Google begins offering ‘passkeys’ to replace passwords

Good news for all the password-haters out there: Google has taken a big step towards making them an afterthought by adding “passkeys” as a more straightforward and secure way to log in to its services.

Here’s what you need to know:

What are passkeys?
Passkeys offer a safer alternative to passwords and texted confirmation codes. Users will not ever see them directly — instead, an online service such as Gmail will use them to communicate directly with a trusted device to allow the user to log in, Associated Press reported.

All users have to do is verify their identity on the device using a PIN unlock code, biometrics such as fingerprints or face scans, or a more sophisticated physical security dongle.

Google designed its passkeys to work with a variety of devices, so users can use them on iPhones, Macs and Windows computers as well as Google’s own Android phones.

Why are passkeys necessary?

Thanks to clever hackers and human fallibility, passwords are too easy to steal or defeat. And making them more complex only opens the door to users defeating themselves.

For starters, many people choose passwords they can remember — and easy-to-recall passwords are also easy to hack. For years, analysis of hacked password caches found that the most common password in use was “password123”.

A more recent study by the password manager NordPass found that it is now only “password”. This isn’t fooling anyone.

Passwords are also frequently compromised in security breaches. Stronger passwords are more secure, but only if users choose ones that are unique, complex and non-obvious.

And once you have settled on “erVex411$%” as your password, good luck remembering it.

In short, passwords put security and ease of use directly at odds. Software-based password managers, which can create and store complex passwords, are valuable tools that can improve security.

But even password managers have a master password that needs protection — and that plunges users back into the swamp, AP reported.

In addition to sidestepping all those problems, passkeys have one additional advantage over passwords. They are specific to particular websites, so scammer sites cannot steal a passkey from a dating site and use it to raid bank accounts.

How do I start using passkeys?

The first step is to enable them for a user’s Google account. On any trusted phone or computer, open the browser and sign into the Google account. Then visit the page g.co/passkeys and click the option to “start using passkeys”.

If on an Apple device, the user will first be prompted to set up the Keychain app if it is not already in use. This securely stores passwords and now passkeys as well.

The next step is to create the actual passkeys that will connect a trusted device. Android phones are automatically ready to use passkeys, though users still have to enable the function first.

On the same Google account page noted above, look for the “Create a passkey” button. Pressing it will open a window and let users create a passkey either on the current device or on another device. There is no wrong choice; the system will simply notify users if that passkey already exists.

If on a PC that cannot create a passkey, it will open a QR code that users can scan with the ordinary cameras on iPhones and Android devices. Users may have to move the phone closer until the message “Set up passkey” appears on the image.

And then what?

From that point on, signing into Google will only require an email address. If passkeys are set up properly, users will simply get a message on their phones or other devices asking them for their fingerprint, face or a PIN.

Of course, their password is still there. But if passkeys take off, odds are good users will not need it very much. Users may even choose to delete it from their accounts someday.