Google added passkey support to Android and Chrome yesterday. Passkeys are a far more secure alternative to passwords and other phishable authentication factors. They can’t be reused, don’t leak when a server is broken into, and keep users safe from phishing attacks.
Passkeys are built on industry standards, work across multiple operating systems, and can be used for both websites and apps. Passkeys adhere to well-known UX patterns and build on the existing experience of password autofill. Using one is similar to using a saved password today, in that users simply confirm with their existing device screen lock, such as their fingerprint. To prevent lockouts in the event of device loss, passkeys on users’ phones and computers are backed up and synced via the cloud. Users can also use passkeys saved on their phone to sign in to apps and websites on other nearby devices.
Passkey support enables two key capabilities and represents a significant step forward in our work:
- Google Password Manager lets Android users create and use passkeys that are securely synced.
- Passkey support can be added to websites for end users through the WebAuthn API in Chrome, as well as on Android and other supported platforms.
Using a passkey to sign in to a website on an Android device
- confirm the passkey account information, and
- when prompted, present their fingerprint, face, or screen lock.
- The user selects the account to which they want to sign in, and
- When prompted, they present their fingerprint, face, or screen lock.
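What a website verifies once such a sign-in completes, as an added example that is not from Google's post: the relying-party checks on a WebAuthn assertion, written for Node.js, showing why a look-alike origin or a replayed response is rejected and why the server holds only a public key. The domain `example.com`, the look-alike origin, and the in-process stand-in for the browser and authenticator (`makeAuthenticator`) are assumptions constructed for the illustration.

```javascript
// Added example: relying-party checks on a WebAuthn sign-in assertion (Node.js).
const crypto = require('node:crypto');

const RP_ID = 'example.com';          // assumed relying-party ID
const ORIGIN = 'https://example.com'; // assumed origin the site expects
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// The server stores only publicKey, so a database breach exposes no sign-in secret.
function verifyAssertion(a, expectedChallenge, publicKey) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad type';
  if (client.challenge !== expectedChallenge) return 'challenge mismatch'; // stale or replayed
  if (client.origin !== ORIGIN) return 'origin mismatch';                  // look-alike site
  const ad = a.authenticatorData;
  if (ad.length < 37) return 'authenticator data too short';
  if (!ad.subarray(0, 32).equals(sha256(RP_ID))) return 'rpIdHash mismatch';
  if ((ad[32] & 0x01) === 0) return 'user not present';
  // The signature covers authenticatorData || SHA-256(clientDataJSON).
  const signed = Buffer.concat([ad, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

// Constructed stand-in for browser plus authenticator; the private key stays inside it.
function makeAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const getAssertion = (challenge, origin, rpId) => {
    // In a real browser the origin field is written by the browser, not by the page.
    const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
    // rpIdHash (32 bytes) | flags: user present + verified (0x05) | signCount (4 bytes)
    const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
    const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
    return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, privateKey) };
  };
  return { publicKey, getAssertion };
}

function demo() {
  const device = makeAuthenticator();
  const challenge = crypto.randomBytes(32).toString('base64url');
  const genuine = device.getAssertion(challenge, ORIGIN, RP_ID);
  const lookalike = device.getAssertion(challenge, 'https://examp1e.com', 'examp1e.com');
  const freshChallenge = crypto.randomBytes(32).toString('base64url');
  return {
    genuine: verifyAssertion(genuine, challenge, device.publicKey),
    lookalike: verifyAssertion(lookalike, challenge, device.publicKey),
    replayed: verifyAssertion(genuine, freshChallenge, device.publicKey),
  };
}
console.log(demo());
```

A production relying party would also compare the stored signature counter and decode the registered COSE public key, which this example skips.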
Using an Android phone and a passkey to sign in to a website on a nearby computer
- A phone passkey can also be used to sign in to another device nearby.
- For example, an Android user can now use Safari on a Mac to sign in to a passkey-enabled website.
- Likewise, passkey support in Chrome means that a Chrome user on Windows, for example, can do the same thing using a passkey stored on their iOS device.
- Because passkeys are built on industry standards, they work with a consistent user experience across multiple platforms and browsers, including Windows, macOS, iOS, and ChromeOS.
Developers can test this now by enrolling in the Google Play Services beta and using Chrome Canary. Later this year, both features will be generally available on stable channels.
In a post introducing the feature, Diego Zavala, Product Manager (Android), stated,