Google Announces Passkeys Adopted by Over 400 Million Accounts

Google on Thursday announced that passkeys are being used by over 400 million Google accounts, authenticating users more than 1 billion times over the past two years.

“Passkeys are easy to use and phishing resistant, only relying on a fingerprint, face scan or a pin making them 50% faster than passwords,” Heather Adkins, vice president of security engineering at Google, said.

The search giant notes that passkeys are already used for authentication on Google Accounts more often than legacy forms of two-factor authentication, such as SMS one-time passwords (OTPs) and app based OTPs combined.

In addition, the company said it’s expanding Cross-Account Protection, which alerts of suspicious events with third-party apps and services connected to a user’s Google Account, to include more apps and services.

Google is also expected to support the use of passkeys for high-risk users as part of its Advanced Protection Program (APP), which aims to safeguard people from targeted attacks because of who they are and what they do. This includes campaign workers and candidates, journalists, and human rights activists, among others.

While APP previously required using hardware security keys as a second factor, it will now allow enrollment with any passkey along with the hardware security keys, or use them as the only means of authentication.

Google added passkeys to Chrome in December 2022 and has since rolled out the passwordless authentication solution across Google Accounts on all platforms by default.

1Password, Amazon, Apple, Dashlane, Docusign, eBay, Kayak, Microsoft, PayPal, Shopify, Uber, and WhatsApp are some of the other prominent companies that have adopted passkeys.

The development comes on the same day Microsoft, which integrated passkeys in Windows 11 in September 2023, announced its plans to support the authentication standard for consumer accounts using biometrics or device PIN on Windows, Google, and Apple platforms.

Passkeys work by creating a cryptographic key pair, a private key that’s stored on the device and a public key that’s shared with the app or website for which the passkey will be used with.

“Because this key pair combination is unique, your passkey will only work on the website or app you created it for, so you can’t be tricked into signing in to a malicious look-alike website,” Microsoft’s Vasu Jakkal said.

Passkeys can also be stored on third-party password management solutions like 1Password and Dashlane, giving users more control over where they can be stored beyond Google Password Manager, iCloud Keychain, and Windows.

“Passkeys can act as a first- and second-factor, simultaneously,” Google product managers Sriram Karra and Christiaan Brand said. “By creating a passkey on your security key, you can skip entering your password. This replaces your remotely stored password with the PIN you used to unlock your security key, which improves user security.”

However, concerns are also being raised that passkeys are being used by companies as a way to “capture users and audiences into a platform” and that “corporate interests have overruled good user experience once again.”

“What better way to encourage long term entrapment of users then by locking all their credentials into your platform, and even better, credentials that can’t be extracted or exported in any capacity,” William Brown, a software engineer involved in the development of webauthn-rs, said.