Google is promoting a change in the way users access their Gmail accounts: gradually replacing traditional passwords with passkeys and implementing a new QR code-based system.
This change would help reduce the risk of phishing and identity theft attacks, problems that have affected millions of users worldwide and have recently been on the rise. For example, the Badbox 2.0 botnet recently made the news after it reportedly took control of over a million Android devices worldwide.
Why Google is betting on passkeys
Passwords have been the standard method for authenticating users online almost since the internet arrived. However, passwords have significant weaknesses: they can be stolen, guessed, or reused across multiple accounts. So, when a data breach happens, accounts are left exposed to large-scale cyberattacks.
Aware of these risks, Google has decided to make passkeys the primary option for accessing Gmail, YouTube, Google Maps, and other company services.
Passkeys rely on advanced cryptographic technology and are stored directly on personal devices. Instead of typing a password, users can authenticate using their fingerprint, facial recognition, or their phone’s screen lock. This method reduces to almost zero the possibility of cybercriminals intercepting credentials through deception or hacking.
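The phishing resistance described above comes from tying each sign-in to the genuine site. The following is an added example, not code from Google or from this article: a simplified sketch of the binding checks a FIDO2/WebAuthn server applies to a passkey sign-in response. The host names and sample responses are constructed placeholders, and verification of the passkey's signature, which a real server must also perform, is not shown.

```python
import base64
import hashlib
import json

RP_ID = "accounts.example.com"           # assumed relying-party ID (placeholder)
ORIGIN = "https://accounts.example.com"  # assumed expected origin (placeholder)

def b64url(data: bytes) -> str:
    """WebAuthn encodes the challenge as base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> list:
    """Return the names of the failed binding checks (empty list means all passed)."""
    errors = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        errors.append("type")
    if cd.get("challenge") != b64url(challenge):   # must be the challenge this server issued
        errors.append("challenge")
    if cd.get("origin") != ORIGIN:                 # the browser records the page's real origin
        errors.append("origin")
    if len(auth_data) < 37:                        # 32-byte rpIdHash + flags + 4-byte counter
        return errors + ["authData too short"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        errors.append("rpIdHash")                  # credential was used for another site
    flags = auth_data[32]
    if not flags & 0x01:
        errors.append("user-present")
    if not flags & 0x04:                           # biometric / PIN / screen lock was checked
        errors.append("user-verified")
    return errors

def build_sample(origin: str, rp_id: str, challenge: bytes, flags: int = 0x05):
    """Constructed sample of the data a browser and authenticator return on sign-in."""
    cd = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                     "origin": origin}).encode()
    ad = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")
    return cd, ad

if __name__ == "__main__":
    issued = bytes(range(32))  # constructed challenge
    print("genuine site:  ", check_assertion(*build_sample(ORIGIN, RP_ID, issued), issued))
    fake = build_sample("https://accounts.example.com.login.test", "login.test", issued)
    print("lookalike site:", check_assertion(*fake, issued))
```

A response produced on a lookalike page carries that page's origin and relying-party hash, so the server rejects it even when the user has been deceived into approving the prompt.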
Christian Brand, head of identity and security at Google, stated that his goal is for “passwords to become rare and eventually obsolete.” Companies such as Apple, Microsoft, eBay, Uber, and WhatsApp have also adopted this technology, demonstrating a growing industry trend toward more secure authentication methods.
How to Create and Use a Passkey in Gmail
To start using passkeys on a Google account, users need to follow a few simple steps:
1. Access your Google account settings from a supported browser (Chrome, Safari, Edge, or Firefox in their most recent versions).
2. Go to the “How you sign in to Google” section within the security section.
3. Select the “Passkeys and security keys” option and follow the instructions to set up a passkey.
4. Verify your identity using a security option built into your device, such as a fingerprint, facial recognition, or PIN.
5. Confirm the creation of the passkey and save it to the device.
Once configured, the passkey will allow login without entering a password, as long as the user uses a device compatible with FIDO2 technology, which includes computers with Windows 10 or higher, macOS Ventura, iOS 16, Android 9 and newer versions.
Google has also noted that while users can still opt in to passwords, the system will be set by default to “bypass passwords when possible.”
Additionally, Google clarifies that biometric data (e.g. fingerprints) is never shared with the company, but remains stored on the user’s device, which reinforces the privacy and security of the system.
QR code authentication — the alternative to SMS
In addition to passkeys, Google is rolling out another security solution: QR code authentication. This decision responds to concerns about the security of traditional text message (SMS) authentication methods, which have proven vulnerable to phishing attacks and SIM swapping, a type of attack that occurs when cybercriminals take control of a victim’s phone number to access their accounts.

Until now, Gmail users who activated two-step verification received a code via SMS to verify their identity. However, this system presented significant risks, as criminals could intercept these codes and access personal accounts.
With the new method, instead of receiving a numeric code, users will see a QR code on their device screen, which they must scan with their phone’s camera. This system eliminates the need to rely on telephone operators and prevents an attacker from obtaining an access code through deception.
The QR authentication process will work as follows:
- The user attempts to access their account from a new device.
- Instead of receiving an SMS code, a QR code appears on the screen.
- The user scans the QR code with their phone’s camera or the Google Authenticator app.
- Once scanned, the identity is verified and access is granted.
Google has not yet announced an exact date for the full implementation of this system, but it is expected to be available in the coming months.