Google warns “passwords are not only painful to maintain, but are also more prone to phishing and often leaked through data breaches.” And that’s the real issue. “It’s important to use tools that automatically secure your account and protect you from scams,” Google tells users, and that means upgrading account security now.
Google says “we want to move beyond passwords altogether, while keeping sign-ins as easy as possible.” That includes social sign-ins, but mainly it means passkeys. “Passkeys are phishing-resistant and can log you in simply with the method you use to unlock your device (like your fingerprint or face ID) — no password required.”
This is just one of their excuses to keep their users inside Google’s walled garden.
Passkeys are actually superior to passwords from a security standpoint though.
I believe the passkey system doesn’t mandate you use Google to hold the key, FWIW. I think Apple has a compatible system you can keep the key in for iPhones, and I believe you can use something like a YubiKey for them too.
API docs: https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
But passkeys are NOT MFA. They essentially replace “what you know” with “what you have”. Adding a second passkey like a YubiKey only furthers the single factor. Also, courts have ruled that you can be compelled to provide biometric data to unlock your accounts.
I suspect Google is moving to replace passwords not out of the kindness of their hearts but to allow the government to get into your account.
My preferred MFA combination is YubiKey (or similar physical key) + Password/PIN.
You don’t have to use biometrics to authenticate your passkeys.
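Added example, not part of any comment in this thread: the discussion turns on whether a passkey sign-in proves anything beyond possession of the authenticator. In WebAuthn, the authenticator data returned with each sign-in carries a flags byte reporting user presence (UP) and user verification (UV, a device PIN or biometric), which a relying party can check. The helper `assessCeremony`, its policy option and the sample bytes are constructed for illustration.

```javascript
// Added example: parse the fixed 37-byte header of WebAuthn authenticator data.
// Layout (WebAuthn spec): rpIdHash[32] | flags[1] | signCount[4, big-endian].
const FLAG = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40, ED: 0x80 };

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const flags = {};
  for (const [name, bit] of Object.entries(FLAG)) {
    flags[name] = (bytes[32] & bit) !== 0;
  }
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return { rpIdHash: bytes.slice(0, 32), flags, signCount: view.getUint32(33, false) };
}

// Hypothetical relying-party policy check: what did this sign-in actually prove?
function assessCeremony(bytes, { requireUserVerification }) {
  const { flags } = parseAuthenticatorData(bytes);
  if (!flags.UP) return { accept: false, reason: "user presence not asserted" };
  if (requireUserVerification && !flags.UV) {
    return { accept: false, reason: "possession only: no PIN or biometric reported" };
  }
  const proved = flags.UV ? "possession plus local PIN/biometric" : "possession only";
  return { accept: true, reason: proved };
}

// Constructed sample inputs (placeholder rpIdHash, not a real hash).
function sample(flagsByte, signCount) {
  const b = new Uint8Array(37);
  b.fill(0xab, 0, 32);
  b[32] = flagsByte;
  new DataView(b.buffer).setUint32(33, signCount, false);
  return b;
}
const tapOnly = sample(FLAG.UP, 7);              // key touched, no PIN or biometric
const tapPlusPin = sample(FLAG.UP | FLAG.UV, 8); // key touched and user verified

console.log(assessCeremony(tapOnly, { requireUserVerification: true }));
console.log(assessCeremony(tapPlusPin, { requireUserVerification: true }));
```

The flags are only trustworthy after the assertion signature and the rpIdHash have been verified, which this example skips. A relying party that wants UV on every sign-in also sets `userVerification: "required"` in the request options.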