
Google defaults to Passkeys now [1], and has very aggressive heuristics around logging in [2]. They also maintain their own version of HIBP internally [3], and will force a password change [4] under certain circumstances.

They are doing this because when they have high assurance of your identity (and your account hasn't been taken over), that is the best time to issue the cryptographic credential (the Passkey), which improves the go-forward security of the account. Over time, accounts should filter over to Passkeys, and at some point they will likely deprecate passwords (or require high confidence that you are you to log in with just username and password, vs. a Passkey). I've had a discussion with someone on the project at Google, and they could only say "stay tuned" about what comes next. To be clear, I'm not divulging anything beyond what Google made public in their blog post and a bit of speculation on my part.

> Do you think google is deactivating people based on HIBP? If not why do you think everyone else should?

TLDR "password resets and account lockouts vs deactivating users" and "because it is good practice to protect your users and their data from compromise"

[1] https://blog.google/technology/safety-security/passkeys-defa...

[2] https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

[3] https://security.googleblog.com/2019/12/better-password-prot...

[4] https://support.google.com/accounts/answer/98564?hl=en ("If there’s suspicious activity in your Google Account or we detect that your password has been stolen, we may ask you to change your password. By changing your password, you help make sure that only you can use your account.")
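The comment above describes a defender-side pattern: check a credential against a breach corpus (HIBP or an internal equivalent), and when it matches, force a password reset or a lockout pending re-verification rather than deactivating the user. The block below is an added example for this thread, not Google's code and not HIBP's client. The range-response format it parses (lines of `SUFFIX:COUNT` keyed by the first five hex characters of the uppercase SHA-1, as returned by `https://api.pwnedpasswords.com/range/<prefix>`) is the real public k-anonymity protocol; the breach corpus, the counts and the `decide_action` policy are constructed for the example so it runs offline.

```python
"""Breached-credential check via the Pwned Passwords k-anonymity range
protocol, plus a "reset, don't deactivate" response policy.

Added example; not Google's or HIBP's code. The corpus and counts are
constructed so the check runs without network access.
"""
import hashlib
from enum import Enum
from typing import Callable, Dict, List

# Constructed mini breach corpus: password -> times seen in breaches.
# The counts are made up for this example.
CONSTRUCTED_BREACH_CORPUS: Dict[str, int] = {
    "password": 3730471,
    "letmein": 12345,
    "qwerty123": 987,
}


def sha1_hex_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form Pwned Passwords keys its ranges on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def offline_range(prefix: str) -> List[str]:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Returns "SUFFIX:COUNT" lines for every corpus entry whose SHA-1 starts
    with `prefix`. A real client would issue an HTTPS request here; only the
    5-character prefix ever leaves the client, which is the k-anonymity
    property that keeps the full hash (and the password) private.
    """
    if len(prefix) != 5:
        raise ValueError("range prefix must be exactly 5 hex characters")
    lines = []
    for pw, count in CONSTRUCTED_BREACH_CORPUS.items():
        digest = sha1_hex_upper(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return lines


def pwned_count(password: str,
                fetch_range: Callable[[str], List[str]] = offline_range) -> int:
    """Return how often `password` appears in the corpus (0 = not found).

    The range response is parsed defensively: a malformed line is skipped
    rather than allowed to crash the sign-in path.
    """
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix):
        parts = line.strip().split(":")
        if len(parts) != 2:
            continue
        if parts[0].upper() == suffix:
            try:
                return int(parts[1])
            except ValueError:
                continue
    return 0


class Action(Enum):
    ALLOW = "allow sign-in"
    FORCE_RESET = "force password change at next sign-in"
    LOCK_PENDING_VERIFICATION = "lock account until identity is re-verified"


def decide_action(password: str, suspicious_activity: bool,
                  fetch_range: Callable[[str], List[str]] = offline_range) -> Action:
    """Constructed policy mirroring the comment: a breached password or
    suspicious activity forces a reset; both together lock the account
    pending re-verification. The account is never deactivated, so the
    legitimate owner can always recover it."""
    breached = pwned_count(password, fetch_range) > 0
    if breached and suspicious_activity:
        return Action.LOCK_PENDING_VERIFICATION
    if breached or suspicious_activity:
        return Action.FORCE_RESET
    return Action.ALLOW


if __name__ == "__main__":
    cases = [("password", False), ("password", True),
             ("c0rrect-horse-battery", False), ("c0rrect-horse-battery", True)]
    for pw, sus in cases:
        print(f"{pw!r:26} suspicious={sus!s:5} -> {decide_action(pw, sus).value}")
```

To use this against the live service, replace `offline_range` with a function that performs the HTTPS GET for the prefix and splits the body on line breaks; the lookup logic and the policy do not change, and the password itself still never leaves the client.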




I just created a new gmail account to test this - it asked me to create a password (minimum 8 characters, I used lowercase letters and numbers only) and didn't say anything about MFA or passkeys. I'm not going to fact check every other claim since the first one failed so utterly.


> This means the next time you sign in to your account, you’ll start seeing prompts to create and use passkeys, simplifying your future sign-ins. It also means you’ll see the “Skip password when possible” option toggled on in your Google Account settings.

Did you even look at their provided links? You took the time to create a new account, why not actually look at the provided links to see what is being claimed in the first place?


I read the link - I don't think "we will hassle people about this eventually but not even give them the option at signup" is the traditional definition of "default" though. Do you?


Prompting on first sign in is pretty “default” to me.

I highly doubt you read the link, otherwise you wouldn’t have gone through the whole sign up process just to prove something isn’t a “default” according to you. You’d have just referenced the article and made the exact same point.





