In the year since Google started offering passkeys, over 400 million accounts have adopted the password-less login option.
The search giant revealed the stat on World Password Day, an annual event meant to remind people to use strong passwords — or what’s become an antiquated security approach in the tech world. To improve account security, tech giants like Google are urging users to embrace passkeys, a new login method that’s harder for hackers to break and exploit.
One big question is whether users are actually adopting passkeys. In a Thursday blog post, Google says the answer is yes, especially after the company began nudging users to adopt them in October. Passkeys have been used "to authenticate users more than 1 billion times across over 400 million Google Accounts," says Google VP for Security Engineering Heather Adkins.
(Credit: Google)Google currently protects "2.4 billion accounts across 3.4 million apps and sites," Adkins adds. So it sounds like over 16% of the company's user accounts have adopted the passkey option, which is also replacing traditional multi-factor authentication methods for logins.
"In fact, on a daily basis passkeys are already used for authentication on Google Accounts more often than legacy forms of 2SV (two-step verification), such as SMS one-time passwords (OTPs) and app based OTPs (such as Authenticator apps) combined,” Adkins writes.
The company announced the milestone as other companies—including Amazon, Apple, and various password managers—have also rolled out passkey support to their users.
The login method essentially phases out old-school passwords for more of a smartphone-like experience when signing into your accounts: On the surface, a passkey lets you log into a website or app using a fingerprint, facial scan, or by simply typing in a PIN. In the background, a private encryption key on your hardware, whether it be a PC or smartphone, will then unlock access, without exchanging any sensitive login credentials over the internet.
It’s why Google describes passkey technology as “phishing resistant” since the private encryption keys are bound to the user’s device, unlike a traditional password, which can be transmitted over the internet or guessed. In addition, users are spared from having to remember long and unique passwords.
That said, passkeys aren't perfect. Although Google, Apple, and Microsoft all support the technology, passkeys on one platform can’t be easily shared on another. As a result, Apple, Google, and Windows devices need to store and maintain separate passkeys for logins.
Google users can sign up for the passkey option on g.co/passkeys. To expand passkey use, Google is also preparing to offer the login method to users of its Advanced Protection Program (APP), the company’s strongest security offering.
"APP traditionally required using hardware security keys as a second factor; but soon users can enroll in APP with any passkey in addition to their hardware security keys; or use their passkeys as a sole factor or along with a password,” Adkins says. “In a critical election year, we’ll be bringing this feature to our users who need it most.”