Google is the latest tech company to expand support for passwordless authentication by rolling out passkeys for users. Google’s implementation will let users use biometric authentication to access their Google Accounts without first requiring a username and password, or a form of multi-factor authentication.
Passkeys are private cryptographic keys based on the FIDO Alliance FIDO2 spec, which implements the World Wide Web Consortium’s (W3C) Webauthn standard. Google’s rollout comes one year after it committed to implementing the FIDO Alliance’s passwordless specification. Passkey support for Android and the Chrome browser allowed users to authenticate to websites that supported passkeys, such as Best Buy, CVS Health, Kayak, Shopify, Paypal and Yahoo! Japan. But it wasn’t until this latest update that users could use passkeys with Google’s own online services, including Gmail.
“We want the world to move away from passwords to passkeys,” Google’s Identity and Security product manager Christiaan Brand said during a session at last week’s RSA Conference in San Francisco. “We are literally at the point where mass transitioning away from passwords to passkeys can start to happen.”
Apple was the first of the big three – Apple, Google, Microsoft – to implement passkey support in its products when it added the capability to iOS 16 for iPhones and iPads. Support for passkey authentication in macOS Ventura and Apple’s Safari browser came a few months later. However, Apple doesn’t yet support authentication to its app store or other online services with passkeys.
Microsoft has promised passkey synchronization with Windows this year, though company officials haven’t said when or in what form it will arrive. At the moment, Apple is the only platform provider that enables the synchronization of passkeys across its different client environments -- iOS, macOS and Safari devices via iCloud Keychain.
Slow But Steady Adoption
Experts say it will be years before passkeys become a mainstream form of authentication replacing passwords and MFA. Andrew Shikiar, executive director of the FIDO Alliance, said he is pleased with the progress during the past year.
“We’re seeing good early adoption,” Shikiar said, speaking during “The State of Authentication 2023: The Global Progress Past Passwords” breakout event last week in San Francisco. “The fact of the matter is, passwords are an outdated way of doing user authentication that leads to all sorts of problems.”
Among those problems, he said, were fraud, phishing, and account takeovers, and it also leads to opportunity cost, [such as] shopping cart abandonment. According to a survey fielded by the FIDO Alliance, 60% of consumers abandoned shopping carts because they forgot their passwords.
The FIDO Alliance released the results of its latest survey in a report posted on Thursday, May 4, which showed that end users are more open to using passkeys than last fall. According to the report, 57% of U.S. consumers would like to use passkeys to replace passwords, compared with 39% last October.
The survey also showed that about 65% of those who prefer biometrics to authenticate would like to use passkeys. Among those still prefer passwords, 45% expressed interest in using a passkey. “This is another clear signal telling us that consumers want less friction and greater ease of signing into their online accounts,” Shikiar noted in a blog post.
Password Managers Are On Board
On the surface, ubiquitous integration of passkeys would obviate the need for password managers and single sign-on providers. But companies such as 1Password, Dashlane and Okta are all active board members and contributors to the FIDO Alliance.
1Password said it plans to release a beta version of its password manager with an extension that supports passkeys next month. Jeff Shiner, 1Password’s CEO, believes Google’s latest move will boost the use of passkeys. “We have been waiting for one of the big players like a Google or YouTube to come along and be the tipping point,” Shiner tells Dark Reading.
Dashlane offers a passkey extension to its password manager.
Okta last fall announced it would release passkeys by the end of the second quarter for its newly branded Customer Identity Cloud for Consumer Apps. “We are very bullish about it,” said Okta principal architect Vittorio Bertocci. “As soon as passkeys came out, we made them available in our lab environment, and I think we will end up being among the first to have a viable, sophisticated offering for developers.”