Google now lets you create Passkeys for your accounts, here's how to set it up
Google has announced support for Passkeys for user accounts. You can now log in to your Gmail account, or any other Google service, without typing your password.
What is a passkey, and is it safe?
A passkey allows you to sign in to your online accounts without using your password. Instead, it uses your device's screen lock, i.e. a PIN or device password, or your biometric data, such as the fingerprint scanner used by Windows Hello or macOS Touch ID, to prove that you own the account. The same applies to the screen lock methods on your Android phone or iPhone.
The passkey is created and stored locally on your device, i.e. a mobile phone or a computer, and the data is encrypted to prevent unauthorized access. When you try to log in to your account, the server asks the device to verify the credential associated with that account. The device in turn prompts you for your screen lock code to approve the request; once you enter the code or use your biometric sensor, the device checks it against the data stored locally and signals the server that access to the account can be granted.
Passkeys provide a quick and easy way to log in to your account: you just have to enter your username, and you don't have to key in your password. The fact that it does away with passwords completely is what makes it special. Passkeys will bypass authenticator apps or other 2FA methods that you may have enabled on your account. Does that mean that your Google account is no longer protected by 2-step verification? No, your account is still protected by 2FA. You may continue using your username and password along with your authenticator app to log in to your account; the passkey is just an extra option that you can enable.
You could say that a passkey acts as a combination of your password and two-factor authentication, rolled into one feature. And since the passkey never leaves your device, it is a secure way to log in to your account. Google says that passkeys are more resistant to phishing attacks, and are more secure than one-time codes that are sent over SMS text messages.
How to set up a Passkey for your Google account
1. Visit Google's Passkey creation page.
2. The website will prompt you to enter the password for your Google account.
3. Click on the Create a Passkey button.
4. Google will ask you to choose the device that you want to use for creating the Passkey. You can use your computer or mobile phone to create a passkey with your fingerprint, face, or screen lock.
5. Hit the continue button to proceed. Google will ask you to confirm the process by entering your device's screen lock code, or biometric data. That's it, you've set up a passkey.
Try it now. Log out of the account in your browser and sign in again with your passkey. No password required, that's pretty cool.
Though the steps to set up a passkey are identical across all platforms, there are some differences in the way the feature works on computers and phones. The important thing to note here is that your passkey is not synchronized across your devices: Google doesn't support passkey sync, unlike Apple, which syncs passkeys through iCloud Keychain.
But when you sign in to your Google account on a secondary device, i.e. one that does not have a passkey stored on it, the web page will offer to create a passkey on that device. You may choose to add it by confirming the device's screen lock code. Adding a secondary device is optional, and Google advises users not to create passkeys on shared devices.
Wait, how do you log in on a desktop browser if you created a passkey on a phone? Google's login page will display an option that lets you "add a new phone". Select it and the site will display a QR code on the screen. Use your mobile's camera app to scan it, and approve the login process.
A few things to note
Google Passkeys are supported on devices that run Windows 10, macOS Ventura, ChromeOS 109, iOS 16, Android 9 or above. They are also compatible with hardware security keys that support the FIDO2 protocol. A support page on the company's website claims that Passkeys are only supported on the following browsers: Chrome 109 or above, Safari 16 or up, Edge 109 or later. In truth, it works perfectly fine on all modern browsers; I actually created the Passkey using Firefox. I was also able to use it on Vivaldi, so it should work fine with other Chromium-based browsers.
The Passkey login page that I mentioned above displays options to sign in with an external security key (like a YubiKey) or a fingerprint sensor, or to add a new Android phone. The third option can be a little confusing, as you're not adding a new device. Don't worry, it works with iPhones too: just point your camera app at the QR code on the screen and a "sign in with passkey" option will appear. Tap on it, and it will authenticate the process using Face ID.
What if you lose your device? A thief wouldn't be able to access the passkey without the device's screen lock code/biometric authentication. You can remove the passkey from the device remotely via your Google account on another device. Please refer to the official support page for more details.
To opt out of signing in with passkeys, go to your Google Account's Security page and disable "Skip password when possible".
Note: Google says that Android devices will automatically create passkeys when you sign in to your Google Account. You have to opt out of it by removing the device from your account on the Manage Devices page.
A few websites, such as PayPal, have already added support for passkeys, and so have some password managers; it is only a matter of time before more of them adopt the protocol. I guess the passwordless future is here.
Have you tried Passkeys?