Online Identities, Passwords, and Passkeys, Oh My (Premium)

I’ve been using a Google Workspace account—[email protected]—as my primary online identity since before we launched Thurrott.com, and for the most part, I don’t have any major complaints. But there has long been one major downside to this account type, and to consumer-focused Gmail accounts, compared to my other major online identity, my 22-year-old Microsoft account (MSA): it requires me to actually type in my password every time I need to sign in for the first time on a new PC or device. And then occasionally thereafter, though those instances are handled by my password manager.

Microsoft does not require this. Indeed, it hasn’t required this since 2017, when it updated its excellent Microsoft Authenticator app to support passwordless sign-ins to Microsoft accounts that are protected by two-step authentication (2FA). (And in 2018, it added a similar capability for those who wish to protect their account further using a physical security key like a YubiKey.)

But Microsoft took the passwordless movement to its logical conclusion in 2021 when it began allowing MSA users to completely remove the password from their accounts. I still haven’t enabled (disabled?) this feature on my primary Microsoft account, but I have on others, like those I use for my books.

Related to this, Microsoft has also been updating Authenticator to meet related needs. In December 2020, for example, it added password manager and autofill capabilities so that you can use it as the default for app and web accounts and password autofill on Android and iPhone.

Google has moved much more slowly to make similar improvements for its business (Workspace) and consumer (Gmail) customers. But a little over one year ago, it announced that it would join Apple and Microsoft in supporting the passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. And as I noted at the time, user authentication is, as Microsoft would say, a hard computer science problem. It is perhaps ironic, then, that Microsoft got it right first. I’ve been waiting on Google ever since.

So what am I waiting for? Easy: account authentication that is both seamless and secure.

What this means in real-world terms is that signing into my Microsoft account—whether I’m setting up a new PC for the first time, signing in to OneDrive or Outlook.com online, or whatever—is easy: I just type in my email address and I get a prompt on my phone that I can authenticate with my fingerprint (on my Google Pixel) or via facial recognition (via Face ID on my iPhone). Then I’m signed in on the PC or device with no need to ever type a password. Subsequent sign-ins are just as easy and use the same process.

With Google, however, I’ve had to type in my password too. This happens when I set up an Android phone or Chromebook, when I sign in to a Google app or service, and so on. And it happens every single time. As a result, I’ve had to ensure that my Google account password is memorable to me and not overly tedious to type. Meanwhile, I’m not even sure I remember my MSA password now.

But Google has made some big steps towards our passwordless future in recent weeks. Unfortunately, Google’s improvements always come to Gmail (consumer) accounts first, meaning that I often have to wait because I use a Workspace account. Please don’t get me started on how I feel when non-paying Gmail users get new features before paying Workspace customers like me. But it’s negative.

So when Google announced it would bring passkey support to Google accounts in early May, I experienced a bright moment of joy before I discovered that, of course, Google would only be doing so for consumer Gmail accounts. Workspace support would come “soon,” we’re told. And for once, this kind of promise was true: Workspace support did come soon, with Google announcing it last week, just one month later. Nice.

Or … not so nice. As an administrator at Thurrott.com—privilege has its privileges, I like to joke—I was able to make the required configuration change in the Admin console to enable passkey support for our handful of accounts. And then I used Google’s instructions for end users to go and add passkey support to my account. Only to be told that passkeys were not supported in Workspace. Humph.

Scanning the original blog post on this topic, I found that Google would be rolling this feature out over time, which should be triggering to anyone in the Insider Program. And so I waited. And by “I waited,” I mean I checked the Google Passkeys website every day until it finally let me in. That day was today.

According to the site, I had two devices—my Pixel 7 Pro and the review Pixel 6a that Google told me I could hold onto for two years—listed under “Automatically created passkeys” plus a “Create a passkey” button I could use to add a passkey on the current device (which was a Windows PC).

Because Android devices automatically create passkeys for you when you sign in to your Google account, I didn’t have to worry about my Pixel. But I could enroll my PC so that further authentications on this device would not require a password. Instead, I could simply authenticate using Windows Hello fingerprint recognition, since that’s what I use on this particular PC.

And sure enough, I was prompted to use my finger.

And then the PC was added to the list of created passkeys. (I later changed the name to the name of the PC to make it more obvious.)

And … neat. But what’s the real-world impact here? As I noted previously, Google had required me to enter my email address and password the first time I used it, and then when it asked subsequently, the password manager would handle auto-filling the password. Passkeys make that second instance a bit more seamless. But does it help with the first?

I didn’t want to reset an Android phone or Chromebook to test that. But that wasn’t necessary either: all I really needed to do was sign into my Workspace account for the first time on some other device. So I installed Google Chrome on a Mac. And to my surprise, it prompted me to use a passkey. I could confirm myself with a phone or tablet, or a USB security key, so I chose the former and was presented with a QR code. I scanned that with my Pixel, confirmed my identity with a fingerprint, and voila! I signed in to my Workspace account in Chrome on the Mac.

Interestingly, this process didn’t add a passkey on the Mac: when I revisited the Google Passkeys website, only my phones and that one PC were listed. But I could of course add one on the Mac, using Chrome, if I wanted. And the listing for my Pixel 7 noted that it had been used as a passkey.

To answer my own question, Google’s implementation of passkeys is a little bit less tedious than typing a password, and Google does meet the letter of passwordless, if not the spirit. But Microsoft’s passwordless approach is still much, much better. So I applaud the step forward, Google. But it still feels like two steps forward, one step back.
