In an exciting development, Google has revealed that passkeys, a passwordless authentication solution, are now being utilized by more than 400 million Google accounts. Over the past two years, these passkeys have authenticated users more than 1 billion times, marking a significant shift in the way people access their accounts.

Passkeys offer several advantages over traditional passwords. According to Heather Adkins, Vice President of Security Engineering at Google, passkeys are not only easy to use, but also phishing resistant. They rely on biometric authentication, such as fingerprints, face scans, or PINs, making them 50% faster than standard passwords.

Interestingly, passkeys have become the preferred method of authentication for Google Accounts, surpassing other legacy forms of two-factor authentication like SMS one-time passwords (OTPs) and app-based OTPs combined. This highlights the increasing popularity and efficiency of passkeys as a secure authentication method.

Additionally, Google has announced its plans to expand Cross-Account Protection, a feature that alerts users about suspicious activities related to third-party apps and services connected to their Google Account. This expansion is aimed at covering a wider range of apps and services, ensuring enhanced security for users.

Moreover, Google intends to extend passkey support to high-risk users as part of its Advanced Protection Program (APP). This program is designed to safeguard individuals from targeted attacks based on their profession or activities. Notable beneficiaries of this enhanced protection include campaign workers, journalists, human rights activists, and other potentially vulnerable individuals.

Previously, the Advanced Protection Program required the use of hardware security keys as a second factor for authentication. However, with the introduction of passkeys, users can now enroll with any passkey in combination with or without hardware security keys.

Google first introduced passkeys to its Chrome browser in December 2022 and has since expanded the passwordless authentication solution across all platforms for Google Accounts by default. Several other prominent companies, including 1Password, Amazon, Apple, Dashlane, Docusign, eBay, Kayak, Microsoft, PayPal, Shopify, Uber, and WhatsApp, have also adopted passkeys.

In a related announcement, Microsoft revealed its plans to support passkeys for consumer accounts on Windows, Google, and Apple platforms. Microsoft integrated passkeys into Windows 11 in September 2023 and will now allow authentication using biometrics or device PINs.

Passkeys work by creating a unique cryptographic key pair, with a private key stored on the device and a public key shared with the app or website for which the passkey will be used. This ensures that the passkey can only be used for the intended website or app, protecting users from potential phishing attempts.

Notwithstanding the positive reception of passkeys, concerns have been raised about their use by companies as a means to lock users into their platforms. Critics argue that this could limit user freedom and control over their credentials. William Brown, a software engineer involved in the development of webauthn-rs, expressed concerns over corporate interests overshadowing user experience.

With the increasing adoption of passkeys as a passwordless authentication solution, Google aims to provide a secure and convenient way for users to access their accounts while mitigating the risks associated with traditional passwords. As more users benefit from the ease and security of passkeys, their role in authentication methods is expected to grow further in the coming years.