Chrome now supports passkeys, the password killer

The Google Chrome browser now supports something new to secure your life: passkeys, a stronger, leak-proof version of a password that can use your phone as a token to authorize you to websites.

Passkeys can and will be stored inside the Google Password Manager, or inside apps that support passkeys within future versions of Android, Google said. Passkeys are enabled in the lastest version of Chrome in both Windows 11, macOS, and Android.

Passkeys are surprisingly easy to understand. You’re familiar with a username and password. The latter should be a complex series of letters and numbers — the longer the password the more secure it is, in general. But once they’re exposed in a breach, they can be surprisingly easy to crack. It’s why a password manager, even a free password manager, is the ideal solution — a password manager can generate pseudo-random passwords and store them securely.

But a passkey isn’t a password at all. It’s simply a token that’s stored on your phone. When asked to authenticate you, the token on your phone communicates with the site or app in question. No password is ever used, so no password is ever exchanged or stored.

“A passkey doesn’t leave your mobile device when signing in like this,” Google said. “Only a securely generated code is exchanged with the site so, unlike a password, there’s nothing that could be leaked.” It’s part of an agreement Apple, Google, and Microsoft made in May.

In the real world, then, here’s an example of what you might see:

Passkeys will be stored in password managers, but they don’t actually use passwords to authenticate you.Google

In the example (a fictional bank illustrated by Google), you have the choice of entering a stored password, or using a passkey instead. The user is asked to authenticate the password by simply using their screen lock, presumably a fingerprint reader. One difference here is that some mobile banking apps already allow you to do this. Here, the user is accessing the website itself and is using the same biometric login.

Naturally, you probably wouldn’t use your bank’s website when you could use the (presumably safer) app. But this new capability in Chrome will allow you to replace passwords with passkeys on theoretically any website, provided the site supports them.

On a desktop PC, the process would work in a similar manner. A passkey could presumably replace any site’s password. Here, you would have three options: log in with Windows Hello via your face or fingerprint; log in with your nearby smartphone, much as you would on mobile; or use a USB security key. All three are viable options.

A user uses their smartphone to authenticate with a passkey while accessing a site on their PC, in this example.Google

Replacing passwords with passkeys won’t happen overnight. But as more sites sign on to using them, passkeys will become more important — and so will your phone, as a digital “wallet” for storing them.

Android, Browsers, Security