Soon, Android users may sign-in to any website or application using just an Android device. Passwordless authentication is the future, according to leading tech companies such as Apple, Google or Microsoft.
Authentication on the Internet and on local devices relies on passwords for the most part. Some devices support other forms of authentication. On Android, users may sign-in using biometrics, including fingerprints, or by using a PIN.
Not all devices support all forms of authentication on the other hand. As far as websites and services are concerned, most require passwords to sign-in.
The requirement may soon be a thing of the past, as Google just announced the introduction of passkeys support on Android and in Chrome. Major tech companies, including Apple, Google and Microsoft, pledged support for the standard. Users on Apple devices and Windows PCs may also use the new form of authentication in the future.
Passkeys: a replacement for passwords
To better understand Passkeys, it is important to understand how sign-ins work on the Internet and on devices currently.
When a user creates an account on the Internet or in an app, a password needs to be set. This password may have certain restrictions, such as a minimum length or that certain characters need to be included, but is largely up to the user.
Some users use password managers to create secure unique passwords, but many don’t. Password reuse and the use of weak passwords are a huge problem on the Internet. Malicious actors may exploit these weaknesses to take over accounts, for instance through phishing or brute force attacks.
Passwordless authentication systems promise a safer alternative. Passkeys, which Google introduced this week on Android and in Chrome, is a passwordless authentication system.
Passkeys are built on industry standards. They are operating system agnostic, and work across apps and websites, just like passwords.
It is important to realize that Passkeys have several advantages over traditional passwords:
- Each Passkey is valid for a single app or website.
- Server breaches do not leak Passkeys, as the important information is available only on the user device.
- Phishing attacks, at least in the common form, do not work anymore, as users do not need to enter passwords when they authenticate.
Sign-in workflows do not change much with Passkeys, which is another benefit.
One downside to using Passkeys is the Android device requirement. Without the Android device, it is no longer possible to sign-in to sites and apps to authenticate. Some sites may offer fallbacks for that, but not all may provide this alternative in the future.
Sites and apps need to add support for Passkeys before the option becomes available.
The sign-in process with Passkeys
Creating an account using a passkey is a simple straightforward process. All it takes, is the selection of one of the accounts that is available on Android, and verification using one of the supported authentication options, such as using a PIN or a fingerprint.
There is no need anymore to select a password, which was a frustrating experience often.
Signing in to sites requires the same two steps. Select the account the passkey was created for in the first step, and then authenticate using any of the authentication methods available.
Passkeys work across different operating system environments. Windows, macOS, iOS, Android and ChromeOS support the authentication method, or will support it in the future.
Google notes that Android users may use their device’s passkeys functionality on their desktop, notebook and tablet devices as well; this requires the scanning of QR codes, which programs display that support the authentication feature.
A passkey on a phone can also be used to sign in on a nearby device. For example, an Android user can now sign in to a passkey-enabled website using Safari on a Mac. Similarly, passkey support in Chrome means that a Chrome user, for example on Windows, can do the same using a passkey stored on their iOS device.
Google
