In its quest to make the Internet a much safer place, Google announced yesterday that users can now create passkeys on their devices and, as a result, never again send password data to Google or to other systems that support passkeys.

So?

A passkey is a much more convenient and safer alternative to a password.

The passkey is stored on the device, out of reach of hackers, and is never transmitted anywhere, so there is nothing for threat actors to steal and nothing you can be tricked into giving away in a phishing attack.

Using a passkey, users can sign in to services by simply unlocking their computer or mobile device with their fingerprint, face recognition or a local PIN.

When you use a passkey with your Google Account, it acts as a mechanism to prove to Google that you have access to your device and are able to unlock it.

Behind the scenes, a public/private cryptographic key pair is used to sign a small message, which proves to Google that you are the owner of the device and, as such, of the associated account.

This is stronger protection than most 2FA/MFA methods offer, since those still typically require a traditional password as part of the login method.
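
The sign-in described above, where the device signs a small message and the service checks it against the stored public key, looks like this in code. This is an added example, not Google's code or part of the original announcement; it follows the WebAuthn assertion layout, and the function names, the `accounts.example` origin and the sample values are assumptions made for illustration.

```javascript
// Added example: passkey sign-in in the WebAuthn style. All names are illustrative.
const crypto = require('crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Registration: the device generates a key pair; only publicKey is sent to the service.
function createPasskey() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Device side, after a local unlock: sign the service's one-time challenge together
// with the origin the browser is really on. The private key is never sent.
function signIn(privateKey, challenge, origin, rpId) {
  const clientData = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // rpIdHash (32 bytes) | flags (0x05 = user present + user verified) | signCount (4 bytes)
  const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 0])]);
  const signed = Buffer.concat([authData, sha256(clientData)]);
  return { clientData, authData, signature: crypto.sign('sha256', signed, privateKey) };
}

// Service side: every check must pass before the signature is trusted.
function verifySignIn(publicKey, expected, resp) {
  const cd = JSON.parse(resp.clientData.toString('utf8'));
  if (cd.type !== 'webauthn.get') return 'bad-type';
  if (cd.challenge !== expected.challenge.toString('base64url')) return 'bad-challenge';
  if (cd.origin !== expected.origin) return 'bad-origin';
  if (!resp.authData.subarray(0, 32).equals(sha256(expected.rpId))) return 'bad-rp-id';
  if ((resp.authData[32] & 0x04) === 0) return 'user-not-verified';
  const signed = Buffer.concat([resp.authData, sha256(resp.clientData)]);
  return crypto.verify('sha256', signed, publicKey, resp.signature) ? 'ok' : 'bad-signature';
}

// Constructed sample run: one genuine sign-in and two that the service must refuse.
function demo() {
  const { publicKey, privateKey } = createPasskey();
  const site = { origin: 'https://accounts.example', rpId: 'accounts.example' };
  const first = { ...site, challenge: crypto.randomBytes(32) };
  const second = { ...site, challenge: crypto.randomBytes(32) };
  const genuine = signIn(privateKey, first.challenge, site.origin, site.rpId);
  const lookalike = signIn(privateKey, first.challenge, 'https://accounts.example.test', site.rpId);
  return {
    genuine: verifySignIn(publicKey, first, genuine),
    lookalikeOrigin: verifySignIn(publicKey, first, lookalike),
    replayed: verifySignIn(publicKey, second, genuine), // old response, new challenge
  };
}

console.log(demo());
```

Because the signed message carries the origin and a fresh challenge, a response produced on a look-alike site or captured from an earlier sign-in fails verification even though the signature itself is valid.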

Using passkeys to sign in to your Google Account

Using a passkey does not mean that you have to use your mobile device every time you sign in, or that you are tied to one specific device to access your data. If you use multiple devices, you can create a passkey for each one separately.

Some platforms, such as Apple's iCloud, securely back up your passkeys and sync them to other devices you own.

This also protects you from being locked out of your account in case you lose a device, and makes it easier for you to upgrade from one device to another.

Creating a Google Passkey

Using a new, or temporary device

If you want to sign in on a new device for the first time, or temporarily use a different device, you can use a passkey stored on your phone to do so.

On the new/temporary device, you will have the option to “use a passkey from another device”; select it and follow the on-screen prompts.

This method does not transfer the passkey to the other device, but uses your phone’s screen lock and proximity to approve a one-time sign-in.

If the new/temporary device supports storing its own passkeys, you will be asked if you want to create one there.

Worried about compromise?

If you lose a device with a passkey for your Google Account and believe someone else can unlock it, then all you need to do is log in to your Google account via another device and go to your account settings.

From here, you will have the ability to revoke the passkey from the lost device. If that device supports the option to remotely wipe it, consider doing that as well, especially if it also has passkeys for other services.

Google recommends that you have a recovery phone and email address linked to your account, to use as a secondary authentication method if access to your primary account is not available.

Full information about passkeys and how to set them up, along with more technical detail on how the system works, can be found in the latest Google Security Blog post.