Google has unveiled a massive update that marks “the beginning of the end” for using passwords to access Gmail accounts.
The web giant has begun rolling out its new password technology, which allows billions of users to log into websites and apps the way they unlock a device – with a fingerprint, face scan or a device PIN that can verify their identity.
The expectation is that the new type of online login will eventually replace passwords, although it will be some time before this happens because the technology is still in its infancy.
Experts say it will allow people to access their new passwordless credentials, or passkeys, across devices.
This saves them from having to log in again to each account on every device, reduces the temptation to use easy-to-guess passwords, and makes the system more secure overall.
The technology has also been rolled out in Apple’s iOS 16 and the latest macOS release, while Microsoft has been offering it through the Authenticator app.
WHAT ARE PASSKEYS AND HOW DO I SET THEM UP?
Passkeys are a new way to sign in to apps and websites.
Tech giants say they are both easier to use and more secure than passwords, so users no longer have to rely on pet names, birthdays or the infamous “password123.”
Instead, people can sign in to apps and sites with a passkey the same way they unlock their devices: with a fingerprint, a face scan, or a screen lock PIN.
Follow the steps below to create one for your Google account:
1. Go to g.co/passwords
2. Enter your password to access your account
3. Click on ‘Create a passkey’
4. Select ‘Continue’ to set one up for the device you are using, or ‘Use another device’ to set one up on a different device
5. Unlock your device as you normally would, for example with your fingerprint, and the passkey will be created
eBay, PayPal and DocuSign already support passkeys, along with a number of other companies.
It was created by the FIDO (Fast Identity Online) Alliance and the World Wide Web Consortium, with Google, Apple, and Microsoft as primary drivers.
The tech giants said the new system will also let people use the fingerprint or face-scan authentication on their smartphone to log into another nearby device, whatever operating system or browser that device uses.
This is a feature already present on Apple devices where someone wearing an Apple Watch can unlock a phone or MacBook.
This reduces the need for people to remember a wide variety of username and password combinations to log into different services, which has often led to passwords being reused across multiple accounts.
Experts have previously warned that this is one of the biggest security risks in the digital world.
Users can create and save a passkey on any compatible device they use, such as iPhones running iOS 16 and Android devices running Android 9.
They can also sync it to devices running a different operating system using services like iCloud or password managers like Dashlane and 1Password.
If at any time you suspect that someone else has access to your account, or if you lose the only device on which a passkey is stored, you can revoke the passkeys in your Google account settings.
The technology works by storing a cryptographic private key on the user’s device, while the corresponding public key is uploaded to Google.
When a user logs in, the service sends a unique, one-time challenge and the device uses the private key to produce a signature over it.
The service then verifies that signature with the stored public key and, if it checks out, grants the user access to their account.
Google never sees the private key or biometric data used, only the generated signature and public key.
The internet giant says this stops attackers from using phishing, SIM swapping and other methods to obtain passwords or to circumvent existing authentication methods.
However, Google emphasizes that users should never create passkeys on a shared device, because anyone who can open and unlock that device will then have access to their Gmail account.
“While passwords will stay with us for a while, they are often frustrating to remember and pose a risk if they get into the wrong hands,” Google said in its announcement.
“Last year we – along with FIDO Alliance, Apple and Microsoft – announced that we would be working to support passkeys on our platform as a simpler and more secure alternative to passwords.
And today we started rolling out passkey support in Google accounts across all major platforms.
“They will be an additional option that people can use to log in, in addition to passwords, 2-Step Verification (2SV), etc.”
Despite the rollout, Jake Moore, Global Cyber Security Advisor at ESET, said we’re still a long way from the end of the password.
But he added that “Microsoft, Google and Apple are at least trying to pave the way to make account access both secure and easy.”
“It’s not something that can be achieved overnight, but it highlights that more needs to be done when it comes to people’s password security.”
Andrew Shikiar, executive director of the FIDO Alliance, said: “We are thrilled with Google’s announcement today as it dramatically changes passkey adoption, both because of the size of Google and the breadth of the actual implementation – which essentially allows every Google account holder to use passkeys.
“I also believe this implementation will serve as a good example for other service providers and will be a tipping point for accelerated passkey adoption.”
FIDO: PASSWORDLESS AUTHENTICATION FOR WEBSITES
Based on free and open standards from the FIDO Alliance, FIDO authentication enables passwordless login through secure and fast sign-in experiences across websites and apps.
The FIDO protocols use standard public key cryptography techniques to provide stronger authentication.
When registering with an online service, the user’s client device creates a new key pair. It retains the private key and registers the public key with the online service.
Authentication is performed by the client device proving possession of that private key by signing a challenge from the service.
The client’s private keys can only be used after they have been unlocked locally on the device by the user.
Local unlocking is achieved through a user-friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device, or pressing a button.
The FIDO protocols were designed from the ground up to protect user privacy.
The protocols do not provide information that different online services could combine to track a user across services. Biometric information, if used, never leaves the user’s device.