Morning Overview

Google is pushing its two billion Gmail users to ditch passwords for passkeys

Google is pressing its massive Gmail user base to replace traditional passwords with passkeys, a move grounded in federal authentication standards that classify the technology as resistant to phishing attacks. The push aligns with draft guidance from the National Institute of Standards and Technology, which identifies the WebAuthn/FIDO2 protocol behind passkeys as a method that blocks the kind of broad credential theft that has plagued email accounts for years. The scale of this transition raises a direct question: whether shifting billions of accounts to passkeys will produce a visible decline in account takeovers that shows up in public breach data.

Why the Gmail passkey push carries real security weight

Password-based attacks remain the primary vector for breaking into consumer email accounts. Credential stuffing, phishing kits, and database leaks all exploit the same weakness: a reusable string of characters that can be stolen, guessed, or intercepted. Passkeys work differently. They rely on cryptographic key pairs tied to a specific device and a specific website domain, which means a fake login page cannot harvest a credential that works on the real site.

NIST’s SP 800-63B Rev. 4 draft lays out the technical basis for this distinction. The document describes phishing-resistant authenticators as those that use verifier name binding, a mechanism that cryptographically ties the authentication exchange to the legitimate domain. WebAuthn/FIDO2 is presented as an example of this standard, meaning passkeys built on this protocol meet the federal bar for phishing resistance when deployed correctly.

The hypothesis that Google’s rollout will produce a measurable drop in account-takeover reports within 18 months is testable but faces real constraints. Public breach-notification datasets, such as those compiled by state attorneys general and the Identity Theft Resource Center, track reported incidents by category. If passkey adoption reaches a meaningful share of Gmail accounts, phishing-driven takeovers should decline relative to other attack types. The challenge is isolating that signal from other security improvements Google deploys simultaneously, and from the reality that attackers shift tactics when one avenue closes.

A drop in phishing success rates against Gmail would not necessarily appear quickly in aggregate breach statistics. Many breach notifications lag the actual incident by months, and reporting standards vary by state. Tracking the effect would require comparing phishing-specific incident rates before and after passkey adoption crosses a threshold, a figure Google has not publicly disclosed for Gmail. Even then, correlation would be easier to demonstrate than causation, especially if organizations harden other parts of their identity stacks at the same time.

Federal standards and the technical case for syncable authenticators

The federal framework supporting passkeys has developed through two related NIST publications. The SP 800-63B Rev. 4 draft section on authenticators establishes the criteria for phishing-resistant methods, centering on verifier name binding as the defining feature. Separately, a NIST blog post on syncable authenticators explains how passkeys stored in cloud keychains fit into this guidance. NIST uses the term “syncable authenticators” as the formal name for what consumers and the industry commonly call passkeys.

The distinction between device-bound and syncable passkeys matters for everyday users. A device-bound passkey lives on a single hardware token or phone and cannot be copied. A syncable passkey, by contrast, is stored in a cloud keychain run by Apple, Google, or Microsoft and follows the user across devices. NIST’s guidance states that syncable authenticators can be phishing-resistant when implemented correctly, but the “when implemented correctly” qualifier is doing significant work. The security of the cloud keychain itself, the protections around account recovery, and the integrity of the sync mechanism all affect whether the phishing-resistance promise holds in practice.

Google’s decision to push passkeys for Gmail accounts effectively bets that its cloud keychain implementation meets NIST’s conditions. For users, the practical experience is straightforward: a fingerprint scan, face unlock, or device PIN replaces the act of typing a password. The authentication exchange happens between the device and Google’s servers using public-key cryptography, and no shared secret crosses the network in a form an attacker can reuse.

This approach addresses the most common consumer threat model. Most Gmail users are not targeted by state-sponsored hackers wielding zero-day exploits. They are targeted by mass phishing campaigns that send fake login pages to millions of addresses and harvest whatever credentials come back. Passkeys make those campaigns structurally ineffective because the cryptographic handshake fails on any domain that is not the legitimate one. Attackers can still try malware, SIM swapping, or social engineering of account recovery flows, but the cheap, scalable credential-harvesting attacks that dominate today become far less profitable.

The standards context also matters for enterprises and government agencies that rely on Gmail or Google Workspace. NIST’s broader Computer Security Resource Center materials are written for organizations that must document how their identity systems align with federal guidance. When a major consumer provider like Google adopts a technology that NIST has already framed as phishing-resistant, it lowers the friction for regulated entities to follow suit, because they can point to the same technical underpinnings and terminology.

Gaps in the evidence and what to watch next

Several pieces of the picture are missing. Google has not released internal data on how many Gmail users have already enrolled a passkey, what percentage of logins now use passkeys instead of passwords, or whether early adoption has changed the company’s internal metrics on phishing-driven account compromises. Without those numbers, the strength of the security case rests on the theoretical properties of the protocol rather than observed outcomes at scale.

NIST’s own publications, hosted through its Computer Security Resource Center, provide the standards framework but not empirical consumer-level data. The SP 800-63B Rev. 4 document remains in draft form, which means the final version could adjust the conditions under which an authenticator is considered phishing-resistant or clarify how syncable implementations should handle recovery and device loss. Those changes could, in turn, influence how Google and other providers refine their passkey deployments.

Independent researchers face additional hurdles in measuring the real-world impact of Gmail’s shift. Public breach reports rarely specify whether a compromised account used a password, a passkey, or some other factor at the time of the incident. Even when phishing is listed as the root cause, the underlying data may conflate traditional credential theft with more targeted attacks that bypass user authentication entirely, such as exploiting OAuth token grants or vulnerabilities in third-party apps connected to email accounts.

One promising avenue for evidence will be longitudinal studies that track phishing kit success rates over time. If large providers like Google, Apple, and Microsoft collectively move their user bases to passkeys, criminal operators who sell phishing-as-a-service should see declining yields when targeting those ecosystems. That shift might show up first in underground forum chatter or in the evolution of phishing kits that pivot away from credential capture toward session hijacking or malware delivery.

Another indicator will be changes in consumer guidance from regulators and advocacy groups. If passkeys deliver on their promise at scale, organizations that currently tell users to rotate passwords and beware of suspicious links may start emphasizing device security and recovery hygiene instead. That would reflect a world where the primary risk is no longer typing a password into the wrong box, but losing control of the device or cloud account that stores the private key.

For now, the Gmail passkey push sits at the intersection of strong cryptographic design, evolving federal standards, and incomplete public data. The technical case for passkeys as a defense against phishing is well articulated in NIST’s drafts and supporting blogs. The policy case for aligning consumer platforms with phishing-resistant authenticators is equally clear. The open question is empirical: whether, and how quickly, those properties translate into fewer real-world account takeovers visible outside Google’s internal dashboards.

Answering that question will require patience and careful analysis rather than headline-driven conclusions. Breach-notification databases, security research, and future NIST revisions will gradually reveal whether Gmail’s move away from passwords marks a turning point in consumer account security or simply raises the bar enough to force attackers to innovate again. Until then, the best available evidence is still the standards themselves, which argue that if passkeys are implemented and managed correctly, the era of stolen passwords as the default entry point to email accounts may finally be drawing to a close.

More from Morning Overview

*This article was researched with the help of AI, with human editors creating the final content.