To create a Google Passkey, go to g.co/passkeys, log in, and click "Create a Passkey." Follow the prompts to verify your identity using your fingerprint, FaceID, or screen lock. Once done, you can use your Passkey to sign into your Google account on any supported device or browser.
Google recently announced a new feature called Passkeys for personal Google accounts, which should make it easier and more secure than passwords to sign into your account. Ironically, the new feature meant to replace passwords has been released on World Password Day.
Why do we need to replace passwords?
Sure, passwords were a great way to secure accounts when they were first introduced, but they are no longer secure enough. They are inconvenient to use, and they are vulnerable to phishing attacks and data leaks. And they put a lot of responsibility on users' shoulders, which to be honest, most people are failing in.
Even if you aren't one of these people and creating strong passwords is one of your superpowers, you'll be stunned to know how many users are often unable to create strong passwords. Passwords like 123456 or password are still the most popular passwords worldwide.
And then there are those who do end up creating a strong password but then think their job is done and reuse the password across multiple sites. Even if you are a rare breed who uses strong passwords and never reuses them, they are still vulnerable to phishing attacks, data leaks, and the more notorious "SIM swap" attacks that even render 2SV (2FA/ MFA) authentication useless.
Passkeys are a better alternative because they transcend these problems faced by passwords.
What is a Passkey?
Passkeys are a new type of passwordless authentication that uses your biometric data, like a fingerprint, face scan, or device screen lock, like a PIN, to verify your identity. This means that you don't have to remember any passwords, and you're less likely to fall victim to phishing attacks since you cannot accidentally give away your password to a harmful entity.
They are also more secure and convenient than passwords. Since they are stored on your device, they are not vulnerable to data leaks. They are also easier to use than passwords as you can sign in with a single tap or scan instead of having to type long passwords every time.
Passkeys are also unique to the website or app you are signing in to so there's no risk of reusing them.
For technical users who want a sneak peek under the hood, here's a small explainer:
Passkeys are based on the WebAuthentication (or “WebAuthn”) standard, which uses public-key cryptography. Public-key cryptography uses two keys – a public key, which is stored on the server and is visible to everyone, and a private key, which is a secret key that no one will know to encrypt the data. The private key is stored on your device and in most cases, never leaves it. In any case, it is never shared with the server.
How Do Google Passkeys Work?
When you create a passkey for your Google account, a private key is created that is stored on your device. A corresponding public key is also created, which is uploaded to Google's server.
When you want to sign in to your Google account, your device has to sign a unique challenge with the private key after your approval. Google will then verify the signature using the public key stored on their server, and if they match, you'll be signed in. Neither of the information shared with Google, i.e., the signature and the public key, will contain any personal information about your biometrics.
The device you're using for Passkeys will also ensure that the signature is only shared with Google websites and apps, and not with harmful phishing websites. So, you don't have to be as vigilant when using passkeys as with other forms of authentication.
Google has developed Passkeys with other players in the FIDO alliance; this makes Passkeys compatible with multiple devices and operating systems.
Google Passkeys, too, support various devices, operating systems, and browsers. If you're enrolled in the Advanced Protection Program, passkeys can also be used in place of security keys. These include:
- Windows laptop or desktop running Windows 10 or higher
- Mac devices running at least macOS Ventura
- iPhones running at least iOS 16
- Android devices with Android 9 or higher
- Hardware (USB) security key that supports the FIDO2 protocol
You will also need either of these browsers on your device to use Passkeys:
- Chrome browser 109 or up
- Safari browser 16 or up
- Edge browser 109 or up
Your device must also have the following enabled to be able to use Passkeys:
- Screen Lock
- Bluetooth (if you want to use a passkey on your phone to sign in to your Google account on another computer).
Passkeys might also be available on other devices. For example, if you create a passkey on your iPhone, it'll be synced to iCloud Keychain and hence, it'll be available on your Mac using the same Apple ID. Similarly, if you're using a Password Manager, like Google Password Manager, to sync your passkey, it can also be available on other devices. Password managers use end-to-end encryption on passkeys before syncing them so you can rest assured that they are still secure.
How to Create a Passkey for your Google Account
You can use any of the supported devices to create a Passkey. For the sake of this guide, we'll be showcasing the process using an iPhone on the Safari browser but the process will be the same on other devices as well.
To create a passkey, go to g.co/passkeys. You will have to verify that it's you who's trying to create a passkey by logging in to your account.
Next, tap on the 'Create a Passkey' option.
A pop-up will appear; tap 'Continue'.
Another confirmation pop-up will appear from the iCloud keychain (if you're on an Apple device) asking whether you want to save a passkey for your Google account. Tap 'Continue' again. Then, verify your identity using your fingerprint, FaceID, or screen lock.
And that's it. A passkey will be created. Tap 'Done' to close the pop-up.
Using the Passkey to Sign In
Now, the next time you want to sign into Google or any associated service, you can sign in with your Passkey.
For example, let's say you're signing into google.com. Tap 'Sign in' and enter your account details.
Then, on the 'Use your passkey' screen, tap 'Continue'.
A security pop-up from the iCloud keychain will appear; tap 'Continue' again. Then, confirm your identity using your biometrics or device passcode.
Using the Passkey to Sign In on Another Computer
If you want to sign into your Google account on another computer, you can do so using the Passkey you just created on your mobile phone. Your phone must be in proximity to your computer as a small anonymous Bluetooth message is used to check that your devices are near each other.
Let's again take the example of google.com. Click on the 'Sign in' button and enter your account details. Then, click 'Continue' on the 'Use your passkey..' screen.
Next, choose the device that has the passkey. Here, we selected 'Use a phone or tablet'.
A QR code will appear on your screen. Open your phone's camera and scan it. Tap the 'Sign in with a passkey' option. Then, confirm your identity using biometrics.
If this is a device you own, you can create a new passkey on it to make the logging-in process faster. Go to g.co/passkeys on your computer's browser and repeat the same steps as outlined above. Your account will also show the passkeys you already have on other devices.
Passkeys are the secure new direction we're moving in. Create a Passkey for your Google account and secure yourself against all kinds of threats that plague passwords.