Enlarge / Google says the login flow will go something like this, from left to right: type in your username, pick a passkey, scan a finger. Hopefully your device has biometrics. (credit: Google)

Google is taking a big step toward our supposedly passwordless future by enabling passkey-only Google accounts. In the blog post, titled " The beginning of the end of the password ," Google says: "We’ve begun rolling out support for passkeys across Google Accounts on all major platforms. They’ll be an additional option that people can use to sign in, alongside passwords, 2-Step Verification (2SV), etc." Previously, you've been able to use a passkey with a Google account as part of two-factor authentication, but that was always in addition to a password. Now it's possible to use a Google account with a passkey instead of a password.

A passkey, if you haven't heard of the new authentication method, is a new way to log in to apps and websites and may someday replace a password. Password entry began as a simple text box for humans, and those text boxes slowly had automation and complication bolted onto them as the desire for higher security arrived. While you used to type a remembered word into a password field, today, the right way to use a password is to have a password manager paste a random string of characters into the password box. Since few of us physically type in our passwords, passkeys remove the password box.

Passkeys have your operating system directly swap public-private keypairs—the " WebAuthn " standard—with a website, and that's how you get authenticated. Google's demo of how this will work on a phone looks great—the usual box asks for your Google username, then instead of a password, it asks for a fingerprint, which unlocks the passkey system, and you're logged in.

Enlarge / Please don't do this. (credit: Getty Images)

Big Tech wants to kill the password, with "Passkeys" being the hot, new password replacement standard on the block. Passkeys are backed by Google, Apple, Microsoft, and the FIDO Alliance, so expect to see them everywhere soon. iOS picked up the standard in version 16, and now Google is launching passkey betas on Chrome and Android.

The passkey argument is that passwords are old and insecure. Computer passwords were originally conceived as an easy-to-remember secret for humans to type into a text box. As the need for greater security arose, password managers arrived, making it easy to save and recall your passwords. Now, instead of some human-memorable phrase, the ideal way to use a password is to have a computer generate some wild string of characters and never reuse that password anywhere else. The password manager revolution is all a hack, though, built on top of that original text box. We don't really need the text box anymore, and that's where the Passkey standard comes in.

The Passkey standard just trades cryptographic keys with the website directly. There's no need for a human to tell a password manager to generate, store, and recall a secret—that will all happen automatically, with way better secrets than what the old text box supported, and with uniqueness enforced. The downside is that, while every browser in the world supports showing that old text box, passkey support will need to be added to every web browser, every password manager, and every website. It's going to be a long journey.