PayPal launches Passkey support on Android, but not as you might expect
PayPal Inc. announced the rollout of a new security feature today. The new feature adds passkeys support to PayPal for Google Android devices.
Passkeys is a relatively new security standard that is designed to replace passwords for many use cases. Instead of relying on passwords for sign-ins, passkeys rely on cryptographic key pairs that are generated on the user's device. A public key is shared with sites and services, a private key is kept on the user's device and never leaves it. Passkeys authentication is straightforward, as it does not require users to enter passwords anymore for verification. Instead, they may use other means, such as biometric authentication systems or the device's PIN to verify the request.
PayPal introduced support for passkeys on iOS in 2022 already. The rollout for Google Android devices brings support for passkeys to the second major mobile platform, albeit differently than users might expect.
Passkeys support is not added to PayPal's Android application, but only the PayPal website. The new feature has other limitations currently. It is only rolling out to users from the United States, who run Android 9 or newer, and who use the Google Chrome web browser. If all of these requirements are met, PayPal users may create a passkey on PayPal's website and use it to sign-in on that website from that moment on.
PayPal explains how eligible customers may create passkeys on Android:
- Using the Chrome web browser on an Android 9 or newer, device, users need to log in to the PayPal website in the browser using their username and password.
- Users may see the "create a passkey" option automatically after sign-in, which informs them about the availability of the security feature.
- The prompt includes an option to create a passkey for the account, which requires entering the username and password again.
- Future logins use the passkey feature from then on out on "passkey-enabled PayPal platforms".
PayPal does not mention it specifically, but Google Chrome 108 or newer is required, as Google introduced passkeys support in that version of Chrome.
Passwords are not going away, according to PayPal. Customers who prefer to use passwords, and accompanying two-factor authentication options, if enabled, may continue doing so, even after the full rollout of passkeys on PayPal's website for Android devices. The password and username option is necessary on devices that do not support passkeys yet.
PayPal is a founding member of the FIDO Alliance, which has developed the passkeys standard. Other members include Google, Microsoft and Apple.
The security standard eliminates several common forms of attacks on the Internet, including phishing attacks, brute force attacks against accounts, or server-based attacks to download the entire user database with passwords data.
Several password managers have added passkeys support already, more will follow. NordPass, Dashlane, Bitwarden, 1Password and others have announced support already, and the default password managers on iOS and Android supports the functionality already as well.
PayPal did not reveal when passkeys support is coming to the company's dedicated app on Android and other platforms.