  • Should you protect your Google Account with a passkey instead of a password?

    alf9872000

    • 4 comments
    • 356 views
    • 5 minutes

    Last week, Google unlocked the ability to create passkeys to protect Google Accounts and to switch to using passkeys instead of passwords for protection. The question that Google customers may have is whether they should take the plunge and start using passkeys instead of the account password, or if they should wait a bit longer before they consider doing so.

     

    This guide explains the benefits and disadvantages of both authentication options so that all Google customers can make an educated decision.

    Protecting your Google Account with a password


     

    Passwords are the dominant authentication option today. Users are allowed to select the passwords that they want to use, and while there are usually some limitations, such as a minimum length or certain character requirements, users are free when it comes to selecting a password.

     

    This freedom is both one of the greatest strengths of passwords and one of their biggest issues. Easy-to-remember passwords are usually not secure, while hard-to-remember passwords are secure but not practicable unless a password manager is used. There is also password reuse, the use of the same password at multiple services, and attacks that try to steal passwords or use brute-force methods to reveal them.

     

    Passwords, or their hashes, are stored by the service, as this is the only way to verify them when they are entered by the user during the login process.

     

    Companies have started to implement two-factor authentication options to improve security. A second code needs to be provided by the user to gain access to the account. Codes may be created using apps or may be sent to users via email or messages.

    While two-factor authentication improves the security of accounts, it makes things complicated for the user as it adds another step to the login process.

    Protecting your Google Account with Passkeys


     

    Passkeys are a passwordless authentication standard. Passkeys are created automatically on the user's device during setup and some of the information never leaves the device.

     

    Sign-ins to services and apps require confirmation by the user; this is done using the device's PIN or other means, including biometrics. A password is never used, and all forms of verification happen locally.

     

    The entire process of signing in to accounts is fast and it does not require a second verification step anymore. One of the main benefits of passkeys is that they render attacks against passwords useless. Phishing, brute forcing or server break-ins can't be used anymore to uncover passwords, as these are neither entered nor stored remotely.
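
The sign-in flow described above, reduced to its core as an added example (not code from the article or from Google): the device keeps a private key, the service stores only the public key, and each sign-in signs a fresh challenge together with the site's origin. This is a simplified model, not the WebAuthn wire format; the function names, the user `alice` and both origins are constructed for illustration.

```javascript
const crypto = require('crypto');

// Device side: the key pair is generated locally; the private key stays on the device.
function createPasskey() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Service side: only the public key is stored for the account.
function register(db, user, passkey) {
  db.set(user, passkey.publicKey.export({ type: 'spki', format: 'pem' }));
}

// Service side: a fresh random challenge for every sign-in attempt.
function newChallenge() {
  return crypto.randomBytes(32).toString('hex');
}

// Device side: after local user verification (PIN or biometrics, not modelled here),
// sign the challenge together with the origin the browser is actually on.
function signAssertion(passkey, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), passkey.privateKey);
  return { clientData, signature };
}

// Service side: check challenge, origin and signature against the stored public key.
function verifyAssertion(db, user, challenge, origin, assertion) {
  const publicKeyPem = db.get(user);
  if (!publicKeyPem) return false;
  const data = JSON.parse(assertion.clientData);
  if (data.challenge !== challenge || data.origin !== origin) return false;
  return crypto.verify('sha256', Buffer.from(assertion.clientData), publicKeyPem, assertion.signature);
}

function demo() {
  const site = 'https://accounts.example';           // constructed origin
  const lookalike = 'https://accounts-example.test'; // constructed look-alike origin
  const db = new Map();
  const passkey = createPasskey();
  register(db, 'alice', passkey);
  const challenge = newChallenge();
  const genuine = signAssertion(passkey, challenge, site);
  const relayed = signAssertion(passkey, challenge, lookalike);
  return {
    genuine: verifyAssertion(db, 'alice', challenge, site, genuine),
    relayedFromLookalike: verifyAssertion(db, 'alice', challenge, site, relayed),
    replayed: verifyAssertion(db, 'alice', newChallenge(), site, genuine),
    serverHoldsPrivateKey: [...db.values()].some((v) => v.includes('PRIVATE KEY')),
  };
}
```

Only the genuine sign-in verifies: a response produced on the look-alike origin and a response replayed against a new challenge are both rejected, and the service's database contains nothing that could be used to sign in.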

     

    There are a few downsides as well. Support may be limited to certain operating system versions, web browsers or applications. Google passkeys, for example, require Windows 10 or higher, macOS Ventura, Chrome OS, iOS 16 or Android 9 on the operating system side. Browser support is limited to Chrome 109 or newer, Microsoft Edge 109 or newer, and Safari 16 or newer officially.

     

    Other browsers may work also, including Firefox, but these are not supported officially.

     

    The second issue is that passkeys are device specific. While syncing is possible in theory, most services and apps do not support this yet. Google account passkeys are device-specific, which means that you need to create them on any device that you use to totally switch from using passwords to passkeys.

     

    The Google account password is not removed, however.

    Passwords or Passkeys?

    Some Google users may not be able to use passkeys at all or only on some devices, because of the requirements.

     

    Protecting the Google account with a passkey improves security in several ways, and it is the upcoming standard that many online services will switch to.

     

    Most Google users benefit from switching to passkeys. Some may want to wait until syncing becomes available, especially if they use lots of devices.

     

    A Google password may still (need to) be used, for instance on devices that don't support passkeys or on public machines.

     

    Most Google customers may need to juggle between using passwords and passkeys for a while because of that.

     

    Secure passwords along with two-factor authentication, a good password manager, and the use of common sense protect the Google account sufficiently. Passkeys are an upcoming standard which promises to do even better, but it is in its early stages at this point.

     

    There is no definitive answer at this point. Google customers who use a single device are in the best position to switch to using passkeys. Those with multiple devices, browsers and maybe even accounts less so.

     

    Most password managers do not support passkeys yet, but many will introduce support in the coming months and years. NordPass, Dashlane, Bitwarden, 1Password and even LastPass have added support for passwordless authentication or are about to.

    Support may vary, as some services added support for the password management service itself, while others plan to add options to store password data of other accounts using the password manager.

     

    Source


    User Feedback

    Recommended Comments

    Let's say everything is now using passkeys.  I'm on vacation.  I drop my phone in a river.  I buy a new phone.  How do I log into my accounts?  I am away from home and can't get to other devices.  I can't even access my plane ticket to get back home.  At least with passwords, I can remember enough of them to get going again.



    @charlien
    Well, it's not quite like that, but anyone not any more better protected either. Rather less protected, even these passkeys can be stolen because they can be stored.
    But we can rejoice in the fact that in recent years the number of idiocies has begun to rise at an alarming rate. 
    So, there is a lot of joy.

    Edited by Kalju


    @Kalju

    How is it not like that for the scenario I described?  I lose my phone.  I am not close to any other means of accessing stored passkeys.

     

    I use 1Password for passwords and they are about to roll out passkey storage very soon.  I talked with a member of their passkey team a few months ago, and he agreed that in my scenario, things would be difficult.  He felt that the various issuers of passkeys would have alternate methods to gain access.  I can't even regain access to 1Password because I need a secret code that is on a PDF safely stored at home.

     

    But again, I can't access email without a passkey.  I probably have a new phone number because I have a replacement phone.  They can't email the address on file because I can't access it.  They can't text the number on file because I can't access it.  How do I recover at least in the short term?



    Agree. 

    I'm not saying that it can cause a lot of problems for the average user, and it's probably the case that you'll never be able to access your account again, but that's the case also now if to use a regular password and two-factor authentication. But in real life, neither of them are of any use, because no hacker needs any password or code. Therefore, the security increases only in the sense that a normal user can no longer access his account, only hackers have access.

    So I agree, it's absolutely pointless nonsense what they do.




