Passkeys are here to (try to) kill the password. Following Google’s beta rollout of the feature in October, passkeys are now hitting Chrome stable M108. “Passkey” is based on industry standards and is supported by all major platform vendors – Google, Apple, Microsoft – along with the FIDO Alliance. Google’s latest blog reads, “With the latest version of Chrome, we’re enabling passkeys on Windows 11, macOS, and Android.” The Google Password Manager on Android is ready to sync all your passkeys to the cloud, and if you can meet all the hardware requirements and find a supporting service, you can now sign into something with a passkey.
Passkeys are the next step in the evolution of password managers. These days, password managers are a bit of a hack: the password text box was originally for a human to manually type in text, and you were expected to remember your password. Then password managers started automating that typing and remembering, making it convenient to use longer, more secure passwords. Today, the proper way to handle a password field is to let your password manager generate a series of random, unmemorable junk characters to place in the password field. The passkey removes that outdated text box interface and instead stores a secret, passes that secret to a website, and if it matches, you’re logged in. Instead of passing a randomly generated string of text, passkeys use the “WebAuthn” standard to generate a public-private key pair, just like SSH.
If anyone can figure out the compatibility issues, passkeys offer some great advantages over passwords. While passwords can be used insecurely with short strings shared on many sites, a passkey is always enforced to be unique in content and secure in length. If there’s a server breach, the hacker won’t get your private key and it’s not a security problem like a leaked password would be. Passkeys are not phishable, and since they require your phone to be physically present (!!), a random hacker from around the world can’t log into your account anyway.
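The key-pair login and the breach and phishing properties described in the two paragraphs above can be seen in a small model. This is an added example, not code from the article, Google or the WebAuthn specification: it signs a JSON blob directly instead of WebAuthn's real binary structures, and the function names and `.example` origins are made up for illustration.

```javascript
// Added example: simplified passkey login (not full WebAuthn; no CBOR, flags or counters).
const crypto = require('node:crypto');

// Registration: the authenticator makes a fresh key pair for this one site.
function register(rpOrigin) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    authenticator: { privateKey },            // never leaves the user's device
    serverRecord: { rpOrigin, publicKey },    // everything the website stores
  };
}

// Login, client side: the browser (not the page) fills in the origin it is really on.
function signAssertion(authenticator, challenge, browserOrigin) {
  const clientData = JSON.stringify({ type: 'webauthn.get', challenge, origin: browserOrigin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), authenticator.privateKey);
  return { clientData, signature };
}

// Login, server side: check the signature first, then what was signed.
function verifyAssertion(serverRecord, expectedChallenge, { clientData, signature }) {
  const valid = crypto.verify('sha256', Buffer.from(clientData), serverRecord.publicKey, signature);
  if (!valid) return 'bad-signature';
  const signed = JSON.parse(clientData);
  if (signed.challenge !== expectedChallenge) return 'wrong-challenge';
  if (signed.origin !== serverRecord.rpOrigin) return 'wrong-origin';
  return 'ok';
}

// Constructed scenario; shop.example and shop-login.example are placeholder origins.
function demo() {
  const { authenticator, serverRecord } = register('https://shop.example');
  const newChallenge = () => crypto.randomBytes(32).toString('hex');
  const c1 = newChallenge();
  const good = signAssertion(authenticator, c1, 'https://shop.example');
  const viaLookalike = signAssertion(authenticator, c1, 'https://shop-login.example');
  const rewritten = { clientData: good.clientData, signature: viaLookalike.signature };
  const outsider = register('https://shop.example').authenticator; // has no access to the user's key
  return {
    genuine: verifyAssertion(serverRecord, c1, good),
    lookalikeOrigin: verifyAssertion(serverRecord, c1, viaLookalike),
    rewrittenOrigin: verifyAssertion(serverRecord, c1, rewritten),
    replayed: verifyAssertion(serverRecord, newChallenge(), good),
    stolenServerRecord: verifyAssertion(serverRecord, c1, signAssertion(outsider, c1, 'https://shop.example')),
    storedKeyType: serverRecord.publicKey.type,
  };
}

console.log(demo());
```

Only the first case logs in: a signature collected on the wrong origin, a reused signature, and a signature made by someone holding only the server's copy of the record are all rejected.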
So let’s talk about compatibility. Today, passkeys essentially require a portable device, even if you log into a stationary PC. You are expected to use a smartphone for this, but you can also use a MacBook or iPad. The first time you set up an account on a new device, make sure your authentication device (your phone) is near the one you’re logging into. This proximity check is done via Bluetooth. Everyone involved with passkeys is really aggressive about pointing out that sensitive data isn’t transferred over Bluetooth – it’s only used for a proximity check – but you’ll still need to troubleshoot the Bluetooth connection to get started.
When you sign in to an existing account on a new device, you’ll also need to choose which device you want to authenticate with (probably your phone, too). If both devices are in the same big-tech ecosystem, hopefully you’ll see a nice device menu, but if not, you’ll need to use a QR code.
Second big problem: Has everyone seen that list of operating systems at the top? Google supports passkeys on Windows 11, not Windows 10, which will make this a hard sell. Statcounter has Windows 11 at 16 percent of the total Windows install base, with Windows 10 at 70 percent. So if you happen to create a passkey account, you can only log in on newer Windows computers.
Keys are stored in each platform’s built-in keystore, so that’s Keychain on iOS and macOS, the Google Password Manager (or a third-party app) on Android, and “Windows Hello” on Windows 11. Some of these platforms have key synchronization across different devices, and some don’t. So logging into one Apple device should sync your passkeys to other Apple devices via iCloud, and the same goes for Android via a Google account, but not Windows or Linux or Chrome OS. By the way, syncing is your escape hatch if you lose your phone. Everything is still backed up to your Google or Apple account.
Google’s documentation usually doesn’t mention Chrome OS at all, but Google says, “We’re working on enabling passwords on [Chrome for] iOS and Chrome OS.” Support for Android apps is also not there yet, but Google is also working on it.
Now that this is actually running on Chrome 108 and a supported OS, you should be able to see the passkey screen under the “autofill” section of the Chrome settings (or try pasting chrome://settings/passkeys into the address bar). Next, we need more websites and services that actually support using a passkey instead of a password to log in. Google account support would be a good first step. At this time, you can use a passkey for two-factor authentication with Google, but you can’t replace your password just yet. Everyone’s go-to passkey example is the passkeys.io demo site, which we’ve got an overview of here.