Still unsure about passkeys, the tech industry’s latest attempt to kill the password? Google has released some rare data, showing that logging in with passkeys is much faster and efficient than typing in a password.
The data was collected in March and April, and compares successful login attempts from passkey adopters to traditional password users. It puts the average authentication success rate for passkey adopters at 63.8% versus 13.8% for traditional password users. This suggests consumers relying on the old-school login method often fail to sign in on the first try, perhaps because they forget or mistype the password.
Passkey users, on the other hand, often sign in on the first try, although Google didn't disclose why the passkey success rate isn't at 100%.
The data comes days after Google added passkeys as an official way to log in to Google accounts. Prior to this, the Chrome browser and Android OS supported passkeys as a sign-in method for third-party websites.
The Google data also shows that users signing in with passkeys often complete the process significantly faster than traditional password users. “On average, a user can successfully sign in within 14.9 seconds, while it typically takes twice as long to sign in with passwords (30.4 seconds),” the company said.
Google doesn’t mention how the company collected the stats, but it likely occurred through anonymized data collection via the Chrome browser and Android OS. The sample size was around 100 million users.
The other major benefit to passkeys is how the technology can stop account hijacking through password-stealing attempts, such as phishing emails or malware. That’s because passkeys ditch passwords entirely. Instead, the security technology creates a unique, private key that’s bound to your device, whether it be a laptop or smartphone. The website you’re logging into can then issue a digital challenge, which the private key onboard your hardware can authenticate.
No password data is ever exchanged. Rather, all your devices can be set up to use passkeys registered for online accounts that support the security technology.
Still, not everyone may be willing to switch to passkeys. Last week, a Google product manager noted that passkeys can get messy. While Apple and Microsoft also support the technology, generated passkeys are bound to each company’s platform. So passkeys generated and stored on a Google account can’t be shared to a Windows PC. Instead, the user has to create a separate passkey on their Windows PC to sign into the desired account.
Another challenge facing the technology is consumer trust. Google’s reputation for data collection and mining users’ activities to serve ads has caused some to reject passkeys over privacy concerns. Complicating matters is that when you use a passkey, your smartphone or laptop will ask you to complete a verification step to prove it’s you, and not someone else signing in. This essentially means going through the device’s screen lock, and can involve a fingerprint or facial scan, or typing in a PIN number or even a password.
The need for biometric data has stirred up worries that Google can collect sensitive data on users if they switch over to passkeys. But in Friday’s blog post, the company reiterated that no fingerprint or facial data is ever sent to Google during the passkey process.
“The user’s biometric, or other screen lock data, is never sent to Google’s servers —it stays securely stored on the device, and only cryptographic proof that the user has correctly provided it is sent to Google,” the company said. “Passkeys are also created and stored on your devices and are not sent to websites or apps.”