Users can now create passkeys for their Google account, the company announced on Wednesday.
Passkeys will enable users to sign in to their Google account on all major platforms and browsers with their fingerprint, face recognition, or a local PIN.
The advantages of using a passkey
A passkey is a digital key that is linked to a user account and a website or app. It lets users prove who they are without needing to type in a username or password, or to provide another authentication factor.
A passkey contains a cryptographic private key that is used to generate a unique challenge signature, which is required for login. When the passkey is created, a public key is uploaded to Google, which is used to verify the signature during the login process. The signature proves the legitimacy of the device and its owner.
The public key and the signature are the only data shared with Google, and they don’t contain biometric data. The passkey is stored on the enrolled device – local computer or mobile device – but can also be backed up (encrypted) to the iCloud Keychain or Google Password Manager and synced to other devices.
“Your device also ensures the signature can only be shared with Google websites and apps, and not with malicious phishing intermediaries. This means you don’t have to be as watchful with where you use passkeys as you would with passwords, SMS verification codes, etc.,” said Google’s Arnar Birgisson and Diana K Smetters.
Setting up a passkey doesn’t mean your other login credentials will stop working. “Existing methods, including your password, will still work in case you need them, for example when using devices that don’t support passkeys yet.”
How to set up passkeys for your Google account
You can set up a passkey through your Google account’s Security settings quickly and easily. You can set it up on your computer or mobile device.
If you don’t want to save a passkey on your computer, there are other options (Source: Help Net Security)
Once the option has been set up, you can sign in to your Google account with your fingerprint, face recognition or a PIN.
Unlike passwords, passkeys can only exist on devices and cannot be written down or given to a bad actor by accident.
A passkey can be created for different devices, meaning that users can authenticate themselves via various devices (and not just their phone). But users are advised against creating a passkey on shared devices.
Users can use passkeys to access their account from someone else’s device, though.
“On the new device, you’d just select the option to ‘use a passkey from another device’ and follow the prompts. This does not automatically transfer the passkey to the new device, it only uses your phone’s screen lock and proximity to approve a one-time sign-in. If the new device supports storing its own passkeys, we will ask separately if you want to create one there,” they explained.
“The Bluetooth proximity check ensures remote attackers can’t trick you into releasing a passkey signature, for example by sending you a screenshot of a QR code from their own device.”
Finally, if a device with the passkey is lost or stolen, it’s easy to revoke the passkey via Google account settings.