Passkeys becoming a safe alternative to passwords: Google vice president

Functionality will be available for general users of company's app store and browser later this year

Move over, passwords. Passkeys are a safer alternative. They provide better protection against phishing attacks, said Google’s Vice-President Parisa Tabriz on Thursday.

The technology giant recently introduced the passkey feature for the Android operating system and the popular web browser Google Chrome. The new functionality was launched for members of Google Play Services Beta and Chrome Canary, while it will be available to general users later this year, the company had said on October 12.

A passkey is a digital credential, linked with the user account and a website or application (app). It allows users to authenticate without entering a username, password, or providing any additional authentication factor. The technology aims at replacing legacy authentication mechanisms such as passwords.

Users can create and use passkeys on Android devices, which are securely synced through the Google Password Manager. Developers can build passkey support on their sites for end-users using Chrome via

Web Authentication API (also known as WebAuthn) — a web standard published by the World Wide Web Consortium — on Android and other supported platforms.

Passkeys work across different platforms and browsers, including Windows, macOS and iOS, and ChromeOS, with a uniform user experience.

Tabriz, who heads engineering, product, and design at Google Chrome, said passkeys could bring a safer alternative to passwords as they cannot be reused, do not leak in server breaches, and protect users from phishing attacks.

She added that nearly half the workers spend the greater part of their work day on browser-based software apps, making it crucial to protect browsers.

“More than 5 billion devices are automatically protected by Google Safe Browsing worldwide. We are also providing APIs for helping other browsers protect their users.”

Passkeys are built on industry standards and work across different operating systems (OS) and browser ecosystems, and can be used for both websites and apps.

Tabriz said the autofill password, along with existing device screen locks, such as the fingerprint to confirm login, may significantly bring down the number of phishing incidents.

“Some of what we are building in Chrome is autofill the password. We still have ways to grow, but we have improved the autofilled features. We have also recently launched virtual credit numbers, which replace the physical card number with a unique virtual card number for protecting online payments,” said Tabriz.

She said cybersecurity threats, including phishing attacks, were rising in recent times, since the beginning of the Russia-Ukraine conflict.

“Google has also introduced a free defence programme called Project Shield, under which over 200 Ukrainian websites have been protected from denial-of-service attacks. Global ransomware damages are expected to exceed $30 billion by 2023. Asia is one of the worst-impacted regions with 26 per cent of global attacks directed towards Asia,” said Tabriz.

Google has also introduced the Chrome vulnerability reward programme to find security bugs present in its system. More than 500 security-related bugs have been reported as of now, while 696 researchers have received rewards worth $8.7 million for finding out vulnerabilities.

“We cannot completely eliminate bugs from our systems, but we continuously reduce them as we launch the newer version of Chrome,” added Tabriz.

Why Passkeys score 

• A password uses a string of characters for identification, while passkeys are built on the Web Authentication standard, which uses public-key cryptography
• Instead of creating a password for an account, the device creates a unique pair of mathematically related public and private keys
• With passkeys, users can identify themselves using fingerprint or facial recognition – or a PIN or swipe pattern
• The passkeys are generated by the device – and not users – securely and uniquely, for every account
• The public key is stored on the server and allows the website or app to verify your account after receiving a matching private key
• Unlike passwords, users do not need to remember passkeys
• Passkeys offer a single implementation for a passwordless experience across different platforms