These passkeys use public-key cryptography, so if they’re involved in a data breach, they’re useless to bad actors without your face or your fingerprint. If your phone or laptop is stolen, it will not be possible to access your accounts because the required authentication cannot be provided.
This is not a Google initiative. Such organizations as the FIDO alliance and W3C Web Authentication are working hard to create a passwordless future. This will allow you to access these systems on any device made by Google or Apple.
Configuring and using Passkeys
The good news is that using passkeys is as easy as unlocking your phone—it’s intended to be as straightforward as possible. Passkeys will be available for you to switch to, provided that both the app and device from which you are logging in have passedkey support.
Let’s say Google has finished rolling out passkey support to Android, you’re logging in to an app that has been updated to use passkeys, and you’ve said yes when prompted to make the switch from a standard password. You’ll then be asked to create a passkey, which will involve you having to do the same action you do to unlock your phone—show your face, press down your fingerprint, or enter a PIN. This creates the passkey, authenticates the connection between your device and the app. The same process will be required for any future logins to that app. Like passwords, the length of that authentication can vary. For example, with your banking app you will need to log in everytime, while with a social network account, only one login per device is necessary.
You can also log in via your smartphone to websites on your computer using a QR code. The site will display a QR code that you scan with your phone—once you’ve gone through the unlock process on your mobile device, your identity will be confirmed and you’ll be logged in to the site.
Encrypted synchronization across devices will also be handled—Google Password Manager is adding support for passkeys, for example, so should you lose access to one device, you can still get at your accounts from another one or from the cloud, assuming you’re able to provide the necessary authentication (and you haven’t changed your fingerprints or face in the meantime).