These passkeys use public-key cryptography, so if they’re involved in a data breach, they’re useless to bad actors without your face or your fingerprint. Similarly, if your laptop or phone gets stolen, your accounts can’t be accessed because you’re not going to be around to provide the necessary authentication.
This isn’t just a Google initiative. Organizations such as the FIDO Alliance and the W3C Web Authentication group are busy working toward a passwordless future as well, so you’ll be able to use these systems across any device, whether made by Google, Apple, Microsoft, or any other hardware maker.
Setting Up and Using Passkeys
The good news is that using passkeys is as easy as unlocking your phone—it’s intended to be as straightforward as possible. You’ll be able to choose to move to a passkey system for your accounts, but only when the app you’re logging in to and the device you’re using have been upgraded with passkey support.
Let’s say Google has finished rolling out passkey support to Android, you’re logging in to an app that has been updated to use passkeys, and you’ve said yes when prompted to make the switch from a standard password. You’ll then be asked to create a passkey, which will involve you having to do the same action you do to unlock your phone—show your face, press down your fingerprint, or enter a PIN. That creates the passkey and authenticates the link between the app in question and the device in your hand. Whenever you need to log in to that app in future, you’ll need to go through the same unlock process. As with passwords, how long that authentication lasts will vary: With your banking app, you’ll usually have to log in every time, whereas with a social media account one login per device is often enough.
You’ll also be able to log in to sites on your computer through your phone via the magic of a QR code. The site will display a QR code that you scan with your phone—once you’ve gone through the unlock process on your mobile device, your identity will be confirmed and you’ll be logged in to the site.
Encrypted synchronization across devices will also be handled—Google Password Manager is adding support for passkeys, for example, so should you lose access to one device, you can still get at your accounts from another one or from the cloud, assuming you’re able to provide the necessary authentication (and you haven’t changed your fingerprints or face in the meantime).