Google passwords are a good idea. You turned them on, right?

By now you’ve probably heard that passwordless Google accounts have finally arrived. The replacement for passwords is known as “passwords”.

There are many misconceptions about password keys, both in terms of their usefulness and the security and privacy benefits they provide over current authentication methods. That’s not surprising considering passwords have been in use for 60 years and passkeys are so new. The bottom line is that with a few minutes of training, passkeys will be easier to use than passwords, and in a few months — a dozen industry partners have finished rolling out the remaining pieces — using passkeys will be even easier. . Passkeys are also much more secure and privacy-protective than passwords, for reasons I’ll explain later.

This article provides an introduction to getting people started with Google’s implementation of passkeys and explains the technical underpinnings that make them a much easier and more effective way to protect against account takeovers. A handful of smaller sites, most notably PayPal, Instacart, Best Buy, Kayak, Robinhood, Shop Pay, and Cardpointers, have rolled out several options for logging in with passwords, but those choices are more proofs of concept than working solutions. Google is the first major online service to make passkeys available, and its offerings are sophisticated and comprehensive enough to recommend people turn them on today.

Google account passkeys support enough platforms that there is no way to use them. The way someone who mainly uses Android and Linux logs in looks different and uses a different flow than someone who uses all Apple platforms or someone who uses iOS or Android with Windows. There is no way to list step-by-step instructions for all platforms in one article. Instead, this tutorial uses a mix of devices and operating systems, specifically a Pixel 7, an iPhone 13, a ninth-generation iPad, a ThinkPad running Windows 10, and a MacBook Air, with the goal of at least basic operation of all theirs.

WTF is this passcode doing on my Pixel?

By the time I woke up on Wednesday — the day Google rolled out passwordless Google accounts — my Pixel 7 had already automatically generated a password. I didn’t notice it until I accessed g.co/passkeys, which is a shortcut to myaccount.google.com/signinoptions/passkeys, the page Google installed for managing account keys. To my surprise, the key was already there. Since my account was enrolled in Google’s Advanced Protection Program (APP), this new key appeared directly above two-factor authentication keys (2FA) that APP needs to launch new browsers that log in.

As the image indicates, I used Chrome on the MacBook Air to access the page, even though Firefox is my browser of choice these days. The reason: Firefox doesn’t yet support passkeys on macOS, though that’s likely to change sooner rather than later. In the end, I decided to keep using Safari for the rest of the process, because access keys created with that browser on macOS and iOS are automatically synced through the iCloud keychain. For now, passkeys created with Chrome and Edge on Apple platforms are not.

When I visited the same g.co/passkeys page in Safari, I scrolled down and clicked “Create a Passkey” and received a dialog with a brief explanation of passkeys. From there, I clicked the “Continue” button. The next screen that appeared explained that I was saving a password that would be stored in iCloud. After I clicked “Done,” the password section of myaccounts.google.com updated to show that a new password had been created.