Google has spent the past several years working to replace passwords because of frequent reuse, vulnerability to data breaches, and phishing. Passkeys are the industry solution, and the ability to log in to your Google Account with them is starting to roll out.
With passkeys, signing in to a service no longer requires a password. Instead, you just enter your existing phone or computer password (PIN code, fingerprint, face, etc.), and that’s used to authenticate your identity. In Google’s case, no 2-Step Verification (2SV) is required.
Google Account passkeys
You have to create a Google Account passkey for each device (phone, tablet, laptop, desktop, etc.). Behind the scenes, a cryptographic private key gets stored on that device, while a “corresponding public key is uploaded to Google.”
When you sign in we ask your device to sign a unique challenge with the private key. Your device only does so if you approve this by unlocking the device. We then verify the signature with your public key.
If you’re signing in with a new device (or doing so temporarily), you use the passkey on your phone with a QR code scanning process and a Bluetooth proximity check.
On the new device, you’d just select the option to “use a passkey from another device” and follow the prompts. This does not automatically transfer the passkey to the new device, it only uses your phone’s screen lock and proximity to approve a one-time sign-in. If the new device supports storing its own passkeys, we will ask separately if you want to create one there.
As of launch, passkeys serve as another Google Account sign-in option. There are no changes to existing methods, while passwords are the fallback method (used if a device doesn’t support passkeys). That should change in the future:
Passkeys are still new and it will take some time before they work everywhere, however creating a passkey today still comes with security benefits as it allows us to pay closer attention to the sign-ins that fall back to passwords. Over time we’ll scrutinize these more as passkeys gain broader support and familiarity.
If one device is lost, you can revoke Google Account passkeys in settings, while a device wipe is also recommended.
To add a passkey for your Google Account, start here: g.co/passkeys. This feature is actively rolling out, with the following operating system and browser versions required:
- Google: Chrome 109+, Android 9+, ChromeOS 109+
- Apple: Safari 16+, iOS 16, macOS Ventura
- Microsoft: Edge 109+, Windows 10/11
Why passkeys are more secure
Google likes passkeys because, compared to passwords, they cannot be “written down or accidentally given to a bad actor,” phished, or exposed in a data breach. The company believes passkeys offer “stronger protection than most 2SV methods offer today, which is why we allow you to skip not only the password but also 2SV when you use a passkey.” To that end, Google is so confident that the Advanced Protection Program can just work with a passkey:
In fact, passkeys are strong enough that they can stand in for security keys for users enrolled in our Advanced Protection Program.
Google notes how Apple will sync passkeys created on your iPhone across logged-in iCloud devices:
This protects you from being locked out of your account in case you lose your devices, and makes it easier for you to upgrade from one device to another.
Passkey sync providers, like the Google Password Manager and iCloud Keychain, “use end-to-end encryption to keep your passkeys private.” In the case of Google’s Password Manager, it can sync and save other Google Accounts.
Passkeys place a great deal of emphasis on your device password. However, Google believes “most people will find it easier to control access to their devices rather than maintaining the security implications of passwords and the need to be on the lookout for phishing attempts that come with them.”
FTC: We use income earning auto affiliate links. More.