Google Chrome 108 adds support for Passkeys on Windows, macOS and Android
Google Chrome 108 was released to the stable channel last week. It added support for a new way to sign in to online accounts: passwordless logins, also known as Passkeys.
The name might seem familiar to you if you read my article about macOS 13 Ventura. Apple Safari in iOS 16, iPadOS 16 and macOS 13 was the first browser to add support for Passkeys.
What are Passkeys? Passkeys are a secure login method developed by the FIDO Alliance and the World Wide Web Consortium (W3C), whose members include Silicon Valley giants such as Apple, Google and Microsoft.
What's the need for it? Regular passwords can be phished, leaked, stolen or brute-forced if the passphrase is weak. Passkeys sidestep these issues completely: there is nothing to be guessed, leaked or stolen. The Passkeys are stored on the user's device in an encrypted form that can only be accessed with biometric data such as Face ID, fingerprint ID, Windows Hello, PIN, etc. The Passkey on the user's device is referred to as a private key. This is used in tandem with a public key (username) stored on a website's login system.
If a user has saved their account credentials as a Passkey, and they try to log in to the website that the account belongs to, the server's public key asks the user to provide the Passkey associated with their account. This is done by approving the login using the computer or mobile phone's fingerprint scanner, camera (Face ID), or the PIN code used to unlock the screen. The device scans the encrypted Passkey data that is stored locally, and tells the server to approve the login request. In other words, your Passkey never leaves your device. You may sync Passkeys across devices; this depends on the app and OS that you use.
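The login flow described above, as an added example (not code from this article, Chrome or the FIDO Alliance): a simplified WebAuthn-style challenge/response in Node.js in which the site stores only a public key, issues a random challenge, and checks the device's signature, the origin and the challenge. The names createPasskey, verifyAssertion, shop.example and the look-alike origin are constructed for illustration, and the authenticator data is reduced to the fields checked here.

```javascript
// Added example: simplified WebAuthn-style challenge/response (not real browser code).
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();
// Device side: the private key stays inside this closure and is never exported.
function createPasskey(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey, // handed to the website once, at registration
    sign(challenge, origin) {
      // The browser, not the page, records the origin it is really connected to.
      const clientDataJSON = Buffer.from(JSON.stringify({
        type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
      // Reduced authenticator data: SHA-256(rpId), flags (0x05 = present + verified), counter.
      const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
      const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
      return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, privateKey) };
    },
  };
}

// Website side: holds only the public key and the challenges it has issued.
function verifyAssertion(a, publicKey, expected, pending) {
  const clientData = JSON.parse(a.clientDataJSON.toString());
  if (clientData.type !== 'webauthn.get') return 'wrong type';
  if (!pending.delete(clientData.challenge)) return 'unknown or reused challenge';
  if (clientData.origin !== expected.origin) return 'origin mismatch';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return 'rpId mismatch';
  if ((a.authenticatorData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}
function demo() {
  const expected = { rpId: 'shop.example', origin: 'https://shop.example' }; // constructed
  const passkey = createPasskey(expected.rpId);
  const pending = new Set();
  const newChallenge = () => {
    const c = crypto.randomBytes(32);
    pending.add(c.toString('base64url'));
    return c;
  };
  const good = passkey.sign(newChallenge(), expected.origin);
  const relayed = passkey.sign(newChallenge(), 'https://shop-example.test'); // look-alike site
  return {
    genuine: verifyAssertion(good, passkey.publicKey, expected, pending),
    replayed: verifyAssertion(good, passkey.publicKey, expected, pending),
    lookalike: verifyAssertion(relayed, passkey.publicKey, expected, pending),
  };
}
console.log(demo());
```

The server never receives anything it could replay: a response signed for a look-alike origin or for an already-used challenge is rejected even though the signature itself is valid.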
Intrigued by the new security feature? You can start using Passkeys in Chrome on websites that support it. That's the issue: very few sites have adopted the new protocol. This Passkey directory page (owned by 1Password) has a list of services that support the new protocol, including PayPal, BestBuy, eBay, Microsoft, NVIDIA, etc.
How to use Passkeys in Google Chrome
1. Open Google Chrome on your Android phone. You need to have password saving and syncing enabled in the app.
2. Go to a website that supports Passkeys. For example, you can try it on this demo site: https://webauthn.io/
3. Create a new ID.
Note: If you are testing this with another site, you should sign in to your account and change the login type.
4. Chrome will offer to save the site as a Passkey. (refer to the first image in this article)
5. Select yes, and it will ask whether you'd like to use your mobile device's screen lock as the Passkey.
6. Accept it, and confirm your fingerprint ID or PIN.
7. Now, open Chrome on your Windows or Mac computer, and go to the same site.
8. Try to log in to your account, and authenticate your profile. The site will display a panel that asks you to use your Passkey.
9. Select the name of the device that has the Passkey stored on it, and you should see a notification from the Chrome mobile app.
It will request to turn on Bluetooth on your phone to connect to your computer. Once that is done, it will display a prompt to unlock the screen.
10. Approve the login request with your screen lock code or fingerprint or Face ID.
This is how the Passkeys passwordless system works. You may also use your mobile phone to scan a QR code to sign in using the Passkey, though the process is a little different.
If you select "use another device", the site displays the QR code.
Scan it with any camera app that supports QR, and you should see a URL that begins with FIDO:/ followed by a long numerical string. Tap the open button, and Chrome will start the authentication process using Bluetooth (as in step 9 above). Though it sounds complicated, the whole process only takes a few seconds to complete.
In addition to this, Passkeys also support hardware security keys such as Yubikey USB devices, so you should be able to use it with any FIDO supported device. I have not tested this method.
Some services that support Passkeys don't allow it to be used directly, and instead rely on two-factor authentication. Microsoft is probably the best example of this. You can switch your regular account to a "passwordless account", and it will use your Windows Hello PIN or Fingerprint ID to access the account. This doesn't log you in, though; it sends a notification to the Microsoft Authenticator app on your mobile phone, which you have to approve manually. This is sort of like the 2-step verification that you get on your phone when you try to log in to your Google account, and it asks you to approve the request.
Passkeys in Google Chrome
macOS syncs your Passkeys between your devices using iCloud Keychain. Chrome on iOS and iPadOS follows the same pattern, but Chrome on macOS does not; instead, it saves them in a local profile. On Windows, Chrome uses Windows Hello to store the Passkeys, and doesn't support syncing with other devices. Users will have to rely on their mobile phone that has the Passkey to scan a QR Code and approve the login request. Once they do this, the Windows computer stores the data in Windows Hello, and this is used for subsequent logins. Coming to Google's own OS, Chrome on Android stores Passkeys in the Google Password Manager, and they are synced between devices that have the app.
Chrome supports Passkeys on Android, iOS, iPadOS, macOS and Windows. The chart says that Linux is not supported. I think it only means that Passkeys cannot be created/stored on Linux computers, so it should still allow you to sign in using your mobile phone by scanning a QR Code.
You can manage your Passkeys from Chrome's autofill section on Windows, macOS and Android. Google's announcement mentions that future versions of Chrome on Android will allow third-party password managers that support Passkeys to be used for autofill. Please refer to the FAQ on FIDO's website to learn more about Passkeys.
Passkeys may be a little inconvenient to use compared to autofill, but that's a small price to pay for better security.
Have you tried Passkeys?