3aIT Blog

Google have now added themselves to the growing list of companies that support passkeys - a new way of logging in to your account that requires no password whatsoever. They join companies like Adobe, eBay, Microsoft, PayPal and Shopify in accepting this new technology.

What makes Passkey logins better than the traditional password-based method?

  • No need to remember a password - your device is the password. It uses the fact that you've successfully logged in to your main account on your device as proof you are who you say you are.
  • Enhanced security - As there's no need for passkeys to be memorable to a human, they can be far more complex, effectively ruling out brute-force attacks entirely.
  • Cross-platform compatibility - Once you're set up with passkeys, you can then start using your phone to authenticate you on every other device you use. You don't need to set the system up independently on all your devices.
  • Stronger resistance to phishing - If you don't know your password, you can't accidentally tell someone else what it is!
  • Future-proofing - As secure methods to log into your passkey device improve, all your passkeys automatically become more secure.
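To make the "your device is the password" and phishing points above concrete, here is an added illustration (not code from Google or any of the companies mentioned) of what happens behind the scenes when you sign in with a passkey. It assumes a simplified message format rather than the real passkey standard, and the function names and web addresses are made up for the example.

```javascript
// Added illustration: a simplified passkey sign-in, not the real WebAuthn format.
const crypto = require("node:crypto");

// Registration: the device makes a key pair for one site and hands over
// only the public key. The private key never leaves the device.
function createPasskey(origin) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { device: { origin, privateKey }, publicKey };
}

// Device side: sign the site's one-time challenge together with the address
// the browser is actually showing. No passkey for that address, no signature.
function signIn(device, challenge, browserOrigin) {
  if (browserOrigin !== device.origin) return null;
  const clientData = JSON.stringify({ challenge, origin: browserOrigin });
  const signature = crypto.sign("sha256", Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Site side: check the challenge, the address and the signature.
function verifySignIn(publicKey, expectedChallenge, expectedOrigin, response) {
  if (!response) return false;
  const { challenge, origin } = JSON.parse(response.clientData);
  if (challenge !== expectedChallenge || origin !== expectedOrigin) return false;
  return crypto.verify("sha256", Buffer.from(response.clientData), publicKey, response.signature);
}

function demo() {
  const site = "https://shop.example";            // constructed addresses
  const lookalike = "https://shop-example.test";
  const newChallenge = () => crypto.randomBytes(32).toString("hex");
  const { device, publicKey } = createPasskey(site);
  const challenge = newChallenge();
  const genuine = signIn(device, challenge, site);
  // Hypothetical worst case: a device that did sign for the lookalike address.
  const misled = signIn({ ...device, origin: lookalike }, challenge, lookalike);
  return {
    genuine: verifySignIn(publicKey, challenge, site, genuine),            // true
    noPasskeyForLookalike: signIn(device, challenge, lookalike) === null,  // true
    lookalikeSignature: verifySignIn(publicKey, challenge, site, misled),  // false
    replayedLater: verifySignIn(publicKey, newChallenge(), site, genuine), // false
  };
}

console.log(demo());
```

The site only ever stores the public key, so a leak of its login database gives an attacker nothing to log in with, and a response captured once is useless against the next challenge.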

Is this just another passing fad?

It's possible, but unlikely in this case. All the major players are implementing this - Microsoft, Apple, Google et al. Passwords have long been a problem that needs solving, and the weakest security point in most setups. As computers become capable of cracking the most complex password it's possible for a human to remember, it becomes a no-brainer to move the authentication to something that is impossible to access remotely.

OK - I'm sold! How do I set it up?

First, you need to decide which device you would like to use as your authenticator. For most people, their phone would be the most sensible choice. For Android users, if your phone is using version 9 or greater, your device is supported. For Apple users, devices with iOS 16 or up support passkeys. If you'd rather use a desktop / laptop device, both macOS and Windows 11 fully support passkeys. Windows 10 does as well, but not as fully as 11.

You will need a login set up on whatever device you choose. For a mobile device, this will be authentication via fingerprint, face or similar. On desktop / laptop, it's likely to be face using Windows Hello, although there are other authentication methods you can use.

I sort of get it - can I just try it?

Yep. If one of the services you use supports it, you can switch to this method. To use it on your Google account, for example, go to the "Manage Your Account" page, Security, then follow the steps through on the "Skip password where possible" option.

If you'd just like to see how it works in theory, there's a demo system you can use here:

https://www.passkeys.io/

It's best to visit that site on the device you want to actually store the passkeys on. Once you've done that, you should find that you can then authenticate with that device if you try to log in to that same website from any other device. Alternatively, you can complete the sign-in process again on another device, creating a separate passkey for the same account on that device.

That looks good - but what if I accidentally drop the device with all my passkeys into an active volcano or a passing eagle flies off with it?

A good question. If you're using an Android or iOS device and you have more than one of these (a phone and a tablet, for instance), your keys will automatically sync to both (unless you've deliberately disabled this), so losing one or the other wouldn't be a disaster.

It's also the case that, for now at least, companies are tending to add this facility as a convenience rather than a complete replacement. If you don't have your passkey device, you can fall back to logging in with a password for any given service.

However, things will get more interesting if this takes off to the point that it's the only available login option, and for the full security gains to be achieved, this will be necessary eventually. If a password login is available as a backup, that password is still a way for attackers to get at your account. Once the password is gone, though, there will be a risk of losing your only "key" to your entire online world. We will be closely watching as things develop to see what methods companies provide to mitigate this risk.

Anywhere I can find more details on this?

We found the Google article on how to set things up on their accounts helpful when researching this article:

https://support.google.com/chrome/answer/13168025?sjid=8900841299588556826-EU

Here is a similar article by Apple:

https://support.apple.com/en-gb/guide/iphone/iphf538ea8d0/ios

Should I switch to passkeys everywhere now?

If it all seems to work on the devices you use, then by all means. It seems pretty likely this is the future of logins. However, bear in mind that this is a very new technology at the moment, and the kinks are still being ironed out. If it works for you now, it won't suddenly stop working. However, the devices you use need to hit certain requirements for it all to work as advertised. Additionally, companies are still working on systems to implement the fundamentals. For example, 1Password will soon be able to act as your passkey storage system, so any device signed in to the same 1Password account will have access to a shared set of passkeys.

Our advice would be to have a play with what's possible with the demo system above with all the devices you routinely use. If it all seems to work flawlessly, then jump in! If any of the process seems awkward, wait a little while for things to develop.