Search results for google passkey security | Breaking Cybersecurity News | The Hacker News

Google on Thursday announced that passkeys are being used by over 400 million Google accounts, authenticating users more than 1 billion times  over the past two years . "Passkeys are easy to use and phishing resistant, only relying on a fingerprint, face scan or a pin making them 50% faster than passwords," Heather Adkins, vice president of security engineering at Google,  said . The search giant notes that passkeys are already used for authentication on Google Accounts more often than legacy forms of two-factor authentication, such as SMS one-time passwords (OTPs) and app based OTPs combined. In addition, the company said it's expanding  Cross-Account Protection , which alerts of suspicious events with third-party apps and services connected to a user's Google Account, to include more apps and services. Google is also expected to support the use of passkeys for high-risk users as part of its Advanced Protection Progr...

Google has announced that it's making available a security feature called Device Bound Session Credentials (DBSC) in open beta to ensure that users are safeguarded against session cookie theft attacks. DBSC, first introduced as a prototype in April 2024, is designed to bind authentication sessions to a device so as to prevent threat actors from using stolen cookies to sign-in to victims' accounts and gain unauthorized access from a separate device under their control. "Available in the Chrome browser on Windows, DBSC strengthens security after you are logged in and helps bind a session cookie – small files used by websites to remember user information – to the device a user authenticated from," Andy Wen, senior director of product management at Google Workspace, said . DBSC is not only meant to secure user accounts post-authentication. It makes it a lot more difficult for bad actors to reuse session cookies and improves session integrity. The company also note...

TLDR Even if you take nothing else away from this piece, if your organization is evaluating passkey deployments, it is insecure to deploy synced passkeys. Synced passkeys inherit the risk of the cloud accounts and recovery processes that protect them, which creates material enterprise exposure. Adversary-in-the-middle (AiTM) kits can force authentication fallbacks that circumvent strong authentication all together Malicious or compromised browser extensions can hijack WebAuthn requests, manipulate passkey registration or sign-in, and drive autofill to leak credentials and one-time codes. Device-bound passkeys in hardware security keys offer higher assurance and better administrative control than synced passkeys, and should be mandatory for enterprise access use cases Synced Passkey Risks Synced passkey vulnerabilities Passkeys are credentials stored in an authenticator. Some are device-bound, others are synced across devices through consumer cloud services like iCloud and Go...

Google on Monday announced that it's simplifying the process of enabling two-factor authentication (2FA) for users with personal and Workspace accounts. Also called 2-Step Verification ( 2SV ), it aims to add an extra layer of security to users' accounts to prevent takeover attacks in case the passwords are stolen. The new change entails adding a second step method, such as an authenticator app or a hardware security key, before turning on 2FA, thus eliminating the need for using the less secure SMS-based authentication. "This is particularly helpful for organizations using Google Authenticator (or other equivalent time-based one-time password (TOTP) apps)," the company  said . "Previously, users had to enable 2SV with a phone number before being able to add Authenticator." Users with hardware security keys have two options to add them to their accounts, including by registering a FIDO1 credential on the hardware key or by assigning a passkey...

Behind every click, there's a risk waiting to be tested. A simple ad, email, or link can now hide something dangerous. Hackers are getting smarter, using new tools to sneak past filters and turn trusted systems against us. But security teams are fighting back. They're building faster defenses, better ways to spot attacks, and stronger systems to keep people safe. It's a constant race — every move by attackers sparks a new response from defenders. In this week's ThreatsDay Bulletin, we look at the latest moves in that race — from new malware and data leaks to AI tools, government actions, and major security updates shaping the digital world right now. U.K. moves to tighten cyber rules for key sectors U.K. Debuts Cyber Security and Resilience Bill The U.K. government has proposed a new Cyber Security and Resilience Bill that aims to strengthen national security and secure public services like healthcare, drinking wat...

Hi there! Here's your quick update on the latest in cybersecurity. Hackers are using new tricks to break into systems we thought were secure—like finding hidden doors in locked houses. But the good news? Security experts are fighting back with smarter tools to keep data safe. Some big companies were hit with attacks, while others fixed their vulnerabilities just in time. It's a constant battle. For you, staying protected means keeping your devices and apps up to date. In this newsletter, we'll break down the top stories. Whether you're protecting personal data or managing security for a business, we've got tips to help you stay safe. Let's get started! ⚡ Threat of the Week China Calls Volt Typhoon an Invention of the U.S. : China's National Computer Virus Emergency Response Center (CVERC) has claimed that the threat actor tracked Volt Typhoon is an invention of U.S. intelligence agencies and their allies. It also accused the U.S. of carrying out false flag operations in ...

Almost five months after Google  added support  for passkeys to its Chrome browser, the tech giant has begun rolling out the  passwordless solution  across Google Accounts on all platforms. Passkeys , backed by the FIDO Alliance, are a more secure way to sign in to apps and websites without having to use a traditional password. This, in turn, can be achieved by simply unlocking their computer or mobile device with their biometrics (e.g., fingerprint or facial recognition) or a local PIN. "And, unlike passwords, passkeys are resistant to online attacks like phishing, making them more secure than things like SMS one-time codes," Google  noted . Passkeys, once created, are locally stored on the device, and are not shared with any other party. This also obviates the need for setting up two-factor authentication, as it proves that "you have access to your device and are able to unlock it." Users also have the choice of creating passkeys for every device they us...

Google has officially begun rolling out support for  passkeys , the next-generation passwordless login standard, to its stable version of Chrome web browser. "Passkeys are a significantly safer replacement for passwords and other phishable authentication factors," the tech giant's Ali Sarraf  said . "They cannot be reused, don't leak in server breaches, and protect users from phishing attacks." The improved security feature, which is available in version 108, comes nearly two months after Google  began testing the option  across Android, macOS, and Windows 11. Passkeys  obviate the need for passwords by requiring users to authenticate themselves during sign in by unlocking their nearby Android or iOS device using biometrics. This, however, calls for websites to build passkey support on their sites using the  WebAuthn API . Essentially, the technology works by creating a unique cryptographic key pair to associate with an account for the app or website ...

Google on Wednesday announced that it's making available passkeys for high-risk users to enroll in its Advanced Protection Program ( APP ). "Users traditionally needed a physical security key for APP — now they can choose a passkey to secure their account," Shuvo Chatterjee, product lead of APP, said . Passkeys are considered a more secure and phishing-resistant alternative to passwords. Based on the FIDO Authentication standard, the technology is designed to secure online accounts against potential takeover attacks by ditching passwords in favor of biometrics or a PIN. Passkeys can simultaneously act as a first- and second-factor, entirely obviating the need for a password. Earlier this May, the tech giant revealed that passkeys are being used by over 400 million Google accounts. High-risk users , who are at an elevated exposure to cyber-attacks because of who they are and what they do (e.g., journalists, elected officials, political campaign staff, human rights ...

Google on Tuesday announced the ability for all users to set up passkeys by default, five months after it  rolled out support  for the FIDO Alliance-backed passwordless standard for Google Accounts on all platforms. "This means the next time you sign in to your account, you'll start seeing prompts to create and use passkeys, simplifying your future sign-ins," Google's Sriram Karra and Christiaan Brand  said . "It also means you'll see the ' skip password when possible ' option toggled on in your Google Account settings." Passkeys are a new form of authentication that entirely eliminate the need for usernames and passwords, or even provide any additional authentication factor. In other words, it's a passwordless login mechanism that leverages public-key cryptography to authenticate users' access to websites and apps, with the private key saved securely in the device and the public key stored in the server. Each passkey is unique and...

Google has announced that it's discontinuing its dark web report tool in February 2026, less than two years after it was launched as a way for users to monitor if their personal information is found on the dark web. To that end, scans for new dark web breaches will be stopped on January 15, 2026, and the feature will cease to exist effective February 16, 2026. "While the report offered general information, feedback showed that it didn't provide helpful next steps," Google said in a support document. "We're making this change to instead focus on tools that give you more clear, actionable steps to protect your information online." The tech giant said it will delete all data related to dark web report once the feature is retired in February, but noted that users have an option to delete their monitoring profile ahead of time by following the steps below - Go to the Dark Web report Under "Results with your info," click Edit monitoring prof...

Cyberattacks are getting smarter and harder to stop. This week, hackers used sneaky tools, tricked trusted systems, and quickly took advantage of new security problems—some just hours after being found. No system was fully safe. From spying and fake job scams to strong ransomware and tricky phishing, the attacks came from all sides. Even encrypted backups and secure areas were put to the test. Keep reading for the full list of the biggest cyber news from this week—clearly explained and easy to follow. ⚡ Threat of the Week Motex Lanscope Flaw Exploited to Drop Gokcpdoor — A suspected Chinese cyber espionage actor known as Tick has been attributed to a target campaign that has leveraged a recently disclosed critical security flaw in Motex Lanscope Endpoint Manager (CVE-2025-61932, CVSS score: 9.3) to infiltrate target networks and deploy a backdoor called Gokcpdoor. Sophos, which disclosed details of the activity, said it was "limited to sectors aligned with their intelligence...

Hey there, it's your weekly dose of " what the heck is going on in cybersecurity land " – and trust me, you NEED to be in the loop this time. We've got everything from zero-day exploits and AI gone rogue to the FBI playing crypto kingpin – it's full of stuff they don't 🤫 want you to know. So let's jump in before we get FOMO. ⚡ Threat of the Week GoldenJackal Hacks Air-Gapped Systems: Meet GoldenJackal, the hacking crew you've probably never heard of – but should definitely know about now. They're busting into super-secure, air-gapped computer systems with sneaky worms spread through infected USB drives (yes, really!), proving that even the most isolated networks aren't safe. ESET researchers caught them red-handed using two different custom-made tools to target high-profile victims, including a South Asian embassy in Belarus and a European Union government organization. 🔔 Top News Mozilla Patches Firefox 0-Day: Mozilla patched a...

The FIDO Alliance said it's working to make passkeys and other credentials more easier to export across different providers and improve credential provider interoperability, as more than 12 billion online accounts become accessible with the passwordless sign-in method. To that end, the alliance said it has published a draft for a new set of specifications for secure credential exchange, following commitments among members of its Credential Provider Special Interest Group (SIG). This includes 1Password, Apple, Bitwarden, Dashlane, Enpass, Google, Microsoft, NordPass, Okta, Samsung, and SK Telecom. "Secure credential exchange is a focus for the FIDO Alliance because it can help further accelerate passkey adoption and enhance user experience," the FIDO Alliance said in a statement. "Sign-ins with passkeys reduce phishing and eliminate credential reuse while making sign-ins up to 75% faster, and 20% more successful than passwords or passwords plus a second facto...

A Spanish-speaking cybercrime group named GXC Team has been observed bundling phishing kits with malicious Android applications, taking malware-as-a-service (MaaS) offerings to the next level. Singaporean cybersecurity company Group-IB, which has been tracking the e-crime actor since January 2023, described the crimeware solution as a "sophisticated AI-powered phishing-as-a-service platform" capable of targeting users of more than 36 Spanish banks, governmental bodies, and 30 institutions worldwide. The phishing kit is priced anywhere between $150 and $900 a month, whereas the bundle including the phishing kit and Android malware is available on a subscription basis for about $500 per month. Targets of the campaign include users of Spanish financial institutions, as well as tax and governmental services, e-commerce, banks, and cryptocurrency exchanges in the United States, the United Kingdom, Slovakia, and Brazil. As many as 288 phishing domains linked to the activity ha...

Microsoft is officially rolling out support for passkeys in Windows 11 today as part of a  major update  to the desktop operating system. The feature allows users to login to websites and applications without having to provide a username and password, instead relying on their device PIN or biometric information to complete the step. Based on  FIDO standards , Passkeys were  first announced  in May 2022 as a replacement for passwords in a manner that's both strong and phishing-resistant. It has since been adopted by  Apple ,  Google , and a number of other services in recent months. While the tech giant added passkey management in the Windows Insider program back in June 2023, the development marks the feature's general availability. "Passkeys are the cross-platform future of secure sign-in management," David Weston, vice president of enterprise and OS Security,  said . "A passkey creates a unique, unguessable cryptographic credential that is...