By Bobby Jefferson on Sunday, 22 September 2024
Category: Tech News

Passkeys on Android Make Your Life Easier: Here's How to Use Them


Passkeys are Android’s first real-world step towards passwordless logins. They’re not all the way there yet, but they do take away the pain of forgetting (and remembering) passwords where they’re supported. Allow me to show you how you can log into apps and sites just by scanning your fingerprint.

Why Do Passwords Suck?

As long as we’ve had computers, we’ve needed some way to share them. A clever way to share one machine with multiple people is to give everyone a secret piece of text, or “password.” Everyone has their own secret password linked to their ID or name. A list of these secret passwords is saved on the computer. When someone enters a username and password combination, the computer compares it with the list of passwords it has saved.

If the combination is correct, the authentication is complete, and the computer unlocks. Later on, we used the same solution to give people access to websites on the internet. Today, usernames and passwords are some of those things we forget weren’t always around (at least I do).

The reason I’m explaining how passwords work is that it helps us understand why they aren't great. In the scenario we just laid out, there are two copies of the password floating around. One copy is with the user, and the other is in the computer's database.

For the end user, it’s annoying to remember passwords and even more annoying when they forget them. They also have to make their passwords harder to guess, so they can’t just pick something easy to remember (some sites even demand you create a strong password). On top of that, OTPs and other forms of Two-Factor Authentication (2FA) stretch the sign-in process even further.

Beyond just the plain inconvenience, passwords have a big security flaw inherent in the design. Since there’s a copy of your password kept in the site’s database, if it leaks, your entire account is exposed. You’ve probably heard about data breaches and how people’s usernames and passwords end up in the shady corners of the internet, en masse, and accessible to anyone.

Sometimes attackers create identical copies of reputable websites and release them on the internet in the hopes that someone mistakes their fake site for the real one and attempts to log in. This is a “phishing” attack. Once the victim takes the bait and logs into the fake website with their real password, the attacker steals the password. Phishing attacks are ridiculously common.

What Are Passkeys?

Passkeys are radically different from passwords. Instead of a password acting as the “key” to unlocking the account, passkeys work on biometric authentication. In plain words, you can log into a website or an app the same way you unlock your phone. Instead of entering a username and password, you choose the passkey option and simply scan your fingerprint or enter your PIN to sign in.

Behind the scenes, the passkey is based on two separate keys: a public key and a private key. The public key is saved on the website, and the private key is safely kept on your phone or computer. When you try to log into your account, the private key (which is tied to the public key) is used to authenticate your identity.

There is no copy of the private key saved on the website, and it’s not sent anywhere either. At no point does the service holding the public key ever see the private key.
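To make the two-key design concrete, here is an added example in Go, not code from the article or from Google Password Manager, that models the flow in simplified form: the website (assumed name RelyingParty) keeps only a public key, the phone (assumed name Authenticator) keeps the private key and signs a fresh random challenge after the fingerprint prompt, and the signed data is bound to the site's origin. It is a simplified stand-in for the real WebAuthn/FIDO2 exchange, not its wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// RelyingParty is the website: it stores public keys only, so leaking Users gives nothing to sign in with.
type RelyingParty struct {
	Origin string
	Users  map[string]*ecdsa.PublicKey
}
// Authenticator is the phone: private keys are generated here and never leave, keyed by origin.
type Authenticator struct {
	Keys map[string]*ecdsa.PrivateKey
}
// Register creates a fresh P-256 key pair and sends only the public half to the site.
func (a *Authenticator) Register(rp *RelyingParty, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a.Keys[rp.Origin] = priv
	rp.Users[user] = &priv.PublicKey
	return nil
}
// Sign is the step behind the fingerprint prompt: it signs the site's random challenge
// bound to the browser-reported origin. A look-alike origin has no key, so it gets nothing.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, bool) {
	priv, ok := a.Keys[origin]
	if !ok {
		return nil, false
	}
	digest := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return sig, err == nil
}
// Verify checks the signature with the stored public key and the site's own origin;
// a fresh challenge per login means a captured signature cannot be replayed.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.Users[user]
	if !ok {
		return false
	}
	digest := sha256.Sum256(append([]byte(rp.Origin+"|"), challenge...))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```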

Why Use Passkeys Over Passwords?

You should use a password manager if you aren’t already. It’s the only way to create and use unbreakable passwords on the fly. Whenever you sign up for a site or app, the password manager will request you to create and save a strong password for the new account, and then on the next visit, it’ll autofill the credentials for you.

Ever since I started using a password manager, I’ve had to rely on the manager to autofill my (strong but impossible to memorize) passwords. So whenever I have to log into a device where my password manager isn’t already set up, I have to copy the passwords from my phone manually. Passkeys save me that hassle.

If you don’t use a password manager, passkeys will still make your digital life a lot easier. You’ll never have to click that dreaded “forgot password” link. And your logins will become instant and effortless.

Passkeys are also a lot more secure and sophisticated. They are strong by default. The public/private key design is impossible to brute-force (or guess) and phish. Even if someone somehow manages to lift the private key (which is saved on the device), they can’t do anything with it without your biometric authentication.

There’s no password to steal, and there’s also no need for a separate 2FA step. So, with passkeys in place, you’ll never have to wait for SMS, email, or authenticator OTPs.

Setting Up a Passkey

Google has baked the passkey feature inside the Google Password Manager app. Think of it as a replacement for the username and password combination, which we usually save in the Password Manager. Instead of a combination, we’ll now just save a passkey.

The first step is to create the passkey. If a site or app supports passkeys, it’ll automatically offer to create a passkey for you when you try to sign in with your username and password. Accept the prompt, and save the passkey to the Google Password Manager with your fingerprint scan. Alternatively, you might have to go into the app’s settings to manually create one. For example, WhatsApp has a dedicated “Passkeys” menu in the “Account” settings.

To show you how that might look in action, I’m going to create a new passkey on a website. Go to Passkeys.io if you want to follow along. It’s a demo site where you can test how passkeys work.

Start by creating a new account. Let’s give it a dummy email and press the “Create a Passkey” button. Confirm the creation with your fingerprint scan, and tap the “Continue” button.

Using a passkey is as simple as it gets. Just tap an input field and select the “Use a Passkey” menu. Some sites have a dedicated button for using passkeys next to the regular sign-in options. Do that and select a saved passkey from the pop-up menu. Then, you just have to use your screen lock to complete the sign-in.

Google will automatically offer to create passkeys for you when you successfully sign in with a Google Account on Android.

There Are Some Limitations

Until very recently, passkeys were limited to the Android version of the Google Password Manager. And you had to scan a QR code with your Android phone to use passkeys on other devices. But Google is now expanding the feature to include more platforms, including Windows, macOS, Linux, and even ChromeOS.

Secondly, not every app and service has adopted passkeys yet. A lot of popular apps, including Spotify, WhatsApp, and Discord, have the feature, but a lot more are still stuck on passwords. You can check out a detailed list of all supported apps and services on this page.

Passkeys are the future. They’ll make our digital lives a lot more convenient and secure by (hopefully) replacing passwords at some point. You’re missing out if you haven’t started using them yet.

(Originally posted by Faisal Rasool)