Google’s Passkey is just another nail in the password coffin

Nacho Palou    17 May, 2023

Google’s Passkey offers users the possibility of using an access key to identify themselves on websites or apps without typing their username and password.

Google explains that the passkeys replace traditional (and burdensome) passwords. A new mechanism in addition to Google’s “Skip password when possible” function, such as accepting a notification from another device.

Passkeys are an alternative to username and password credential systems.

The end of passwords is a desire and a necessity that many users have been demanding for years. Not only for convenience, but above all, for security. Passwords are “primitive” and have too many flaws.

What is a passkey?

n this context, when we talk about a passkey, we mean a digital credential that identifies us to a system (such as a web page or service, or an app) using a PIN or biometric identification.

That is, instead of authenticating ourselves by typing something we know (username and password) we also identify ourselves with something we are or have:

  • Drawing an unlock pattern on our device.
  • Type a PIN number.
  • Using our fingerprints.
  • Identifying ourselves by our faces.

The result is similar to when the operating system or web browser saves passwords. But with an additional layer of security that verifies the identity of the person trying to use those saved credentials.

How does Google Passkey work?

Unlike username and password-based credentials, passkeys use asymmetric or public key cryptography.

In other words, the credential is made up of two mathematically related keys:

  • The public key, which is stored on the website or in the app.
  • The private key, which is stored on the user’s device.

Since the website or app only stores the public key, password theft or leak does not expose the user’s credentials. An attacker with only the public key cannot do anything with it: neither identify the user nor access the user’s account.

This is one of the reasons passkeys are more secure than passwords. Even with the device that stores the private key (the other “half” of the key) an attacker will still have to circumvent one of the identification systems we mentioned —PIN, unlock pattern, fingerprint, or facial recognition.

Improved phishing protection

Passkeys keeps a record that links each private key to the app or website that holds the public key, unique in each case. So a passkey is not activated when accessing a malicious site, because can only be used on the website or app where it was generated.

Passkey are based on the FIDO standard and work on Android, Chrome, Windows, Edge, macOS, iOS, Safari, etc. …

Passkey is based on the FIDO (Fast Identity Online) specification of the FIDO Alliance that applies more robust authentication factors than passwords. Its purpose is to promote a common mechanism that saves us from remembering or managing passwords.

However, above all, it aims to strengthen security by better protecting users. This includes, for example, preventing attacks designed to steal passwords and access credentials, such as phishing attacks.

Goodbye to the two-factor authentication (2FA)

Passkey adds an additional benefit for users: passkeys make two-factor authentication (2FA) through mechanisms such as SMS codes, security calls or email links unnecessary.

Example of two-factor authentication (2FA). Photo: Photo by Ed Hardie on Unsplash

Two-factor authentication is now an essential mechanism to strengthen security and protect against credential theft or unauthorized access. However, it is also cumbersome because it requires taking a call or waiting for an SMS or email with a numeric code or link.

How to set up Google Passkey

To use Passkey the Android, iOS, Windows or macOS device must meet a series of minimum requirements that can be checked here.

To activate Passkeys:

  1. Go to and log in with your Google account.
  2. Click on the Create passkey option.
  3. Choose which device you want to create the passkey on.

Once created, the passkey is saved on the selected device. It can then be used to log in to Google without typing the username and password.

It is critical to note that once a key is created it can be used by anyone who has access to that device. For example, another person who has your mobile and knows the PIN or unlock pattern.

The passkey is stored on that device and cannot be removed, although it can be shared with other devices belonging to the same user.

In case of loss or theft of the device that stores the passkey, it will be necessary to access the Google account (this time with the usual password) and delete the keys associated with the lost device.

Featured photo: Florian Berger / Unsplash.