
Google Passkeys: Revolutionary Passwordless Authentication Technology

What are Google Passkeys?

Google has finally added support for a new technology called passkeys (or pass keys) on its accounts, which we will all be using very soon to make our lives easier. Passkeys are the result of an effort by all the major tech companies to replace passwords for logging into accounts. They are not just another two-factor authentication method, but a complete replacement for passwords altogether.

Passkeys are easier to use than remembering passwords, and they are theoretically phishing-proof. On certain websites, you do not even have to remember a username.

How Do Passkeys Work?

Instead of typing a password to log into your account, you scan a QR code with your phone to confirm the login. At its core, a passkey is built on a private key. Every account on every website you sign up for gets its own private key, and therefore its own passkey.

When you create a passkey, a private key is generated and stored in your phone’s secure element. The website receives only the public half of the key, which lets it verify that you hold the private key when you try to log in, without ever learning the private key itself.

The Login Process with Passkeys

The next time you sign into the website, it displays a QR code, which is essentially a test that says, “Here is a question that only the person holding the private half of this account’s key can answer.” When you scan the code with your phone, the phone uses the stored private key to answer the question, again without handing the private key to the website.

Once the website verifies that you hold that private key and are authorized, it logs you in on the original device. However, before your phone will answer the website’s test question, it requires a Bluetooth connection to the device that is trying to log in. This means the phone holding the passkey must be physically near the computer or device where the login is happening.

Security of Passkeys

With most two-factor authentication methods, a scammer can trick someone into handing over the login code or accepting a login prompt on their phone. With passkeys, even if a scammer tricks someone into scanning the login code, that phone will not be able to connect to the scammer’s computer via Bluetooth, so the scammer cannot log in either way.

Technically, passkeys are still two-factor authentication. They use your phone’s lock screen method (PIN, Face ID, fingerprint, etc.) as the second factor. To set up and use a passkey, your phone must have some kind of lock screen security.

If someone grabs your unlocked phone and tries to log into an account, they will not be able to, because they do not know your PIN or have your fingerprint. Likewise, if someone steals your phone, they cannot unlock it, and therefore cannot access your accounts.

Both Apple and Google keep cloud backups of passkeys, via Google Password Manager and Apple iCloud Keychain respectively, and these backups are end-to-end encrypted. So even if you lose your only phone, you can get a new one and sync the passkeys from the cloud onto it.

Another cool thing is that because each individual account on a website gets its own passkey, you technically do not even need to remember the username for that account. You simply select the passkey, which has the account name associated with it, and it logs you in.

Setting Up Passkeys on Google Account


To set up a passkey on your Google account, go into the settings and then the security settings screen. Under “add more sign-in options,” select passkeys. If you already have physical security keys set up, these will show here too for some reason, but just click “create a passkey.”

Windows Setup

If you have Windows Hello set up on your computer, clicking “continue” will use that method by default. It has you confirm the Windows Hello prompt, and then the passkey is set up. When you use Windows Hello, the private key for the passkey is stored in your computer’s TPM, assuming it has one.

iOS Setup

If you are going to set up using a phone instead, click “Use Another Device.” Chrome then pops up a QR code for the passkey. On iPhone, open the camera app, point it at the code, and tap where it says “Save a Passkey.” It asks you to confirm with Face ID or fingerprint, and once you have scanned and confirmed, the browser finishes the setup automatically.

Android Setup

With Android, once the setup code comes up, you scan it with the camera and a prompt says “Use Passkey.” It might ask whether Chrome can connect to nearby devices, which is the Bluetooth permission. It then displays which account you are creating the passkey for and which Google account’s password manager it will be stored in.

Logging In with Passkeys


When you want to log in, you type in your email address. By default, it asks you to use a passkey if you have any set up. On Windows, it defaults to the local Windows Hello login. On iOS/Android, it pops up a QR code for signing in, which you scan with your phone’s camera.

Your phone then connects to the computer via Bluetooth and asks you to confirm with Face ID, fingerprint, or your lock screen method. Once confirmed, you are logged in on the computer automatically.

Adoption and Future of Passkeys

Google has stated that passkeys are used on over 400 million Google accounts and have authenticated users more than 1 billion times in recent years. Passkeys are now used for authentication on Google Accounts more often than legacy forms of two-factor verification, such as SMS OTPs and app-based OTPs, combined.

Google is also expanding Cross-Account Security, which alerts users to suspicious events involving third-party apps and services connected to their Google Account, to cover more apps and services. Additionally, Google plans to support passkeys for high-risk users as part of its Advanced Protection Program.

Companies such as 1Password, Amazon, Apple, Dashlane, Docusign, eBay, Kayak, Microsoft, PayPal, Shopify, Uber, and WhatsApp have also adopted passkeys. Microsoft has integrated passkeys into Windows 11 and plans to support the standard for consumer accounts using biometrics or a device PIN on Windows, Google, and Apple platforms.

Passkeys can also be stored in third-party password managers such as 1Password and Dashlane, giving users more choice over where they are kept beyond Google Password Manager, iCloud Keychain, and Windows.

While concerns have been raised that passkeys are being used by companies to “lock users into a platform,” the overall trend suggests that passkeys are the future of passwordless authentication, offering a more secure and convenient way to log into accounts across various platforms and services.
