Managing passwords is pain. Tools exist to help (like password managers) but staying on top of them remains dreary work.
But a new system for securing accounts is filtering through the web—passkeys. They take away a lot of the burden associated with passwords. You simply need a device capable of serving as an authenticator to set up a passkey, then you’ll use a biometric method on that device (face identification, fingerprint) or a PIN to authorize logins. And after much anticipation, their rollout is starting to pick up steam—as evidenced by this week’s launch of passkey support for Google accounts, right on the eve of World Password Day 2023.
Passkeys first started generating buzz last year when Google, Microsoft, and Apple all pledged to adopt them. A form of passwordless sign-in based on FIDO standards, passkeys manage your login info through public-key encryption (also known as asymmetrical encryption), in which a public key and private key are generated. For a passkey, the public key is held by the website you’re logging into, while you have the private key. You can store the private key to a device, but also sync it to an account for access from other devices. The two keys together let you to get into the website. Google first started with support for storing passkeys in Chrome and Android back in October 2022. Now you can log into your Google account via passkeys, too.
Lloyd Coombes / Foundry
Why would you want to use a passkey instead of a password when you already have a strong, unique password and two-factor authentication (2FA) set up? Passkeys offer higher protection against data breaches. Google only has your public key, which can’t be used to figure out your private key. Passkeys are also bound to the website they’re generated for, which prevents bogus sites from stealing your credentials. Additional two-factor authentication isn’t needed for added protection.
You don’t have to move completely over to a passkey, however, especially if you still have questions about them after reading Google’s easy-to-read overview of how passkeys work. (I hope to address common concerns in a future article.) But the best way to understand how they work is to see them in action. Read on for instructions on enabling passkeys on your Google account.
Note: At the time we tested this feature, no obvious option existed to remove passkeys once enabled. If you find that problematic, you can try passkeys on a different service where that outcome won’t bother you.
How to enable passkeys on a Google account
- Head to myaccount.google.com.
- On the left side of the page, click on Security.
- Under How you sign into Google, click on Passkeys. If you don’t see this option, you’ll need first to click on Use your phone to sign in and link your account to a device like a phone or tablet.
- Click on the blue Use passkeys button.
Any Android devices you’re logged into with your Google account will automatically be available for passkey setup. The actual creation of the passkey won’t happen until you first authenticate via passcode and complete the process using the device, however.
You can create other passkeys by clicking the white Create a passkey button. If you’re on a PC that can’t be used to create a passkey, you’ll see a dialog box with a blue button to Use another device. Clicking on it will open another window with several options to choose from, including a different device. For that option, a QR code will appear that you’ll scan with your phone or tablet’s photo app. This is also the way to set up passkeys in a password manager. (Yep, such services are expanding and evolving, rather than waiting to die.)
By the way, if you have two-factor authentication enabled on your Google account, it won’t be asked for when you log in with a passkey. You’ll only ever be asked for a second factor when logging in with your password. Since a passkey already requires something you know (the private encryption key stored on the device) and something you have (the phone), the thinking is that people don’t need another layer for login.
What about other sites?
our favorite password manager supports passkeys
The amount of time it takes to set up a passcode is breathtakingly fast, but its implementation is still unfolding slowly, as you can see from this list hosted by password manager 1Password. Speaking of, password managers haven’t universally released passkey support yet—so far, NordPass and Dashlane (our favorite) appear to be first out the gate, though others like 1Password have plans to follow later in 2023. Passkeys are still in their early days, however. Adoption should spread faster as the months roll on.