For years, passwords have been the sole security measure for our online accounts. But with the prevalence of cyber attacks like phishing, they have become less secure in protecting user information and data. Technology companies such as Microsoft, Apple, and Google, along with the FIDO Alliance, have been working on adopting a simpler and more secure way to log in to accounts without relying on passwords. This alternative is called “Passkeys,” which we previously explained in our article “Is the era of passwords really over?” I suggest revisiting it to understand the story from the beginning!
Microsoft was the first to introduce the Passwordless feature, aiming to make user accounts passwordless to provide a higher level of protection against breaches. Apple followed suit and supported this new method with the iOS 16 update. Recently, Google has started supporting “password keys” to be a new option for people to use to log in to any of the company’s services, instead of relying on traditional passwords and other login mechanisms. Here, we will look at how to activate it.
What are Passkeys?
Rather than relying primarily on passwords and two-factor authentication, Passkeys aim to make passwords a secondary option or not an option at all. You can log in to any Google-related service like YouTube, Google Drive, Gmail, Blogger, or Play Store without traditional passwords or other login mechanisms like two-factor authentication or SMS messages. Instead, you use biometric authentication supported on your computer, laptop, tablet, or phone, such as fingerprint or facial recognition. Even if your device does not support biometric authentication, you can use a PIN code of at least 5 digits.
Regardless of the authentication method you choose, it will be linked to an encrypted key stored locally on the device and will act as the password behind the scenes when logging in to the account. This provides greater security and protection as there is no actual password to be secretly stolen in a phishing attack. Additionally, this key can only be used for one account. If you activate the feature on a second account on the same device, a different encrypted key will be created for that account, but both will remain linked to the authentication method you are using.
In short, Google’s new Passkeys feature is Google’s vision for securing online accounts from prevalent attacks happening every second worldwide. When activated on your account, you can use the “password key” to log in to Google’s apps and services or when suspicious activity requiring additional verification is detected. All you need to do is use the same method you use to unlock your phone or computer, whether it’s fingerprints, facial recognition, or PIN code. However, there are some conditions that must be met in order to activate and use the Passkeys feature on your Google account.
One of these conditions is that if you want to activate the feature on your computer, it must run an operating system that supports biometric authentication, so you will need at least macOS Ventura on a Mac or Windows 10 on desktops and laptops with Windows Hello enabled for screen lock. On your smartphone, the iPhone must run at least iOS 16 or an Android phone must run Android 9. The second condition is to use the latest version of trusted browsers such as version 109 of Chrome or Edge, or Safari 16 on Macs. Finally, if you activate the feature and want to log in to your account from another computer, this computer must support Bluetooth and have it enabled, to ensure the proximity of the account owner to the computer trying to log in from, thereby preventing attackers from remotely hijacking accounts.
Now let’s see how we can activate the Passkeys feature and secure our Google account.
How to Activate Passkeys Feature in Your Google Account
To activate the Passkeys feature on your Google account from your computer or laptop, you first need to open Google Chrome, Safari, or Microsoft Edge browser and make sure it is up to date. Then go to the Google Account page and after logging in to your account using your usual password, click on the “Security” section in the sidebar to display the account security control page. Here, click on the “Passkeys” option under the section “How you sign in to Google.” Alternatively, click on the link via g.co/passkeys to be directed to the required page. Then click on the “Create a passkey” button and then “Continue.”
Read Also: 6 Default Settings You Should Change in Your Google Account
You will be prompted to use the available authentication method in the operating system. For example, on Windows, Windows Hello feature is used for biometric authentication via facial recognition or fingerprint scanning or entering a PIN – depending on what is available on your computer or laptop. When the Windows Security window appears, all you have to do is confirm your identity using the method you usually use to unlock Windows. Once completed, a message “Password key created” will appear, and it will be listed on the “Passkeys” page within the account settings. According to Google, the password key is stored on the computer by the browser and will never be shared with Google or any third party.
Now “password key” has become a primary method for logging into your account on the same device. For example, if you try to log in to your Google account on a new browser from the same computer, after entering the email, a screen will show “Use your password key to prove your identity,” and after clicking “Continue,” you will be asked to use the supported authentication method in the operating system to confirm your identity and then the account will be opened.
Current login mechanisms, including passwords, will still be available when needed. For example, when facial recognition fails due to a camera issue or when logging in from another device running an older operating system that does not support Passkeys, you can use the traditional password or send a verification code via SMS. You will still have the option to “try another way” and use the traditional password or send a verification code if necessary. However, the “password key” will take priority in securing the login process.
You can also activate the Passkeys feature in your Google account directly from your smartphone, either through the web browser by following the same activation steps as on the computer, outlined in the previous paragraphs, or from within one of the Google apps installed on your phone, whether Android or iPhone. For example, if you are using the Google Search app, after launching it, click on the profile picture in the top corner of the screen, then from the menu, click on “Manage your Google account” to open a new window containing the account settings. Then go to the “Security” section, scroll down, and click on “Passkeys.” On the next screen, click the “Create a passkey” button, then “Continue.”
Once again, you will be asked to confirm your identity using the supported authentication method on your phone. For example, if you are using an iPhone, Touch ID technology is used for fingerprint scanning or Face ID for facial recognition, depending on the model you are using, as well as on Android phones. Once you confirm your identity, a message confirming the saving of the password key for future use when logging into your account will appear.
It is worth mentioning that the encrypted password key does not necessarily have to be stored locally on all smartphones but is securely stored in the cloud for synchronization across other devices you own. For example, if you activate the Passkeys feature on your Google account from your iPhone, this password key will be saved in iCloud Keychain and thus will also be available on other Apple devices you use as long as they are linked to the same iCloud account. This ensures your ability to log in using the password key if you lose your devices and makes it easier to switch from one device to another.
After activating the Passkeys feature, the identity verification window via biometric authentication will appear every time you attempt to log in to your Google account from the device where the feature was activated. Here, Google warns against using a shared phone to activate password keys for your personal account, as anyone who can unlock this phone will be able to access your account.
How to Log in Using Passkeys on a New Device
