Originally posted on The Verge.
Your Google account now supports passkeys to replace your password and 2FA.
Google’s next step into a passwordless future is here with the announcement that passkeys — a new cryptographic key solution that requires a preauthenticated device — are coming to Google accounts on all major platforms. Starting today, Google users can switch to passkeys and ditch their passwords and two-step verification codes entirely when signing in.
Passkeys are a safer, more convenient alternative to passwords being pushed by Google, Apple, Microsoft, and other tech companies aligned with the FIDO Alliance. They can replace traditional passwords and other sign-in systems like 2FA or SMS verification with a local PIN or a device’s own biometric authentication — such as a fingerprint or Face ID. This biometric data isn’t shared with Google (or any other third party), and passkeys only exist on your devices, which provides greater security and protection since there’s no password that could be stolen in a phishing attack.
Google accounts will request your passkey to sign in or verify your identity when it detects sensitive activity
When you add a passkey to a Google account, the platform will start prompting for it when you sign in or when it detects potentially suspicious activity that requires additional verification. Passkeys for Google accounts are stored on any compatible hardware — such as iPhones running iOS 16 and Android devices running Android 9 — and can be shared to other devices from the OS using services like iCloud or password managers like Dashlane and 1Password (expected to arrive in “early 2023”).
You can still use someone else’s device to temporarily gain access to your Google account. Selecting the “use a passkey from another device” option creates a one-time sign-in and won’t transfer the passkey over to the new hardware. As Google notes, you should never create passkeys on a shared device because anyone who can access and unlock that device would be able to access your Google account.
Users can immediately revoke passkeys in the Google account settings if they suspect that someone else can access the account or if they lose the only device that stored the passkey. Google says that users enrolled in its Advanced Protection Program, a free service that provides additional security protections against phishing and malicious apps, can choose to use passkeys in lieu of their usual physical security keys.