According to a post on the Android Developers Blog, Google Play Services Beta and Chrome Canary members now have access to passkey functionality as early adopters. When a user’s credentials are verified, the feature will automatically enter saved passwords. It will be available to all users “later this year.”
This beta release introduces two new features, one for users and one for developers:
- On Android devices, users can create and use passkeys that are securely synced via the Google Password Manager.
- Developers can add passkey support to their websites using Chrome, the WebAuthn API, Android, and other platforms.
Passkeys provide enhanced security and improved user experiences
Passkeys, which function similarly to password managers, enable password form autofill once a device is unlocked using biometric data such as facial recognition or fingerprints, PIN, or pattern. This significantly improves security over traditional SMS, app-based one-time passwords, or push-based approvals.
“Passkeys are a more secure and safer alternative to passwords.” They also eliminate the need for traditional second-factor authentication methods,” Google stated earlier this week in a Security Blog. “Passkeys use public-key cryptography to ensure that data breaches of service providers do not compromise passkey-protected accounts, and they are built on industry-standard APIs and protocols to prevent phishing attacks.”
To create a passkey on an Android device, users must confirm their desire to do so and authenticate using their sign-in method. Passkeys are managed via Google Password Manager, and are automatically backed up to the cloud to prevent lockouts in the event of a lost device.
Passkeys have widespread industry support, and Microsoft, Apple, and Google announced extended support for the Fast Identity Online (FIDO) standard earlier this year.
“In 2022, our next milestone will be an API for native Android apps,” Google stated on the Developers Blog. “Passkeys generated via the web API will work seamlessly with apps from the same domain and vice versa.”
Users will be able to use a passkey or their saved password with the native API. The goal is to help users and developers transition to passkeys as smoothly as possible by using a familiar user experience.
Setting Up and Using Google Passkeys
The good news is that using passkeys is as simple as unlocking your phone—designed it’s to be as simple as possible. You’ll be able to switch to a passkey system for your accounts if the app you’re logging into and the device you’re using have both been upgraded to support passkeys.
Assume Google has finished rolling out passkey support to Android, you’re logging in to a passkey-enabled app, and you’ve said yes when prompted to switch from a standard password. You’ll then be prompted to create a passkey, which will require you to perform the same action as when you unlock your phone—show your face, press down your fingerprint, or enter a PIN. This generates the passkey and authenticates the connection between the app and the device in your hand. If you need to log in to that app again in the future, you’ll have to go through the same unlock process.
You’ll also be able to access websites on your computer from your phone, thanks to the magic of a QR code. The site will display a QR code for you to scan with your phone; once you’ve completed the unlock process on your mobile device, your identity will be confirmed and you’ll be logged in.
Encrypted device synchronization will also be handled. Google Password Manager, for example, is adding support for passkeys, so if you lose access to one device, you can still access your accounts from another or from the cloud, assuming you can provide the necessary authentication (and you haven’t changed your fingerprints or face in the meantime).
