Why passkeys might be the solution

Password-based authentication is vulnerable to phishing attacks


Google recently introduced a password replacement method called ‘passkeys’ for its personal account holders. A passkey allows authentication with fingerprint ID, facial ID or PIN on the device rather than the user ID-password combination. Google is nudging people to convert their traditional username and password login to a passkey, as it is safer and more convenient.

Password-based authentication, which has long been standard across computing, is vulnerable to phishing attacks. A passkey, by contrast, is designed to address phishing attacks by relying on a model that uses cryptographic keys stored on your devices for authentication. The three most prominent OS makers (Microsoft, Google, and Apple) are part of the industry association known as the FIDO Alliance, which has been promoting passkeys.
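Why device-held keys blunt phishing, as an added sketch that is not from the original article or from Google: the device signs a one-time challenge together with the origin the browser reports, and the site accepts the result only if the signature, origin and challenge all check out. The `Device` and `Site` classes, the origins and the JSON layout are constructed for illustration; this is a simplified model using ECDSA P-256, not the WebAuthn message format.

```javascript
// Added illustration: simplified model of passkey sign-in (assumed names, not WebAuthn wire format).
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

// The user's device: holds one private key per site; the key never leaves it.
class Device {
  constructor() { this.passkeys = new Map(); }
  createPasskey(origin) {
    const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.passkeys.set(origin, privateKey);
    return publicKey; // only the public half is sent to the site
  }
  // `origin` is what the browser reports for the page, not what the page claims.
  signIn(origin, challenge) {
    const privateKey = this.passkeys.get(origin);
    if (!privateKey) return null; // no passkey for this origin: nothing to hand over
    const data = Buffer.from(JSON.stringify({ origin, challenge }));
    return { data, signature: sign('sha256', data, privateKey) };
  }
}

// The site: stores the public key and checks signature, origin and challenge.
class Site {
  constructor(origin) { this.origin = origin; this.publicKey = null; this.pending = null; }
  newChallenge() { this.pending = randomBytes(32).toString('hex'); return this.pending; }
  verifySignIn(assertion) {
    const expected = this.pending;
    this.pending = null; // each challenge is single use
    if (!assertion || !expected) return false;
    if (!verify('sha256', assertion.data, this.publicKey, assertion.signature)) return false;
    const { origin, challenge } = JSON.parse(assertion.data.toString());
    return origin === this.origin && challenge === expected;
  }
}

function demo() {
  const device = new Device();
  const site = new Site('https://accounts.example');   // constructed origin
  site.publicKey = device.createPasskey(site.origin);
  const lookalike = 'https://accounts-example.test';   // constructed look-alike origin
  const good = device.signIn(site.origin, site.newChallenge());
  const legitimate = site.verifySignIn(good);
  // A look-alike page relays a fresh challenge from the real site.
  const relayed = device.signIn(lookalike, site.newChallenge());
  const phished = site.verifySignIn(relayed);
  // Re-sending a captured assertion fails: the challenge has changed.
  site.newChallenge();
  const replayed = site.verifySignIn(good);
  return { legitimate, relayedIsNull: relayed === null, phished, replayed };
}
```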

To create the passkey for your Google account, go to g.co/passkeys, log in with your username and password, and then click “+ Create a passkey”. You should do it on a personal device that only you control. Passkeys can sync between your devices through end-to-end encrypted services like Google Password Manager and iCloud Keychain. Or you can set up passkeys on multiple devices by generating a QR code on a device that’s logged in to your Google account.

All your Google account passkeys are listed on the “Passkey Management Page,” where you can manage them. You can store a passkey for your account on the device of someone you trust as a recovery option. And you can still use someone else’s device to temporarily gain access to your Google account by creating a one-time sign-in.