What are Passkeys?
Passkeys are a safer and easier alternative to passwords. It’s a digital credential that is tied to a user account, website or application. Passkeys are built on FIDO standards (Fast Identity Online), enabling all browsers to adopt them. Its main aim is to replace legacy authentication mechanisms such as passwords.
How do Passkeys work?
When a user wants to sign in to a service that uses passkeys, their browser or operating system will help them select and use the right passkey. To make sure only the rightful owner can use a passkey, the system will ask them to unlock their device. Users can sign in to apps and websites with either a biometric sensor (fingerprint or facial recognition), PIN or pattern, freeing them from having to remember and manage passwords.
Users can select an account to sign in with and not need to type the username. Users can seamlessly switch to a new device and immediately use it without needing to re-enroll. On Android, passkeys can be stored in the Google Password Manager, which synchronizes passkeys between the user’s Android devices that are signed into the same Google Account.
Passkeys are available on phones and can be used when logging into a laptop, even if the passkey isn’t synchronized to a laptop, as long as the phone is near the laptop and the user approves the sign-in on the phone.
What makes Passkeys very secure?
Passkeys use Public Key Cryptography, reducing threats from potential data breaches such as phishing attacks, brute force attacks, session hijacking & credential stuffing attacks. When a user creates a passkey with a site or application, this generates a public-private key pair on the user’s device. The public key is stored by the site, but this alone is useless to an attacker. An attacker can’t derive the user’s private key from the data stored on the server, which is required to complete authentication.
Advantages of Passkeys
Security: Passkeys provide a layer of security by verifying the identity of users before granting access.
User-Friendly: Passkeys can be designed to be user-friendly, allowing individuals to choose and remember passkeys that are meaningful to them.
Confidentiality: Passkeys can be kept confidential and known only to the authorized user.
Multi-Factor Authentication (MFA): Passkeys can be used as part of multi-factor authentication methods, combining two or more types of authentication factors (e.g., password and biometric scan).
Convinient: Instead of remembering passwords for different sites, users can use passkeys.
Google Lockout: Locks out an account from illegal access incase of a Brute Force attack.
They are resistant to phishing because they are not sent over the network.
Enable Passkeys in Google Workspace
Getting Started
Passkeys are currently in open beta within all Google Workspace editions. To get started, Admins should first access their organization’s Google Admin Console, where they should navigate the menu i.e Security > Authentication > Passwordless.
Google Admin Console enabling skipping passwords for users in Organization.
Note that by default, the setting “Allow users to skip passwords at sign-in” is turned off. An Admin can decide to choose to turn the feature on for the entire organization by selecting the top organizational unit or turn on the feature for a specific group by selecting a sub-organizational unit, which can override the inherited setting from the parent-organizational unit.
Setting up Passkeys
When a user is informed that Passkeys are enabled, they can navigate to g.co/passkeys, where they can begin the setup process for Passkeys.
QR Code provided for creating new passkey
If they have no Passkey associated with their Google account, they can click the Create a passkey button, which will bring up a QR code for them to scan using the camera of the device where they want to create the passkey.
When the QR Code is scanned (Illustration here), the user will be prompted to access a link with the format “FIDO:/35…”, where they will be asked whether they want to allow their mobile device to connect to the requesting device with the QR Code. They can also check the box “Remember this computer” if they trust the device.
When the QR Code is scanned (Illustration here), the user will be prompted to access a link with the format “FIDO:/35…”, where they will be asked whether they want to allow their mobile device to connect to the requesting device with the QR Code. They can also check the box “Remember this computer” if they trust the device.
The mobile device will establish a connection to the computer, and inform the user that they can either use their fingerprint, face or screen lock to verify their identity with a passkey. The user’s email where the passkey will be used will be displayed for confirmation.
The user will be prompted to input either their fingerprint, face or PIN depending on their preference, which will finalize their registration, with their computer verifying the success of the passkey creation.
Successful generation of passkey.
The user will then be able to view the passkeys created and associated with their Google account.
List of created Passkeys
Sign-in Via Passkey
When the user accesses their account, they will see a notification guiding them on how to use their newly created passkey by clicking on “Try another way”.
Notification to use try passkeys
Here, they will see the option to sign in using their passkey.
Different Sign In options
By clicking on “Use your passkey”, a popup will appear asking them if they will use the passkey generated on the most recent device, or if they want to use a different device.
A prompt will appear on the chosen device (Illustration here), asking the user to verify their identity on the computer. When clicked, the mobile device will attempt to connect to the computer, then ask for either the fingerprint, face scan or PIN, depending on what the user chose during setup. When their identity is successfully verified, the user will receive a notification that “Sign-in succeeded” on their mobile device, and they will be able to access their Google account on the computer.
Check what you need to create a passkey
You can create passkeys on these devices:
A laptop or desktop that runs at least Windows 10, macOS Ventura, or ChromeOS 109
A mobile device that runs at least iOS 16 or Android 9
A hardware security key that supports the FIDO2 protocol
Your computer or mobile device will also need a supported browser like:
Chrome 109 or up
Safari 16 or up
Edge 109 or up
To create and use a passkey, your device must have the following enabled:
Screen lock
Bluetooth
If you want to use a passkey on a phone to sign in to another computer
Tip: To ensure the best passkeys experience, we recommend you update to the latest available releases for your operating system.
Depending on your operating system and browser, you may not be able to create or use passkeys while in private browsing mode like incognito or other equivalents.
Additional resources
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article