Google Chrome's latest update introduces a powerful defense against phishing attacks and credential theft. The browser now blocks websites from stealing passkeys, a type of security credential that replaces traditional two-factor authentication codes.
Passkeys work differently than SMS or app-based codes. Rather than requiring you to enter a six-digit number, passkeys use cryptography tied to your device. Chrome's new feature prevents malicious websites from tricking users into handing over passkeys to attackers, even if a site looks identical to the real thing.
Here's what changed. When you visit a suspicious website that attempts to impersonate a legitimate service, Chrome detects the fake domain and blocks the passkey from being shared. Attackers commonly use typosquatting (buying domains like "amaz0n.com" instead of "amazon.com") or compromised subdomains to capture login credentials. Passkeys eliminate this vulnerability because they're cryptographically bound to the correct website's domain.
This matters for your everyday banking and email accounts. If you've enabled passkeys on Gmail, Facebook, or other major services, Chrome now provides an extra layer of protection without requiring any action from you. The feature activates automatically for all users.
Traditional two-factor authentication has a known weakness. If attackers redirect you to a fake login page, you might unknowingly hand over your credentials and your authentication code together, defeating the entire purpose of two-factor security. Passkeys sidestep this problem entirely because they cannot work on fraudulent domains, period.
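The domain binding described above comes down to two checks in WebAuthn, the standard behind passkeys: the browser only lets a page request a credential for its own domain, and the service only accepts a response that names its own origin and domain hash. The sketch below is an added example, not code from Chrome or from this article. The domain names, challenge value and function names are constructed for illustration, the browser rule is simplified (no public-suffix check), and signature verification is left out.

```python
import hashlib
import json
from urllib.parse import urlsplit

RP_ID = "example.com"                       # constructed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example.com.phish.test"  # constructed lookalike


def browser_allows_rp_id(page_origin, rp_id):
    """Browser-side rule, simplified (no public-suffix check): a page may only
    request an RP ID equal to its own host or a parent domain of that host."""
    parts = urlsplit(page_origin)
    host = parts.hostname or ""
    return parts.scheme == "https" and (host == rp_id or host.endswith("." + rp_id))


def make_assertion(page_origin, rp_id, challenge):
    """Constructed stand-in for the data a browser and authenticator return."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    # authenticatorData: SHA-256(rpId) | flags (0x01 = user present) | signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (7).to_bytes(4, "big")
    return client_data, auth_data


def verify_binding(client_data, auth_data, challenge):
    """Server-side domain checks; returns "ok" or the rejection reason.
    The signature check over auth_data + SHA-256(client_data) is omitted."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return "wrong type"
    if data.get("challenge") != challenge:
        return "challenge mismatch"
    if data.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    if len(auth_data) < 37:
        return "authenticator data too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user not present"
    return "ok"


if __name__ == "__main__":
    for origin in (EXPECTED_ORIGIN, PHISH_ORIGIN):
        cd, ad = make_assertion(origin, RP_ID, "c2FtcGxl")
        print(origin, browser_allows_rp_id(origin, RP_ID), verify_binding(cd, ad, "c2FtcGxl"))
```

The lookalike host fails both checks even though its name contains the real domain, which is why a copied login page gains nothing from a passkey prompt.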
Chrome's rollout marks a shift toward passkey adoption across the web. Apple's iCloud Keychain and Microsoft's Authenticator app already support passkeys. Google's move signals that major tech companies are moving authentication away from codes and passwords toward this more robust system.
For users, the practical step is simple. When major services offer passkey setup
