Google Brings Passkeys to Chrome and Android

Highlights:

• The development comes close after Apple and Microsoft made commitments to add more support for the establishment of standards for passwordless sign-in set by the FIDO Alliance and World Wide Web Consortium.
• SpyCloud says that after examining 1.7 billion combinations of usernames and passwords, the company found that 64% of people use the same password exposed in one breach for other accounts.

Security based on passwords is an oxymoron. Since more than 15 billion credentials have been leaked on the dark web and 54% of security incidents are caused due to credential theft, passwords aren’t a good way to keep the threat actors at bay.

The widespread exploitability of passwords has compelled many companies, including Google, Microsoft, Okta, and LastPass, to move toward passwordless authentication methods as part of the FIDO alliance.

In line with this vision of a world without passwords, Google announced that it would add passkeys to Chrome and Android. With this, users can create and use passkeys to sign into their Android devices. They can also save passkeys on their phones and computers and use them to sign in without a password.

For businesses, the establishment of passkeys to the Chrome and Android ecosystem will make it harder for hackers to get into their systems.

Using passkeys to stop the theft of IDs

The development comes close after Apple and Microsoft made commitments to add more support for the establishment of standards for passwordless sign-in being set by the FIDO Alliance and World Wide Web Consortium.

This move toward authentication without a password shows that security based on passwords is fundamentally ineffective. As users have to remember passwords for dozens of online accounts, credentials reuse is unavoidable.

SpyCloud says that after examining 1.7 billion combinations of usernames and passwords, the company found that 64% of people use the same password exposed in one breach for other accounts. Getting rid of passwords completely makes it less likely that your credentials will be stolen, making social engineering attempts less effective.

In the announcement blog post, Diego Zavala, a product manager for Android, and Christian Brand, a product manager for Google, Ali Naddaf, a software engineer for Identity Ecosystems, and Ken Buchanan, a software engineer for Chrome, said that “passkeys are a significantly safer replacement for passwords and other phishable authentication factors.”

The post said, “[Passkeys] remove the risks associated with password reuse and account database breaches and protect users from phishing attacks. Passkeys are built on industry standards and work across different operating systems and browser ecosystems and can be used for both websites and apps.”

It’s noteworthy that users can back up and sync their passkeys to the cloud, so they won’t be locked out if they lose their device. Google also said that it would allow developers to add passkey support on the web through Chrome and the WebAuthn API.

The passwordless authentication industry

With social engineering and phishing threats dominating the security landscape, there is a growing interest in passwordless authentication solutions. Researchers forecast that the market for passwordless authentication will increase from USD 12.79 billion in 2021 to USD 53.64 billion by 2030.

As the demand for passwordless authentication increases, more service providers are experimenting with reducing their reliance on passwords. For example, Apple now supports passkeys so that users can log in to apps and websites via Face ID or Touch ID, without a password, on iOS 16 and macOS Ventura devices.

On the other hand, Microsoft is concurrently exploring its passwordless authentication options – Windows Hello for Business (biometric and PIN) and Microsoft Authenticator are examples (biometric touch, face, or PIN). Both provide enterprises with passwordless user authentication options that integrate with popular applications such as Azure Active Directory.

As it is being adopted vastly, suppliers will be faced with the growing pressure to offer increasingly accessible passwordless authentication methods or risk falling behind.