Illustration by Alex Castro / The Verge
Google announced on Wednesday morning that it has taken another step on the journey toward a passwordless future by rolling out support for passkey login to Android and Chrome. Passkeys, which let you use your phone or computer’s built-in authentication systems instead of a traditional password, have support from all the major tech companies, with Apple, Google, and Microsoft pledging to bring the feature to their OSes.
Essentially, passkeys are a credential stored on a device, like your phone or computer, that confirms to a website or application that you are who you say you are (though Google is still working on the passkey API for native Android apps). You verify your identity to the device, and it can then securely log in to sites and services you use without relying on a password that could be stolen, reused across multiple sites, or that you might be tricked into giving up to a fake customer service agent or using on a fake phishing site because you clicked the wrong link.
Today we’re also releasing passkey support @FIDOAlliance for developers on @Android & @googlechrome. This is on the heels of the #passwordless announcement we made earlier this year and in celebration of #CybersecurityAwarenessMonth https://t.co/FhwHVw9OEi
— mark risher (@mrisher) October 12, 2022
A passkey can’t be easily stolen in the same way that a password can, and because using one relies on access to a physical device, it combines the security of hardware two-factor authentication with the familiarity of smartphone use.
While the feature is currently still mostly for early adopters, the stable launch coming later this year will let people log in to supported websites using their device’s fingerprint reader or other authentication factors instead of a password.
Google made the passkey announcement in a post on the Android Developers Blog, addressed to both developers and device end users, who’ll be able to take advantage of the new feature in different ways. Now that all the platforms people use are starting to support passkeys, developers have the incentive and opportunity to make sure they actually work before the features are available to everyone.
Web developers can build support for passkey login on sites they operate by using the WebAuthn API and testing on the Chrome Canary browser or the Google Play Services beta program. For early adopters wishing to test on Android, the feature is already rolled out.
Android passkeys are stored locally on a phone, but they are also backed up to the cloud in case the device is lost. Google has an in-depth explanation of how the system works on its security blog if you want to do a deep dive.
Image: Google
When you go to login with a passkey, you’ll be prompted which account you want to log in with. After you pick, you’ll be asked to scan your fingerprint, put in your pin, or otherwise authenticate yourself as you would to unlock your phone.
Cross-platform
One of the most significant aspects of the passkey system is its cross-platform compatibility. A passkey saved on a phone can be used to authorize a web login on another nearby device, which means that (as Google has been keen to point out) an Android phone owner can sign in to a passkey-supporting website from Safari on a Mac. In terms of the user experience, this will involve scanning a QR code in a pop-up shown by the desktop site and confirming on the phone that the passkey login option should be used.
This compatibility across platforms is possible because passkey technology is built on shared, underlying industry standards known as FIDO2 and Web Authentication Level 3 rather than being a proprietary technology.
You can log in to a site on your Apple device using your Android phone just by scanning a QR code.
Passkey logins aren’t widely implemented yet, though adoption is growing and is scheduled to roll out to the major platforms throughout this year and early next year. iOS 16 and the upcoming macOS Ventura support them, as does the Dashlane password manager. As for what you can log into using passkeys, there are a few apps and websites that support them, such as Dropbox and Best Buy, but based on our tests, you have to go out of your way to actually use the feature; it’s not the default.
Overall, Google is optimistic about bringing forward the timeline of a passwordless future. A forthcoming update will bring changes to Android that allow third-party credential managers (presumably the likes of LastPass, 1Password, and others) to support passkeys for their users.
“Google remains committed to a world where users can choose where their passwords, and now passkeys, are stored,” the blog authors write. “Today is another important milestone, but our work is not done.”