google app logo on mobile device

Google Passkeys: How to create one and when you shouldn’t

Google has just brought users closer to a passwordless future.

In a recent blog post, the tech giant introduced the option to create and use a safer, more convenient alternative to passwords: Passkeys, a form of digital credential. So, how do they work?

Passkeys are generated using public-key cryptography, or asymmetric encryption, which involves using a pair of public and private keys. The public key is stored on the side of the app or website, while the private key, a main component of the passkey, is stored on the device. Websites have no access to the value of the passkey. When a Google user logs in to their account using a passkey, Google checks if the website has a corresponding public key.

This method of authentication makes accounts significantly more resilient, because, unlike a password, the key can’t be phished, stolen from the website it’s stored on, or intercepted in transit. It also means the account cannot be subject to an attack as a result of a weak password or password re-use, because there is no password.

As the authors of the blog put it:

“Using passwords puts a lot of responsibility on users. Choosing strong passwords and remembering them across various accounts can be hard. In addition, even the most savvy users are often misled into giving them up during phishing attempts. 2SV (2FA/MFA) helps, but again puts strain on the user with additional, unwanted friction and still doesn’t fully protect against phishing attacks and targeted attacks like ‘SIM swaps’ for SMS verification. Passkeys help address all these issues.”

The blog authors identified some benefits users could get out of using Google passkeys:

  • Guaranteed access. Suppose you created a passkey on a Google account you access with your smartphone. In that case, you can use this passkey to access that Google account on other devices like a laptop. Synchronizing the passkey to the device isn’t needed as long as the phone is near the device and you approve the sign-in on your phone. If you create a passkey for your laptop—or for each device you own—you won’t need your phone anymore to access your Google account.
  • Backup” key. Some platforms securely back up your passkeys and sync them with other devices. For example, a passkey created on your iPhone will also be available on your other Apple devices if you’re logged in to the same iCloud account. This prevents a user from getting locked out if they lose a device. Passkeys also make upgrading to a new device easier, as you only need to sync it with the rest of your devices.
  • Phishing and breach protection. Because passkeys cannot be stolen, phishers won’t be able to get their hands on your account credentials. Similarly, passkeys cannot be reused or exposed in a data breach.
  • It can replace physical security keys. Google said that passkeys are “strong enough that they can stand in for security keys for users.” A security key is a physical device used to sign in to your accounts. Like passkeys, it’s another passwordless method of authentication. An example of a security key is YubiKey.

It’s worth noting that passkeys use the three common types of information used in MFA: Something you have (like a smartphone), something you are (your biometrics), or something you know (like a PIN or pattern). This makes passkeys a form of MFA. However, according to the FIDO Alliance, some regulatory bodies have yet to make this recognition, something the alliance is already actively working towards.

Minimum hardware and software requirements

Google has listed what you’ll need in order to create a passkeyWindows 10 or macOS Ventura (or later) running Chrome 109, Safari 16, or Edge 109 (or later), or iOS16 or Android 9 (or later) on a mobile device.

You also need to enable screen lock, especially Bluetooth, if you want to use passkeys on the phone to sign in to another device.

When you shouldn’t create a passkey

Passkeys should only be created on devices you personally control. That said, you shouldn’t be able to make a passkey using a Google Workspace account through a school or employer. However, Workspace account administrators will enable passkeys for user sign-ins “soon“. You also shouldn’t create one on devices you share with other people, like your family computer, as anyone using the device will have access to your Google account. Even if you sign out of your account, once a passkey is created on that device, anyone who can unlock the device can sign in back into your account with the passkey.

How to create a passkey in two simple steps

I used an iOS device here.

1. Go to g.co/passkeys to trigger the process.

first page you see when setting up passkey

You can also log in to your Google account. From the Home page, go to Security. Scroll down to How you sign in to Google and pick Passkeys as an added sign-in option. You’ll land on the same page as above.

another way to access passkey

2. Click Create a passkey. An overlay will display, confirming that you can create a passkey on the device. Click Continue.

prompt saying user can create a passkey on the device

Note: If you have your iCloud Keychain disabled, your device will prompt you to enable it.

iOS prompt asking users to enable iCloud KeyChain

And you’re done!

The first time you sign in, the computer displays a QR code you can scan with your mobile device’s camera. Once signed in, you may be prompted to create a passkey for the computer. As we’ve said, only agree if you don’t share the computer with anyone.

If in the future, you decide to stop using passkeys, Google gives you the option to remove them. You can also opt out of using passkeys entirely. In cases when devices have been lost or stolen, or the passkey goes missing or unavailable, you can check Google’s recommendations on this Account Help page.

Google isn’t the only company that has been working on an alternative to passwords. Apple and Microsoft have also announced they’ll support passkeys on their respective platforms to address password problems. 

Watch this space!


Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

ABOUT THE AUTHOR

Jovi Umawing

Knows a bit about everything and a lot about several somethings. Writes about those somethings, usually in long-form.