By now, you’ve likely heard that passwordless Google accounts have finally arrived. The replacement for passwords is known as “passkeys.”
There are many misconceptions about passkeys, both in terms of their usability and the security and privacy benefits they offer compared with current authentication methods. That’s not surprising, given that passwords have been in use for the past 60 years, and passkeys are so new. The long and short of it is that with a few minutes of training, passkeys are easier to use than passwords, and in a matter of months—once a dozen or so industry partners finish rolling out the remaining pieces—using passkeys will be easier still. Passkeys are also vastly more secure and privacy-preserving than passwords, for reasons I’ll explain later.
This article provides a primer to get people started with Google’s implementation of passkeys and explains the technical underpinnings that make them a much easier and more effective way to protect against account takeovers. A handful of smaller sites—specifically, PayPal, Instacart, Best Buy, Kayak, Robinhood, Shop Pay, and Cardpointers—have rolled out various options for logging in with passkeys, but those choices are more proofs of concept than working solutions. Google is the first major online service to make passkeys available, and its offering is refined and comprehensive enough that I’m recommending people turn them on today.
Google account passkeys support enough platforms that there’s no single way to use them. A person who primarily uses Android and Linux will log in through a different flow than a person who uses all Apple platforms or one who uses iOS or Android with Windows. There’s no way to list step-by-step instructions for all platforms in one article. This primer instead uses a mix of devices and OSes—specifically a Pixel 7, an iPhone 13, a ninth-generation iPad, a ThinkPad running Windows 10, and a MacBook Air—with the goal of at least touching on the basic workings of all of them.
WTF is this passkey doing on my Pixel?
By the time I woke up on Wednesday—the day Google rolled out passwordless Google accounts—my Pixel 7 already had a passkey automatically created. I didn’t notice until I accessed g.co/passkeys, which is a shortcut to myaccount.google.com/signinoptions/passkeys, the page Google has installed for managing account passkeys. To my surprise, the key was already there. Since my account was enrolled in Google’s Advanced Protection Program (APP), this new key appeared immediately above two-factor authentication (2FA) keys that APP requires for bootstrapping new browsers that log in.
As the image indicates, I was using Chrome on the MacBook Air to access the page even though my preferred browser these days is Firefox. The reason: Firefox does not yet support passkeys on macOS, although that will change, likely sooner than later. I ultimately decided to continue using Safari for the rest of the process because passkeys created using that browser on macOS and iOS are automatically synced through the iCloud Keychain. For the time being, passkeys created with Chrome and Edge on Apple platforms are not.
Accessing the same g.co/passkeys page in Safari, I scrolled to the bottom and clicked “Create a Passkey” and received a dialog box providing a short explanation of passkeys. From there, I clicked the “Continue” button. The next screen that appeared explained I was saving a passkey that would be stored in iCloud. Once I clicked “done,” the passkey section of myaccounts.google.com updated to indicate that a new passkey had been created.
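What happens behind the “Create a Passkey” dialog, and at the later login it enables, as an added example that is not part of the original article and is not Google’s or Apple’s code: a small Go model of the WebAuthn-style flow. It goes a step beyond the registration described above and also shows the login check. The relying-party ID “google.com”, the look-alike domain “accounts-google.example”, the user “alice”, and every type and function name are constructed for the illustration, and the signed digest is a simplification of WebAuthn’s authenticator data; only the standard-library crypto calls are real.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the device side of a passkey: the private keys that
// live in the iCloud Keychain or a phone's secure hardware. Each key is
// created for exactly one relying-party ID (the site's domain) and is only
// ever used to sign for that ID. (Constructed model, not a real authenticator.)
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // relying-party ID -> private key
}

// RelyingParty models the website. It never holds a private key; at
// registration it stores only the public half, so a breach of its database
// yields nothing that can be replayed as a login.
type RelyingParty struct {
	ID         string
	pubKeys    map[string]*ecdsa.PublicKey // user -> registered public key
	challenges map[string][]byte           // user -> outstanding login challenge
}

// Assertion is what the device returns at login: the ID it signed for,
// the challenge it signed, and the signature.
type Assertion struct {
	RPID      string
	Challenge []byte
	Signature []byte
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

// CreatePasskey is the "Create a Passkey" step: a fresh P-256 key pair is
// generated on the device and only the public key leaves it.
func (a *Authenticator) CreatePasskey(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Register stores the public key the device handed over.
func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) {
	rp.pubKeys[user] = pub
}

// NewChallenge starts a login: a random nonce the device must sign.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	if _, ok := rp.pubKeys[user]; !ok {
		return nil, errors.New("no passkey registered for user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// signedDigest binds the signature to both the relying-party ID and the
// challenge (a simplified stand-in for WebAuthn's authenticatorData || clientDataHash).
func signedDigest(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	d := sha256.Sum256(append(rpHash[:], challenge...))
	return d[:]
}

// Sign is the login step on the device. The key is looked up by the ID of the
// site actually asking, so a look-alike domain gets no signature at all.
func (a *Authenticator) Sign(rpID string, challenge []byte) (Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return Assertion{}, fmt.Errorf("no passkey for %q", rpID)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpID, challenge))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{RPID: rpID, Challenge: challenge, Signature: sig}, nil
}

// Verify checks the assertion against the stored public key. The challenge is
// consumed on use, so a captured assertion cannot be replayed.
func (rp *RelyingParty) Verify(user string, as Assertion) error {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	if as.RPID != rp.ID {
		return errors.New("assertion was made for a different site")
	}
	want, ok := rp.challenges[user]
	if !ok || !bytes.Equal(want, as.Challenge) {
		return errors.New("challenge is stale or was never issued")
	}
	delete(rp.challenges, user)
	if !ecdsa.VerifyASN1(pub, signedDigest(as.RPID, as.Challenge), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	device := NewAuthenticator()
	google := NewRelyingParty("google.com")
	pub, _ := device.CreatePasskey(google.ID)
	google.Register("alice", pub)
	c, _ := google.NewChallenge("alice")
	as, _ := device.Sign(google.ID, c)
	fmt.Println("login:", google.Verify("alice", as))
	_, err := device.Sign("accounts-google.example", c) // constructed look-alike domain
	fmt.Println("look-alike domain:", err)
}
```

The two properties worth noticing are that the site ends up holding nothing but a public key, and that the device refuses to sign for any domain other than the one the key was created for, which is what makes a passkey login resistant to the credential-phishing that a password or a 2FA code is not.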
https://arstechnica.com/?p=1937113