and multi-factor authentication (MFA) have been proven to be safe and popular.

Google has already secured passkey relationships with applications like Docusign, Kayak, Shopify and Yahoo Japan. “This will be available as an option for Google Account users who want to try a passwordless experience,” Google said in a blog post entitled “The beginning of the end for the password”.

How popular are password alternatives?

But users on the whole remain wary of new security technology. Only 25% of respondents to a survey carried out by password management software vendor 1Password earlier this year are familiar with the notion of “passwordless”. Meanwhile, 38% said they need assurance that a new technology is safe before they try it and only 19% have said they will definitely use passkeys when they become available.

That said, 77% of those polled said they would love a more secure way to log into their online accounts, 91% are worried about falling foul of a data breach and one in four have what the report calls a “digital-security-related regret” where they wish they had responded better to a breach or created a better password. 

The more experimental among the users are the ones ready to embrace the new technologies, states 1Password, with 87% of their respondents who regularly use biometrics saying they are open to using passkeys. 

Passwords are here to stay

But ridding the internet of insecure passwords is still a distant dream, says Mark Stockley, cybersecurity evangelist at Malwarebytes. “Passwords have had 60 years to worm their way into almost every computer system on the planet,” he says. “They’re easy for users to understand and use, and easy for organisations to implement.

“Until passkey authentication is widely used, widely understood and easier for developers to implement than passwords, and easy for organisations to support, people will still create products that rely on passwords, which is why the support of the tech giants is so important.” 

Google’s rollout of passkeys as a viable alternative is a massive step towards this wide use, says Anna Pobletts, head of passwordless at 1Password. “Passkeys are the first authentication method that removes human error, delivering security and ease of use,” she says. “With Google turning on passkey support, 1.5 billion people around the world now have the opportunity to adopt passkeys.”

For passkeys to be widely adopted, though, users need the ability to choose where and when they want to use them so they can easily switch between ecosystems. “As we actively work with other FIDO Alliance leaders to eliminate passwords, we’ll inevitably remove one of the phishers’ biggest rewards – credentials. This is a tipping point for passkeys and making the online world safe,” Pobletts adds.

Getting rid of passwords entirely would, in theory, make the cyber landscape much safer, says Andrea Napoli, product manager for EMEA at security vendor Cato Networks. But he also doesn’t expect such a scenario to materialise any time soon.

“While biometric authentication methods such as fingerprint scanning, facial recognition, and iris scanning are becoming more widespread and MFA systems are increasingly common, passwords are still used widely because they are familiar, easy to implement, and relatively secure when used correctly,” Napoli says. New authentication technologies that have the capability of replacing passwords will definitely appear in the near future, he says, but any such technology would need to be highly secure and user-friendly to gain widespread adoption.
