Google accelerates shift to passkeys to combat rising cyber threats and scams

Amid a surge in global scams and sophisticated AI-driven cyberattacks, Google is intensifying its push for Gmail users to adopt passkeys, aiming to strengthen authentication and reduce password-related vulnerabilities.

Google is intensifying its push for Gmail users to abandon passwords in favour of passkeys, amid rising global scams and sophisticated AI-driven cyber threats. The company highlights that scams remain a persistent global issue, with transnational criminal groups increasingly targeting users via phishing emails, malicious texts, and fraudulent calls in attempts to steal credentials for financial gain. According to Google, 57% of adults have encountered scams in the past year, and 23% have suffered monetary losses. These escalating dangers come as organised crime syndicates, including Chinese cyber gangs, exploit AI tools to scale and refine their schemes.

Google initially recommended switching from passwords to passkeys in 2023, positioning passkeys as a more secure alternative rather than responding to any specific breach. The company emphasises that passkeys verify account access by confirming possession of and unlocking a user’s device, thereby defending against phishing and risks associated with reused or exposed passwords. Although reports have circulated about large compilations of breached Gmail credentials, such as one listing 394 million unique Gmail addresses, Google urges users to adopt passkeys for stronger protection. The move aligns with similar recommendations from Microsoft, which advises users to eliminate passwords entirely.

Passkeys are now integral to Google’s authentication ecosystem, enabling users to bypass both passwords and two-step verification when signing in. Google has reported a 352% increase in passkey adoption in the past year, driven by the security and convenience they offer. The company also plans to monitor sign-ins that fall back on passwords more closely, aiming to tighten security further. Google accounts serve as a Single Sign-On (SSO) platform for many users, granting access to numerous services, which magnifies the consequences of compromised credentials. Industry data from NordPass reveals that Google powers nine out of ten SSO options on the most visited global websites, while 86% of basic web app attacks exploit stolen credentials. Consequently, Google’s promotion of passkeys addresses a critical vulnerability in online security.

This transition is part of a broader move by Google to establish passkeys as the default sign-in method, announced last October. Passkeys allow users to authenticate using biometrics or a PIN, eliminating the need for traditional passwords and delivering a more user-friendly and phishing-resistant experience. Updates have extended the flexibility of passkeys across a wide range of devices, with Google Password Manager now supporting passkey storage and sync on desktop platforms such as Windows, macOS, Linux, and Android, alongside ChromeOS in beta. These passkeys are safeguarded with end-to-end encryption and an additional PIN on Google Password Manager, making them accessible only to the user.

Security is further reinforced by the encrypted storage of passkeys on devices using hardware-protected encryption keys. This encryption prevents even Google from accessing users’ passkeys directly. Recovery options allow users to regain account access or add new devices by verifying identity through existing device lockscreens or passwords. Google’s Advanced Protection Program has integrated passkeys for high-risk users, reinforcing the company’s commitment to a passwordless future.

The drive towards passkeys responds not only to the increasing scale of cyber threats but also to longstanding challenges around password security. Studies show that poor password habits are often reinforced by websites that fail to enforce strong credential policies, pushing users towards convenience over security. By pioneering passkeys in collaboration with the FIDO Alliance, Google is promoting a standard that offers resistance to phishing and simplifies authentication, offering users a safer, streamlined online experience.

📌 Reference Map:

• ^[1] (Dataconomy) – Paragraphs 1, 2, 3, 4, 5
• ^[2] (Google Blog October 2023) – Paragraph 6
• ^[4] (Google Blog September 2024) – Paragraph 7
• ^[6] (Google Security Blog May 2024) – Paragraph 8
• ^[5] (Google Blog April 2024) – Paragraph 8
• ^[7] (Google Blog May 2023) – Paragraph 9

Source: Fuse Wire Services