The future is passkeys, not passwords: Google accounts are the latest to make the switch, following similar moves by Apple and Microsoft over the last couple of years (with other smaller names also making the switch). It means more convenience and more security for your account, and no need to have to remember dozens of lengthy passwords.
Essentially, a passkey means that the device you’re using (typically your phone or laptop) proves your identity with whatever screen lock is in place — PIN, facial recognition, fingerprint sensor — proving that you are who you say you are. In simple terms, the tech you use to unlock your phone becomes the tech you use to get into your digital accounts, too. They replace two-step verification as well as the password, and they work with hardware keys.
Unlike passwords, passkeys can’t be written down or leaked out on the web — they’re tied to your device. Google describes passkeys as “the future of secure sign-in, for everyone”, and if you want to make the switch now, we’ve outlined the steps required below.
What are passkeys?
Passkeys come in two parts: A public passkey that’s stored by the site or app you’re logging into, and a private passkey that’s stored on your specific devices. For this private passkey to be used for authentication, you’ll need to prove your identity: This is where your phone or laptop’s unlocking technology (like reading a fingerprint or requesting a PIN) comes in.
These private passkeys are kept encrypted and secure on individual devices. They can’t be guessed, or leak out from a server on the web, or written down. What’s more, because of the two pairs that make up the passkey, you can’t be tricked into logging into a site or app that’s not what it’s pretending to be (such as a fake banking website that’s trying to get you to part with your login credentials.
As far as the user-facing experience goes, when logging into a site or app on a new device, you’ll be given the option to switch to a passkey method, which will then be used by default the next time authentication is required. The authentication is usually only required when logging into new sites and apps on new devices — once you’re logged in, you’re logged in.
Passkeys can be synced between devices, but right now this only happens across Android, Windows, and iCloud — your credentials sync up between iPhones and Macs, for example, but not from your iPhone to your Windows laptop, or from your iPhone to your Android tablet. The process of setting up new devices on other operating systems involves a few more steps involving QR codes and Bluetooth, but it doesn’t take long.
So what happens if you lose your phone or laptop? Like password managers and password syncing today, the idea is that you always have several devices authorised, so you can use another gadget to verify your identity (and set up a replacement phone or laptop). If you lose all your devices with passkeys on them, then you’ll need to fall back to older methods to regain access to your accounts — passwords, recovery email addresses, and phone numbers.
How to set up passkeys for your Google account
You can opt to create a passkey whenever you’re signing into Google from somewhere new, but it’s perhaps easiest to head to your Google account on the web, then choose Security and Start using passkeys. You might find that some of your devices have already started creating passkeys, should you want to use them. Click Use passkeys to enable these keys and switch from passwords on these devices.
You’re also able to click Create a passkey to generate a passkey pair for the device you’re currently using. Be sure to only do this on devices only you have access to — anyone who can get past the screen lock on the device will be able to get into your Google account (which is how it currently works with passwords too, once you’re logged in).
Now, whenever you need to log into your Google account on a new app or site, you’ll be able to use a passkey and the authentication built into your device (the Touch ID sensor on a MacBook Pro, for instance) — no password required. The same prompt shows up whenever you’re making important changes, such as editing the security settings for your Google account. You’re able to revoke passkeys from your Google account page if you lose an authorised device and think someone else might be able to get past the screen lock.
While it’s still relatively early days for passkeys, support for them should get more and more widespread as time goes on — major password manager tools, for instance, are expected to start adding passkey support in the near future. Over time, switching between devices and platforms and browsers should get more straightforward.
It’s important to note that this doesn’t make your password redundant, at least not yet — so you still need to remember it or keep it logged somewhere. Your password can still be used as a backup option if a passkey doesn’t work, for example, or to recover your account if needed. Over time though, Google is betting that most people are going to prefer the simplicity and ease-of-use of passkeys.