Yesterday, on World Password Day of all days, Google announced that passkeys are now available as a sign-in option for all Google Accounts. This isn’t a beta or a limited rollout — it’s 1.5 billion accounts gaining access to passwordless authentication built on the FIDO2/WebAuthn standard. After years of the security community talking about killing passwords, this feels like the moment it actually starts happening.
What Passkeys Are (and Aren’t)
For those who haven’t been following the FIDO Alliance’s work, passkeys are cryptographic credentials that replace passwords entirely. When you create a passkey for a site, your device generates a public-private key pair. The public key goes to the server; the private key stays on your device, protected by your screen lock (fingerprint, face recognition, or PIN).
Authentication works via a challenge-response protocol: the server sends a challenge, your device signs it with the private key after biometric verification, and the server validates the signature against the stored public key. The private key never leaves your device. There’s nothing to phish, nothing to leak in a database breach, nothing to reuse across sites.
Passkeys build on the WebAuthn standard that’s been in browsers since 2019, but with a critical addition: syncing. Unlike hardware security keys (YubiKeys and the like), passkeys sync across your devices via your platform’s cloud — iCloud Keychain for Apple devices, Google Password Manager for Android and Chrome, and eventually Windows Hello for Microsoft’s ecosystem. This solves the biggest usability problem with previous FIDO implementations: losing your authenticator no longer means losing access.
Why This Matters More Than Previous Attempts
We’ve been trying to kill passwords for as long as I’ve been in this industry. Smart cards in the 90s, client certificates, various biometric schemes, FIDO U2F keys — all technically superior to passwords, all failed to achieve mainstream adoption. So why should passkeys be different?
Device support is already here. Passkeys work today on iOS 16+, Android 9+, macOS Ventura, and Windows 10/11 with the latest browser versions. That covers the vast majority of consumer devices without requiring any additional hardware.
The UX is genuinely better. I’ve been using passkeys on a few services for the past few months, and the experience is markedly faster than passwords. No typing, no password manager lookup, no 2FA code. Touch your fingerprint sensor and you’re in. For the first time, the secure option is also the most convenient option — and that’s the only way security wins at scale.
The big platforms are aligned. Apple, Google, and Microsoft are all committed to passkeys through the FIDO Alliance. When these three companies agree on an authentication standard and ship it in their platforms, adoption follows. This isn’t a niche security vendor trying to push a proprietary solution — it’s the infrastructure layer making passwords obsolete.
Implementation Considerations for Developers
If you’re building applications that handle user authentication, it’s time to start planning passkey support. Here’s what I’ve learned from early implementation work:
The WebAuthn API is well-designed but has nuances. The browser API for creating and using passkeys is navigator.credentials.create() and navigator.credentials.get(). The specification is solid, but you’ll want a server-side library to handle attestation and assertion validation. Libraries like SimpleWebAuthn (JavaScript) or py_webauthn (Python) abstract the complexity.
You’ll need a migration strategy. You can’t flip a switch and require passkeys — you need a period where both passwords and passkeys work. Design your auth flow to prompt users to create a passkey after successful password login, and gradually nudge them toward passkey-only over time.
Account recovery is the hard problem. What happens when a user loses all their devices? With passwords, you send a reset email. With passkeys, the platform sync should handle device loss in most cases, but you still need a recovery path. Google’s approach includes recovery through phone number, another signed-in device, or a hardware security key. Design your recovery flow before shipping passkeys.
Think about enterprise scenarios. Managed devices, shared workstations, and compliance requirements add complexity. FIDO2 supports attestation that lets you verify the type of authenticator being used — important if your security policy requires specific hardware.
The Road Ahead
Google’s rollout is a massive catalyst, but we’re still early. The adoption curve will look something like this:
- Now: Major platforms offer passkey sign-in alongside passwords
- Next 12-18 months: More services adopt passkeys; password managers integrate passkey support
- 2-3 years: Password-optional accounts become common on major services
- 5+ years: Password-only sign-in starts disappearing from mainstream services
The wildcard is the cross-platform story. Right now, syncing works within ecosystems (Apple-to-Apple, Google-to-Google), but cross-platform passkey management is still evolving. If I create a passkey on my iPhone, using it on a Windows PC requires scanning a QR code for a cross-device authentication flow. It works, but it’s not as seamless as staying within one ecosystem. I expect this to improve significantly as the standards mature.
My Take
I’ve been advocating for WebAuthn adoption since the spec was finalized, and Google’s move is the best news I’ve seen for authentication security in years. Passwords are a fundamentally broken paradigm — they’re the single biggest attack vector for account compromise, and no amount of complexity requirements or rotation policies fixes the underlying problem.
Passkeys aren’t perfect. The reliance on platform vendors for key syncing introduces its own trust considerations. The cross-platform experience needs work. Enterprise deployment scenarios are still being figured out. But these are tractable engineering problems, not fundamental design flaws.
If you’re a developer, add WebAuthn support to your roadmap. If you’re a user, go to g.co/passkeys and set up a passkey for your Google Account today. The best way to build momentum for passwordless authentication is to use it.
We’ve been talking about killing passwords for 30 years. This time, I think we actually have the right technology, the right ecosystem support, and the right user experience to make it happen.
This post is part of my Security in Practice series, tracking real-world security developments that matter for working engineers.
