Google Rolls Out Support for Passkeys in Android and Chrome

Google is introducing new support for passkeys on Android and Chrome, a technology that enables people to sign in to websites on their phones or computers using the same biometric or other screen lock mechanism they use to unlock their phones.

Passkeys are meant to eliminate the need for passwords on each site or app and provide a more seamless login experience. The system is built on a standard developed by the FIDO Alliance and W3C and uses WebAuthn as the underlying authentication technology. The capability is available for developers on Android and Chrome now, and Google expects to make it available to users next month with the release of Android 9.

“Passkeys follow already familiar UX patterns, and build on the existing experience of password autofill. For end-users, using one is similar to using a saved password today, where they simply confirm with their existing device screen lock such as their fingerprint. Passkeys on users’ phones and computers are backed up and synced through the cloud to prevent lockouts in the case of device loss. Additionally, users can use passkeys stored on their phone to sign in to apps and websites on other nearby devices,” Google said in a blog post Wednesday.

Passkeys offer several advantages over traditional credentials such as usernames and passwords. The most important advantage is their strong defense against phishing, as there is no username or password to steal. Passkeys also are much more convenient for users and eliminate the need to remember passwords. Passkeys also can’t be leaked or stolen.

In May, Google, Apple, and Microsoft all announced support for the passwordless sign-in standard and pledged to make the system work across their various platforms. Apple rolled out passkey support in iOS 16, which was released in September. In Apple’s implementation, the passkeys are stored in the iCloud keychain on devices, while Google syncs them through the Google Password Manager.

“A passkey on a phone can also be used to sign in on a nearby device. For example, an Android user can now sign in to a passkey-enabled website using Safari on a Mac. Similarly, passkey support in Chrome means that a Chrome user, for example on Windows, can do the same using a passkey stored on their iOS device,” Google said.

“Since passkeys are built on industry standards, this works across different platforms and browsers - including Windows, macOS and iOS, and ChromeOS, with a uniform user experience.”

Google plans to roll out an API for native Android apps later this year.