Passwords are a step closer to being no more than an unpleasant memory, with Google announcing the introduction of “passkeys”; cryptographic tokens that live on your personal devices and let you sign in to Google services with your fingerprint, face or PIN. But while passkeys may be the future, they’re not exactly straightforward today.
Passkeys replace the need for passwords and two-factor authentication (such as app codes or text messages), and in theory they’re safer than both. The passkey lives on your supported device (an Android phone, iOS device or PC), and communicates with the website or service you’re trying to access in order to prove you are who you say you are.
All you’ll have to do is verify your identity on the device using the measure you already use to unlock or log in. For now, you still need to have a password associated with your Google account. But a passkey makes it so you don’t necessarily need to memorise it, so you could make it something much more complex and difficult for attackers to crack. Plus, once passkeys are eventually adopted much more widely, you’ll be able to access any service seamlessly on your personal devices.
Passkeys have one additional advantage over passwords. They’re specific to particular websites, so scammer sites can’t steal a passkey from a dating site and use it to raid your bank account.
One potential danger is that any device you create a passkey on will become a skeleton key that unlocks all your stuff. For that reason, Google cautions that you should only create them on the devices that are very personal to you. But if, for example, you need to log into a website on a shared PC, you can do so by using your own phone. The first time you’ll need to scan a QR code, but from then on you’ll just get a prompt to unlock your phone to log in on the shared device.
If you’re keen to experience the future today, you can start using passkeys by going to g.co/passkeys and signing in (it may say you’re not allowed to do it if you’re using a work account). Click the option to “start using passkeys,” and from now on the Google Account sign-in screen will skip the passwords entirely. Android devices create passkeys automatically, but on computers or iPhones you’ll need to return to this page and create them manually.
If you’re on an Apple device, you’ll first be prompted to set up the Keychain app if you’re not already using it; it securely stores passwords and now passkeys as well. If you’re on an Android, they’ll be synced to the cloud using Google’s password manager. This way you won’t lose your passkeys if you change your phone.