The passwordless future is slowly becoming a reality. This week, Google announced that you can now log into your Google account with just a passkey. It’s a huge milestone in what promises to be the incredibly long, awkward move away from using passwords for security.
In case you haven’t heard yet, passwords are terrible. People pick awful passwords to begin with, find them really hard to remember, and then don’t even use them properly. When someone gets hacked, that may just involve someone using (or reusing) a really bad password or accidentally giving it to a scammer. To try to solve these difficult problems, an industry group—including Apple, Google, and Microsoft—called the FIDO Alliance developed a system called passkeys.
Passkeys are built using what’s called the WebAuthentication (or WebAuthn) standard and public-key cryptography. It’s similar to how end-to-end encrypted messaging apps work. Instead of you creating a password, your device generates a unique pair of mathematically related keys. One of them, the public key, is stored by the service on its server. The other, the private key, is kept securely on your device, ideally locked behind your biometric data (like your fingerprint or face scan), though the system also supports PINs.
[Related: Microsoft is letting you ditch passwords. Here’s how.]
Because the keys are mathematically related, the website or app can get your device to verify that you have the matching private key and issue a one-time login without ever actually knowing what your private key is. This means that account details can’t be stolen or phished and, since you don’t have to remember anything, logging in is simple.
Take Google’s recent implementation. Once you’ve set up a passkey, you will be able to log into your Google account just by entering your email address and scanning your fingerprint or face. It feels similar to how built-in password managers work, though without any password in the mix.
Of course, passkeys are still a work in progress, and implementations are inconsistent. As ArsTechnica points out, passkeys currently sync using your operating system ecosystem. Right now, if you exclusively use Apple devices, things are pretty okay. Your passkeys will sync between your iPhone, iPad, and Mac using iCloud. For everyone else though, they’re a mess. If you create a passkey on your Android smartphone, it will sync to your other Android devices, but not your Windows computer or even your Chrome browser. There are workarounds using tools like QR codes, but it’s a far cry from the easy password-sharing built into most browsers.
[Related: Apple’s passkeys could be better than passwords. Here’s how they’ll work.]
Also, passkeys aren’t very widely supported yet. Different operating systems support them to various degrees and there currently are just 41 apps and services that allow you to use them to login. Google joining the list is a huge deal, in part because of how many services rely on Sign In With Google.
Password managers have become a good tool for managing complex, unique passwords across different devices and operating systems. These same password managers, like Dashlane and 1Password, are working to solve the syncing issues currently baked into passkeys. In a statement to PopSci, 1Password CEO Jeff Shiner said, “Passkeys are the first authentication method that removes human error—delivering security and ease of use… In order to be widely adopted though, users need the ability to choose where and when they want to use passkeys so they can easily switch between ecosystems… This is a tipping point for passkeys and making the online world safe.”
If you’re ready to try passkeys despite the sync issues and lack of support, you can read our guide on how to set up a passkey for your Google account right now. Unfortunately, this only works with regular Google accounts. Google Workspace accounts aren’t supported just yet.