Explainer: What are passkeys, how to get them, why they're safer than passwords
Goodbye passwords, passkeys are here. Passwords are all set to be deleted and relegated to the recycle bin, as a more secure alternative has now been developed. Known as ‘passkeys’, they are the new, more convenient and safer way to sign into your accounts across all your computing devices, including smartphones, without your password.
So, you don’t have to worry anymore about stitching together the names of pets, the birthdays of your loved ones or favourite places to come up with easy-to-remember passwords. All of this will disappear as we move towards a ‘passwordless future’. So, what are passkeys, why should we transition to them, and how do we enable and get them?
What are passkeys?
Passkeys are nothing but a digital credential tied to a user account. With this new security lock, you can forget about passwords and sign into your Google accounts using biometric sensors like fingerprint or face scanners, your smartphone’s device lock PIN, or physical authentication dongles like YubiKeys.
They are nothing but replacements for passwords and work on all major platforms and browsers.
Passwords have always been vulnerable to hacking. The password system was open to risks such as email phishing and keylogging, which in turn brought in security solutions like authenticator apps and two-factor verification. Yet even these security measures were being breached, so tech giants pooled their resources and developed a new system that creates a world without passwords, which are fast moving into the realm of ‘legacy’ systems.
Passkeys are a great security addition because they keep your account credentials safely locked and they stave off online attacks like phishing. Moreover, they don’t require two-factor authentication because they essentially confirm that you are the owner of your device.
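Why a passkey sign-in staves off phishing, as an added example that is not part of the original article: a simplified Node.js model of the checks a website runs on a passkey response under the FIDO/W3C WebAuthn standard. The site name accounts.example, the look-alike origin and the function names are constructed for illustration, and requiring the device-unlock flag is this example's assumption.

```javascript
// Added example: simplified model of a passkey (WebAuthn) sign-in, not production code.
const crypto = require('node:crypto');

const RP_ORIGIN = 'https://accounts.example'; // constructed site origin
const RP_ID = new URL(RP_ORIGIN).hostname;    // passkeys are scoped to this domain
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Passkey creation: the private key stays on the device; the site keeps only the public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Device side. The browser, not the page, fills in the origin it is really on, and the
// authenticator signs authenticatorData || SHA-256(clientDataJSON) after the screen unlock.
function deviceSignIn(challenge, browserOrigin, userVerified = true) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: challenge.toString('base64url'),
    origin: browserOrigin,
  }));
  const rpIdHash = sha256(new URL(browserOrigin).hostname);
  const flags = Buffer.from([0x01 | (userVerified ? 0x04 : 0x00)]); // UP and UV bits
  const authenticatorData = Buffer.concat([rpIdHash, flags, Buffer.alloc(4)]); // + sign counter
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, privateKey) };
}

// Website side: every check must pass before the signature is even considered.
function verifySignIn(expectedChallenge, { clientDataJSON, authenticatorData, signature }) {
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong-type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'stale-challenge';
  if (client.origin !== RP_ORIGIN) return 'wrong-origin';
  if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'wrong-rp-id';
  if ((authenticatorData[32] & 0x04) === 0) return 'user-not-verified';
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, signature) ? 'ok' : 'bad-signature';
}

function demo() {
  const challenge = crypto.randomBytes(32); // fresh per sign-in attempt
  return {
    genuine: verifySignIn(challenge, deviceSignIn(challenge, RP_ORIGIN)),
    lookalike: verifySignIn(challenge, deviceSignIn(challenge, 'https://accounts-example.test')),
    replayed: verifySignIn(crypto.randomBytes(32), deviceSignIn(challenge, RP_ORIGIN)),
    noUnlock: verifySignIn(challenge, deviceSignIn(challenge, RP_ORIGIN, false)),
  };
}

console.log(demo());
```

In a real browser the passkey for a site is not offered on another domain at all; the model lets the signing happen there only to show that the website would still reject the result.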
Who developed passkeys?
To tackle these security shortcomings, tech giants, including Microsoft, Google, and Apple, pioneered this new security system. Passkeys have been developed in collaboration with the industry association the FIDO Alliance and the World Wide Web Consortium (W3C).
The FIDO Alliance has called their emergence ‘very, very significant’ and an ‘inflection point’.
How do you get a passkey for your Google account?
To transition your Google account, first go to g.co/passkeys and log in with your username, password, and any additional authentication factors you have set up, and then follow the instructions. You can also click on ‘Create a passkey’ on the device you’re using. Some devices may not support creating a passkey.
What you need to enable the usage of passkeys
It can be enabled on both mobile and desktop platforms.
For smartphones, you need to have at least iOS 16 or Android 9. If you plan to use physical security dongle keys, like those made by Yubico, make sure they are at least FIDO2 certified.
For desktops, the PC must be running Windows 10 or macOS Ventura. The browser has to be updated to Edge v109, Chrome v109, or Safari v16, or a later version. The devices must have a screen lock set up and should support Bluetooth connectivity.
How to create a passkey on your phone?
If you are an Android phone user, passkeys are stored in your Google Password Manager, and they are synced between all devices signed in with the same Google account. Apple device owners have to turn to the iCloud Keychain.
Here is a step-by-step guide to create a passkey for your Google account — on both Android and iOS.
Step 1: Open the web browser of your choice and go to the passkey website. Once you are on the website, you need to sign in with your Google account.
Step 2: If you have two-factor authentication, you will get an email notification and/or a Google notification asking if it is really you that entered the password and tried to log in. If you don’t have two-factor authentication, you will go straight to the next step.
Step 3: Now you can see a list of all the devices on which you have signed in. For some devices, passkeys have been automatically created because Android devices automatically create passkeys when you access your Google account. For others, like an iPhone or iPad, you need to tap on the blue ‘use passkeys’ button.
Step 4: After you tap on the blue button and verify the iCloud Keychain prompt, a prompt will appear on the screen telling you that a passkey has been created for the device. Tap on the blue Done button, and you’re good to go. Next time you try to access your Google account, your device will verify your identity with a face scan, fingerprint authentication, or screen lock.
Step 5: You can verify a passkey has been created for your iPhone or iPad by going to Settings and checking: Passwords > google.com > Passkey Options. If the passkey has been created, you will see Created Today written against the passkey option.
If you are selling your device or switching to another, you can always delete the passkey from your iPhone’s Settings section or by visiting the device dashboard of your Google account.
What else you need to know
Passkeys do not work with Workspace accounts yet. For Google Workspace accounts, administrators will soon have the option to enable passkeys for their end-users during sign-in.
Of course, like any new beginning, the change to passkeys will take time. That’s why passwords and 2SV will still work for Google Accounts.
The next step toward more passkey adoption will be when services offer it as a login option for user accounts. So far, firms like PayPal, Shopify, CVS Health, Kayak, and Hyatt are doing this. Unlock the future with passkeys; passwords are on the way to the burial ground.