Google recently announced that passkey support is coming to both the Android operating system and the Google Chrome web browser—and if you're wondering exactly what that means, you're in the right place. Passkeys are essentially a replacement for passwords that are designed to be more secure. You use them instead of traditional passwords to get into your various digital accounts, whether that's Google, Twitter, Dropbox, or anything else.
You don't get an actual key. Instead, some kind of unlocking mechanism—typically facial recognition or fingerprint recognition, or just a PIN code—is used to prove you are who you say you are for the purposes of logging in.
However, it's not just a case of pressing a button and switching over. Developers need to also code passkey support into their apps and websites, which is why Google made the announcement on its Android Developers Blog.
The move is part of a broader industry push toward a passwordless future—you might have noticed that Microsoft is doing something similar. Users don't have to remember passwords, and there aren't any passwords for hackers to steal.
As Google puts it, a passkey “identifies a particular user account on some online service.” At its center is a cryptographic private key that gets stored on the devices you use. This is then matched against a public key held by the digital services you're signing into to confirm your identity.
To make sure it's really you, you'll need to unlock your phone or computer, which on a phone usually means entering a PIN code or letting your face or fingerprint get scanned. On computers, passwords may still be used to verify your identity, but the industry is moving toward biometric authentication all the time.
You don't actually see the passkey itself or need to know what it is—you just have to be you. Your face or fingerprint replaces that long list of passwords on a Post-it note that you might have, so it's much simpler and more convenient.
These passkeys use public-key cryptography, so if they're involved in a data breach, they're useless to bad actors without your face or your fingerprint. Similarly, if your laptop or phone gets stolen, your accounts can't be accessed because you're not going to be around to provide the necessary authentication.
This isn't just a Google initiative. Organizations such as the FIDO Alliance and the W3C Web Authentication group are busy working toward a passwordless future as well, so you'll be able to use these systems across any device, whether made by Google, Apple, Microsoft, or any other hardware maker.
The good news is that using passkeys is as easy as unlocking your phone—it's intended to be as straightforward as possible. You'll be able to choose to move to a passkey system for your accounts, but only when the app you're logging in to and the device you're using have been upgraded with passkey support.
Let's say Google has finished rolling out passkey support to Android, you're logging in to an app that has been updated to use passkeys, and you've said yes when prompted to make the switch from a standard password. You'll then be asked to create a passkey, which will involve you having to do the same action you do to unlock your phone—show your face, press down your fingerprint, or enter a PIN. That creates the passkey and authenticates the link between the app in question and the device in your hand. Whenever you need to log in to that app in future, you'll need to go through the same unlock process. As with passwords, how long that authentication lasts will vary: With your banking app, you'll usually have to log in every time, whereas with a social media account one login per device is often enough.
You'll also be able to log in to sites on your computer through your phone via the magic of a QR code. The site will display a QR code that you scan with your phone—once you've gone through the unlock process on your mobile device, your identity will be confirmed and you'll be logged in to the site.
Encrypted synchronization across devices will also be handled—Google Password Manager is adding support for passkeys, for example, so should you lose access to one device, you can still get at your accounts from another one or from the cloud, assuming you're able to provide the necessary authentication (and you haven't changed your fingerprints or face in the meantime).
