What are passkeys and how do they work? Googles new login explained

Publish date: 2024-07-25

Google is changing how you log into your account, but don’t worry — it’ll make your life easier.

This month, Google said it’s making “passkeys” the default log-in option for Google accounts. That means that instead of typing in a password, you’ll log into your Google account and Google apps with the same PIN, face ID or thumbprint you used to unlock your device.

In the ever-intensifying fight against digital criminals, passwords are a liability for people and organizations, cybersecurity experts say. Hackers frequently steal passwords in targeted attacks or sweeping data leaks, then break into online accounts to steal money or data. Consumers, meanwhile, struggle to make and remember strong passwords for what could be hundreds of online accounts.

The FIDO Alliance — an industry group that includes Amazon, Apple, Google and Meta — built passkeys in an effort to make online sign-ins simpler and safer, and the technology is showing up in more places. Google introduced passkey support in May, iOS 16 users can save passkeys to their Apple accounts, and the Meta-owned messaging app WhatsApp said Monday that it will support passkey log-ins for Android users. These decisions may signal a broader changeover on the horizon.

What is a passkey?

A passkey is an alphanumeric string that’s completely unique to you. It proves you are who you say you are, so apps and websites can let you into your account without providing a traditional password.

Advertisement

Passkeys rely on a type of cryptography called public key, where an algorithm comes together like puzzle pieces to unlock your account. When you log in, the app or website shares a “public key” algorithm with your device, which your device decodes using its unique “private key.”

To enable the passkey, all you have to do is unlock your device the normal way — with a PIN, face ID or fingerprint — when prompted. Then the app or site knows it’s you and lets you in.

In many cases, passkeys get saved to your cloud account such as Google or Apple iCloud. That means you can use the passkey from multiple devices tied to that account.

Google and other passkey supporters still accept passwords, so no worries if something goes sideways.

Help Desk tech reporter Tatum Hunter shares what you need to know about the passkey, a password alternative now supported by Google, ebay, Uber and others. (Video: Jonathan Baran/The Washington Post)

How do I set up passkeys?

Google should prompt you to set up your passkey at sign-in. Otherwise, open any Google app, click on your profile icon in the top-right corner and go to “Manage your Google Account.” From there, go to “Security” in the left-hand menu, scroll to “How you sign in to Google” and turn on passkeys.

Advertisement

Apps and websites that support passkeys should prompt you to set one up when you create a new account. This will involve unlocking your device to authenticate yourself. If you already have an account for that website or app, go to your account settings and look for options like privacy, security or passwords. You should see a way to enable passkeys.

Depending on what device you’re using, you can save passkeys to your iCloud keychain, Google Password Manager or Windows Hello — or a password manager app or browser extension.

What are the benefits?

Passkeys eliminate a few of the biggest risks and headaches that come with passwords.

First, no more remembering passwords. People and businesses spend a lot of time and money each year dealing with forgotten passwords, so passkeys save everyone some grief.

Advertisement

Passkeys also protect people and businesses against leaked credentials. When hackers compromise a company’s servers, they often use stolen username-password combinations to try to break into other sites, too. Since so many people get tired of remembering passwords and use the same ones for every account, those hackers are often successful. Passkeys drastically reduce this potential, since they are stored on the user’s device or personal cloud rather than a company’s servers.

Finally, no more hunting for that six-digit code in your text messages when you’re trying to log in. That additional safety check is called two-factor authentication, and it has helped make passwords safer. But passkeys make extra authentication unnecessary because they confirm the user’s identity from the jump.

What are the drawbacks?

Passkeys aren’t a great fit for environments where lots of people are sharing the same devices, like university libraries, said Steve Won, chief product officer at password manager company 1Password. If you share a device and don’t set up separate user profiles, other users may be able to unlock the passkey to access your Google account and Google apps. (To fix this, just set up separate user profiles that remain locked with a PIN, password or biometrics.)

Advertisement

Since passkeys are often tied to your devices, you may need to set up new passkeys if you lose your phone or laptop. Your accounts should be safe from interlopers, however, as long as they don’t know the PIN to unlock your device.

Which websites and apps support passkeys?

Building the technology to support passkeys takes time and money, so companies have been relatively slow to get on board, said Igor Kuznetsov, a researcher at cybersecurity company Kaspersky. We are still years away from a password-free life.

But the list of players that allow passkeys is steadily growing. In addition to Google, big names such as Uber, TikTok, Amazon, Microsoft, PayPal and Nintendo let you sign in with passkeys.

The more large companies support passkeys, the more pressure smaller ones will feel to switch over, Kuznetsov said. Eventually, you may have far fewer passwords to remember and type in, saving you time and brain space. (Until then, make sure you’re using long, distinct, complicated passwords and storing them in a password manager.)

ncG1vNJzZmivp6x7uK3SoaCnn6Sku7G70q1lnKedZMGmr8enpqWnl658c3yRbGZqaF9mhXC8wKyqpJ2pqHqmxM%2BlmKKmlZl6qLvOoKOeZw%3D%3D