Chrome and Android are killing passwords with Passkeys - and you can try it now Tom's Guide Skip to main content Tom's Guide is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Here's why you can trust us.

Chrome and Android are killing passwords with Passkeys - and you can try it now

By Anthony Spadafora published 14 October 2022 Passkeys aim to make passwords obsolete once and for all (Image credit: Shutterstock) Google has announced that passkey support will soon be available on both Android and Chrome as part of the search giant's efforts to usher in a passwordless future. Even if you use one of the best password managers to generate strong, complex passwords for each of your online accounts, you can still get hacked. This is because many online services use two-factor authentication (2FA) to further secure your accounts. (Image credit: ShutterPNPhotography/Shutterstock) The problem with 2FA or even multi-factor authentication (MFA) is the fact that hackers can use SMS-based man-in-the-middle attacks to steal the one-time passcodes sent over text to login to your accounts. This can be done by bribing someone at your wireless carrier through a process known as SIM swapping. By bringing passkeys to Android and Chrome, Google aims to further secure your online accounts in a similar way to how Apple did by adding passkey support to iOS 16 and macOS Ventura.

What are passkeys and how do they work

For those unfamiliar, passkeys are unique digital keys that are a safer and more secure alternative to traditional passwords since they can't be reused and are stored in an encrypted format on your devices. Since they aren't stored on a web server in the cloud, if a company falls victim to a data breach, your passkeys won't be exposed. Unlike with security keys, you don't have to bring an additional device with you as they are stored securely on your phone or computer. Passkeys are based on public key cryptography in which a secret private key is stored on your devices while a public key is stored on a web server. As hackers can't easily gain access to your private key, your devices and accounts are much more difficult to hack.

You can try Passkeys in Google Password Manager

(Image credit: Google) According to a new blog post (opens in new tab) from Google, the Google Password Manager backs up and syncs passkeys on Android. If you happen to have two Android devices – say one of the best Android phones and one of the best Android tablets – the passkeys created on one device are also available on the other. Passkeys in Google Password Manager are also always end-to-end encrypted. When a passkey is backed up, its private key is backed up using an encryption key that can only be accessed from your devices. While this helps protect passkeys from hackers, it also prevents Google from accessing them. If you want to use passkeys in Google Password Manager, you will need to set up screen lock on your Android device first. This is done to prevent others who may have access to your smartphone from using one of your passkeys. When it's time to sign in, you can use your saved passkeys along with your fingerprint, face or screen lock. Likewise, you can also use passkeys on your Android device to sign into a site on Chrome with your desktop or laptop. In this scenario, you need to use your phone to scan a QR code on your computer to securely sign in.

New phone no problem

As passkeys are stored on your phone, what happens when you want to upgrade to a new device? Fortunately, when you set up a new Android device, your end-to-end encryption keys are securely transferred when you move the rest of your apps and data to it. It's worth noting that in some cases such as when an older device is lost or damaged, you may need to recover your end-to-end encryption keys from a secure online backup according to Google. To do this, you will need to provide the lock screen PIN, password or pattern from another device that has access to those keys. If you need to restore passkeys on a new device, you will need to be signed into your Google Account and an existing device's screen lock. Google has also made it more difficult for hackers to try and brute force your lock screen PIN or pattern. After 10 incorrect attempts to use screen lock on an existing device, it can no longer be used. However, you can still use screen locks from your other existing devices.

Moving to a passwordless future

(Image credit: Song_about_summer / Shutterstock) Google moving away from passwords is nothing new. In fact, Google, Microsoft, Apple and other tech giants are members of the FIDO Alliance and the World Wide Web Consortium (W3C) which have been working to help drive adoption of secure authentication standards for years now. However, with the introduction of passkeys on Android, Chrome, iOS and macOS and with Microsoft planning to bring them to Windows in the near future, the password as we know it may finally be dead.Today's best Keeper Password Manager deals20% OffReduced Price (opens in new tab)Keeper Password Manager Personal (opens in new tab)$34.99 (opens in new tab)$27.99 (opens in new tab)View (opens in new tab)at Keeper (opens in new tab) (opens in new tab)Keeper Password Manager Family (opens in new tab)$74.99/year (opens in new tab)View (opens in new tab)at Keeper (opens in new tab)

Be In the Know

Get instant access to breaking news, the hottest reviews, great deals and helpful tips. Anthony SpadaforaSenior Editor Security and NetworkingAnthony Spadafora is the security and networking editor at Tom's Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he's not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. More about security The best VPN service in 2022 Hackers can steal your credit card details in the real world - how to stay safeLatest Amazon Fire TV Cube (2022) reviewSee more latest ► Topics Security See all comments (2) 2 Comments Comment from the forums murraybiscuit As passkeys are stored on your phone, what happens when you want to upgrade to a new device?
Not sure what this is saying. If it's saying that the phone stores the private key for an auth request originating on a desktop, I don't think that's the case. The phone serves as a biometric presence because a lot of desktops don't have biometrics, but a phone isn't required for webauthn. Phone and desktop set up a BT connection, which handshakes to open a more secure connection, but that doesn't transfer a private key to the phone in a desktop scenario.

This is explained better here
Ars Technica: Death to passwords: Beta passkey support comes to Chrome and Android. Reply USAFRet Didn't Microsoft say something similar a while ago?

Oh yes, they did:

2018
https://www.microsoft.com/security/blog/2018/05/01/building-a-world-without-passwords/
2021
https://www.pcmag.com/news/microsoft-accounts-no-longer-require-a-password
2022 (along with google and apple)
https://www.newsnationnow.com/business/tech/apple-google-microsoft-no-passwords/ Reply View All 2 Comments MOST READMOST SHARED1Amazon Fire TV Cube (2022) review2The best workout headphones in 20223Daily Quordle #274 - answers and hints for Tuesday, October 254The best business laptops in 20225The best laptops in 2022: 20 top picks tested and rated1The best workout headphones in 20222Daily Quordle #274 - answers and hints for Tuesday, October 253The best business laptops in 20224The best laptops in 2022: 20 top picks tested and rated5Best laptops for college students in 2022