Google launches 1B passkey authentications and new security updates

Google LLC today announced new updates on passkey and cross-account protection, along with sharing some metrics about where passkeys stand in terms of uptake and adoption.

Passkeys are a phishing-resistant authentication method that allows users to log in securely using services such as fingerprints, face scans or PINs as an alternative to traditional passwords. As passkeys use biometric authentication or a device PIN, they provide a more secure and convenient login method that does not involve memorizing traditional text-based passwords.

Google introduced passkey support for developers of Android and Chrome in 2022, and a year later it started prompting users to set up a passkey by default. The key to passkeys is that they are more secure than passwords because they’re not human-readable, so they cannot be stolen through phishing attacks.

For the first time today, Google has revealed that passkeys have now been used to authenticate users more than 1 billion times across over 400 million Google accounts, with the majority of users saying that using passkeys is easier and safer than passwords.

Since launching support for passkeys in 2022, Google has also seen its list of partners grow: Amazon.com Inc., 1Password Inc., Dashlane Inc., Docusign Inc., Kayak Software Corp., Mercari Inc. and Shopify Inc. have rolled out Passkey support in the last 12 months, joining early adopters eBay Inc., Uber Technologies Inc., PayPal Holdings Inc. and WhatsApp LLC. The adoption by password manager vendors such as 1Password and Dashlane is noted as a milestone in ongoing efforts to realize a central design goal to give users control over how to store and manage their passkeys across platforms.

With the adoption of passkeys going well, Google announced that it’s expanding the use of passkeys to its Advanced Protection Program. The APP was launched in 2019 and designed to protect the Google accounts of individuals who are likely to be on attackers’ hit lists, including information technology administrators, company executives and employees in “security-sensitive” industries such as finance or government.

Until now, APP enrollment has required the use of hardware security keys as a second factor, but soon, users will gain the option to enroll with any passkey in addition to using their hardware security keys. APP users will also have the choice to use their passkeys as a sole factor or along with a password. Google claims that the expanded passkey support will help reduce the barrier of entry to the APP while still providing phishing-resistant authentication.

Google also announced that it’s expanding Cross-Account Protection with additional collaborations across the industry. Also launched in 2019, Cross Account Protection was designed to provide better protection for Google users against hackers, including mitigating the amount of harm attackers can do if they somehow get access to a Google account.

With the expansion, Google will share security notifications about suspicious events on a user’s Google account with the non-Google apps and services they use. Doing so will allow other apps and services connected to a Google Account to use its security information to better protect accounts.

The benefits of sharing the data are critical, according to Google, since cybercriminals often use an initial entry point as a foothold to gain access to additional, linked accounts. Cross-Account Protection is based on the industry standard Shared Signals Framework.

Photo: Bored Panda