Passwords are a pain. People use the same insecure passwords over and over again and yet still manage to forget them, which makes protecting accounts and data challenging for big tech companies. Even when someone does use a password that is long and complex enough to be relatively secure—because, say, they have a password manager—it is still vulnerable to social engineering attacks like phishing. All in all, passwords are a terrible system for protecting personal data, sensitive information, and your dog photos—which is why Apple, Google, Microsoft, and the rest of the FIDO Alliance are so keen to replace them with an approach called passkeys. And they’re doing it right now.
This week, Google announced that it was bringing passkey support to Android and Chrome—or at least to their latest beta software. If you’re enrolled in the Google Play Services beta or the Chrome Canary channel, you will be able to use them right now to log in to websites that support them. Google says they will come to the stable releases later this year and that their next milestone for 2022 will be to release an API (an application programming interface) to allow native Android apps to support them.
Google supporting passkeys in its products is a big step towards widespread adoption. Apple started supporting passkeys on the iPhone with iOS 16 and will support them on Macs later this year with macOS Ventura. Once Google adds them to Android and Chrome, the two most popular mobile platforms and the two most popular browsers will support them. That’s huge.
Passkeys use public key cryptography to create a more secure authentication protocol than passwords. When you sign up for a new account with a passkey, your device will create a pair of keys—a public key that is shared with the service and a private key that it stores securely locked behind your biometric data or a PIN.
Because of the underlying math, the public key can be public, as its name implies. Even if the site gets hacked and the key is released in a data breach or shared on social media, it isn’t enough to log in to your account. It only allows the website to verify that your device has the matching private key saved.
And the system is set up so that all user verification is handled by your device. This means your private key is never transmitted over the internet, which makes passkeys basically impossible to phish or steal. Instead, a temporary single-use token is sent that tells the website that you have the right private key. It’s really a great system.
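To make the mechanism in the three paragraphs above concrete, here is a small model of a passkey login written for this article (it is an added illustration, not code from Google, Apple or the FIDO Alliance). The device holds a P-256 private key that never leaves it, the website stores only the public key, and each login is the device signing a fresh one-time challenge together with the site origin the browser reports. The type and function names (`Authenticator`, `RelyingParty`, `Sign`, `Verify`) and the `https://accounts.example.com` origin are assumptions for the demo; a real WebAuthn exchange carries more fields than shown here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device. The private key is created here
// and is never returned or serialised; only the public half is shared.
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

// RelyingParty models the website. It keeps the registered public key, its own
// origin, and the single outstanding challenge for the current login attempt.
type RelyingParty struct {
	origin    string
	pub       *ecdsa.PublicKey
	challenge []byte
}

// NewAuthenticator generates the key pair on the device at registration time.
func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is the only key material the device ever hands to a website.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Register stores the public key; a breach of this store reveals nothing usable for login.
func (rp *RelyingParty) Register(pub *ecdsa.PublicKey) { rp.pub = pub }

// NewChallenge issues 32 random bytes that are valid for exactly one login attempt.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenge = c
	return c, nil
}

// signedData binds the challenge to the origin, so a signature produced for one
// site cannot be replayed at another (the origin is what the browser saw, not
// what the page claims to be).
func signedData(challenge []byte, origin string) []byte {
	h := sha256.New()
	h.Write(challenge)
	h.Write([]byte(origin))
	return h.Sum(nil)
}

// Sign is the device side of a login: it refuses unless local user verification
// (biometric or PIN) succeeded, then signs the challenge for the reported origin.
func (a *Authenticator) Sign(challenge []byte, origin string, userVerified bool) ([]byte, error) {
	if !userVerified {
		return nil, errors.New("local user verification failed; nothing signed")
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(challenge, origin))
}

// Verify is the website side: it checks the signature against the stored public
// key and its own origin, then discards the challenge so the signature is single-use.
func (rp *RelyingParty) Verify(sig []byte) bool {
	if rp.pub == nil || rp.challenge == nil {
		return false
	}
	ok := ecdsa.VerifyASN1(rp.pub, signedData(rp.challenge, rp.origin), sig)
	rp.challenge = nil // consumed whether or not it verified
	return ok
}

func main() {
	device, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	site := &RelyingParty{origin: "https://accounts.example.com"} // constructed origin
	site.Register(device.PublicKey())

	ch, _ := site.NewChallenge()
	sig, _ := device.Sign(ch, "https://accounts.example.com", true)
	fmt.Println("genuine login verifies:", site.Verify(sig))
	fmt.Println("replaying the same signature verifies:", site.Verify(sig))

	ch, _ = site.NewChallenge()
	sig, _ = device.Sign(ch, "https://accounts-example.com.invalid", true) // look-alike origin
	fmt.Println("signature made for a look-alike site verifies:", site.Verify(sig))
}
```

Run with `go run .`; the three printed lines come out `true`, `false`, `false`. Two things in the model carry the article's security claims: `Sign` never exposes `priv`, and `Verify` only ever sees a signature over a one-time challenge, so a captured login response is useless a second time or on a different origin.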
But perhaps the best thing about passkeys isn’t that they’re more secure, but that they’re much more convenient to use. In the blog post announcing passkey support, Google explains how you are able to create a passkey or log in to an account just using your fingerprint, face, or screen lock code—it’s literally two steps. You don’t have to worry about coming up with a long code or adding the requisite number of special symbols. And you don’t have to remember them either—they will automatically be synced in the background between your devices using Google Password Manager. Basically, the user experience will be like an autofilling password—but better and more reliable.
And, because passkeys are an industry standard, you will also be able to use your phone to log in on nearby devices regardless of what operating system they run. Say you need to print something using a friend’s Mac. You can log in to your Gmail account in Safari just by scanning a QR code with your Android phone. Really, the long sought-after passwordless future is coming soon—and it looks great.