
Google Issues Warning to 2 Billion Users: The Era of Passwords is Over. Protect the World with "Passkeys"


June 22, 2025, 14:37

Table of Contents

  1. What is a Passkey—The Decisive Difference from Passwords

  2. The Reality Exposed by 16 Billion Data Breaches

  3. Google's "Passkey by Default" Strategy

  4. Technical Explanation: How FIDO2/WebAuthn Works

  5. Global Adoption Status—Movements of Apple, Microsoft, and Major Sites

  6. User Perspective: Setup Procedures and Troubleshooting

  7. For Businesses and Developers: Best Practices for Implementation and Operation

  8. Privacy and Biometric Information Security

  9. Global Challenges and Deployment in Developing Countries

  10. Conclusion: The Future Beyond Passwords



1. What is a Passkey—The Decisive Difference from Passwords

A passkey is an asymmetric authentication credential using public key cryptography, where the user retains a private key and the server holds a public key. Because the private key does not leak outside the device, it is resistant to phishing and replay attacks.

Furthermore, it allows signing using OS-native unlocking methods such as fingerprint, facial recognition, or PIN, eliminating memory burden and speeding up the user experience. According to Google, login speed improves by about 40% compared to passwords (blog.google).



2. The Reality Exposed by 16 Billion Data Breaches

In June 2025, a Cybernews investigation revealed that 30 massive datasets were exposed, totaling 16 billion IDs and passwords circulating on the dark web. These credentials, reused across multiple services like Google, Apple, and Meta, led experts to warn that "an average of two authentication credentials per person have been leaked" (cbsnews.com, m.economictimes.com).



3. Google's "Passkey by Default" Strategy

Starting in October 2023, Google made passkeys the default for personal accounts, expanding the target from 200 million to 2 billion by June 2025. "Skip password when possible" will be enabled by default, available across services like Gmail, YouTube, and Maps.

Google positioned passkeys as the primary authentication method, with passwords becoming legacy (blog.google, fidoalliance.org).



4. Technical Explanation: How FIDO2/WebAuthn Works

  • FIDO2: Carries out the public-key exchange between the client device (a CTAP2-compatible authenticator) and the platform (browser).

  • WebAuthn API: A browser standard called via JavaScript. It sends the public key to the server during registration and returns a signature over the server's challenge during authentication.

  • Multi-factor vs Multi-step: Passkeys streamline MFA into one step by combining "possession + biometrics."
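
The server-side half of the authentication step above, as an added example that is not from the article or from Google: it checks the `clientDataJSON` returned with a WebAuthn assertion, where the single-use challenge gives replay resistance and the browser-written origin gives phishing resistance. The origin, function names and sample values are assumptions, and verifying the signature over the authenticator data and the hash of `clientDataJSON` is a separate step not shown here.

```javascript
// Added example: relying-party checks on clientDataJSON (hypothetical names).
const EXPECTED_ORIGIN = "https://login.example.test"; // assumed RP origin
const CHALLENGE_TTL_MS = 5 * 60 * 1000;
const pending = new Map(); // challenge (base64url) -> expiry time in ms

// Step 1: remember each challenge handed to the browser. A real server draws
// the bytes from a CSPRNG; they are passed in here to keep the example fixed.
function issueChallenge(bytes, now) {
  const challenge = Buffer.from(bytes).toString("base64url");
  pending.set(challenge, now + CHALLENGE_TTL_MS);
  return challenge;
}

// Step 2: validate the clientDataJSON returned with the assertion.
// Returns "ok" or the reason for rejection.
function checkClientData(clientDataB64, now) {
  let data;
  try {
    data = JSON.parse(Buffer.from(clientDataB64, "base64url").toString("utf8"));
  } catch {
    return "malformed";
  }
  if (data === null || typeof data !== "object") return "malformed";
  if (data.type !== "webauthn.get") return "wrong-type";
  // The browser, not the page, writes the origin, so a response produced on
  // a look-alike site carries that site's origin and is rejected here.
  if (data.origin !== EXPECTED_ORIGIN) return "origin-mismatch";
  const expiry = pending.get(data.challenge);
  if (expiry === undefined) return "unknown-or-replayed-challenge";
  pending.delete(data.challenge); // single use: a captured response cannot be resent
  if (now > expiry) return "challenge-expired";
  return "ok";
}

// Constructed sample: the JSON a browser would serialize for a given origin.
function sampleClientData(challenge, origin) {
  const json = JSON.stringify({ type: "webauthn.get", challenge, origin });
  return Buffer.from(json, "utf8").toString("base64url");
}
```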



5. Global Adoption Status: Moves by Apple, Microsoft, and Major Sites

Apple integrates with iCloud Keychain from iOS 17 onwards, Microsoft offers Windows Hello as a FIDO2 authenticator. eBay, Uber, and WhatsApp aim to complete passkey support by 2025. Pilot projects are also underway in government portals and financial institutions across various countries.



6. User Perspective: Setup Procedures and Troubleshooting

  1. Generate via Google Account → Security → Passkeys.

  2. Automatic sync available from Android 14 and iOS 17 onwards.

  3. Older devices can use FIDO security keys (USB/NFC) as a backup.

  4. For device changes, securely transfer using iCloud or Google Password Manager.

  5. In case of errors, check WebAuthn settings in the browser and biometric registration in the OS.



7. For Companies and Developers: Best Practices for Implementation and Operation

  • With the WebAuthn Level 3 draft in mind, make resident keys mandatory.

  • Use a provisioning API to enable recovery even if the user loses their device.

  • Design phased transitions like "passkey only" or "passkey + OTP."

  • Incorporate "webauthn-signature-counter" in log audits to detect reused keys.
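
One way to run the signature-counter audit from the last item, as an added example rather than the article's or any vendor's code: it reads the 4-byte counter from each logged authenticator data blob and reports assertions whose counter did not increase. The log record shape, function names and sample entries are assumptions.

```javascript
// Added example: signature-counter audit over logged assertions (hypothetical names).
// authenticatorData layout: rpIdHash (32 bytes) | flags (1) | signCount (4, big-endian)
function parseAuthData(hex) {
  const buf = Buffer.from(hex, "hex");
  if (buf.length < 37) throw new RangeError("authenticatorData shorter than 37 bytes");
  const flags = buf[32];
  return {
    userPresent: (flags & 0x01) !== 0,
    userVerified: (flags & 0x04) !== 0,
    signCount: buf.readUInt32BE(33),
  };
}

// Walk assertions in log order and report any counter that failed to increase,
// which signals that the same private key may exist on more than one device.
function auditCounters(records) {
  const last = new Map(); // credentialId -> highest counter accepted so far
  const findings = [];
  for (const rec of records) {
    const { signCount } = parseAuthData(rec.authData);
    const stored = last.get(rec.credentialId) ?? 0;
    if (signCount === 0 && stored === 0) continue; // authenticator has no counter
    if (signCount > stored) {
      last.set(rec.credentialId, signCount);
    } else {
      findings.push({ credentialId: rec.credentialId, at: rec.at, stored, signCount });
    }
  }
  return findings;
}

// Constructed sample log: zeroed rpIdHash, flags byte, then the counter.
const authData = (flags, count) =>
  "00".repeat(32) + flags.toString(16).padStart(2, "0") + count.toString(16).padStart(8, "0");

const SAMPLE_LOG = [
  { at: "t1", credentialId: "cred-A", authData: authData(0x05, 41) },
  { at: "t2", credentialId: "cred-B", authData: authData(0x05, 0) },
  { at: "t3", credentialId: "cred-A", authData: authData(0x05, 42) },
  { at: "t4", credentialId: "cred-B", authData: authData(0x05, 0) },
  { at: "t5", credentialId: "cred-A", authData: authData(0x05, 42) }, // counter repeats
  { at: "t6", credentialId: "cred-A", authData: authData(0x05, 43) },
];
```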



8. Privacy and Security of Biometric Information

Passkeys do not send biometric data itself to the server. The OS performs local matching and only returns a success/failure flag, ensuring that fingerprints or facial images do not remain in the cloud. The design is compliant with personal data protection regulations (GDPR, CCPA, Revised Personal Information Protection Law).



9. Global Challenges and Deployment in Developing Countries

Inexpensive Android Go devices and public PCs often lack biometric sensors. In such cases, a combination of PIN and security key or fallback to SMS OTP is necessary. It is reported that the FIDO Alliance plans to release the "Passkey Lite" specification by 2025 for lightweight implementation on low-performance devices.



10. Conclusion: The Future Beyond Passwords

  • Short-term: Major web services will make passkeys mandatory, with passwords as a backup method.

  • Mid-term: Devices equipped with hardware security modules (TPM) become standardized.

  • Long-term: Development towards a "self-sovereign" authentication infrastructure in combination with Decentralized ID (DID).


Google's warning signals the end of a 30-year tradition centered on passwords. It is time for all internet users worldwide to take action.



List of Reference Articles

  • CBS News "16 billion login credentials from Google and other sites leaked online" (2025-06-20) cbsnews.com

  • The Economic Times "How to secure your Google account after the 16 billion passwords leaked" (2025-06-20) m.economictimes.com

  • Google Official Blog "Passwordless by default: Make the switch to passkeys" (2023-10-10) blog.google

  • MSN/FIDO Alliance "Google Pushes 2 Billion Gmail Users to Adopt Passkeys Over Passwords" (2025-06-17) fidoalliance.org
