Passwordless Authentication: How to Create Passkeys With Google

Tired of trying to remember passwords? So is Google. Welcome to passwordless authentication and Google passkey. Everything is tied to your device and you login using a PIN, biometrics, or pattern. It’s a password alternative and Google’s passkeys work with a growing number of sites/services.

Passkey Requirements

Before you create a Google passkey, your device(s) need to be meet certain requirements. Google requires:

• Windows 10 or later
• macOS Ventura or later
• iOS 16 or later
• Android 9 or later
• A hardware security key with support for FIDO2 protocol
• Chrome 109 or later
• Safari 16 or later
• Edge 109 or later

Currently, passkeys don’t work on other browsers, such as Firefox.

In addition to meeting these requirements, you need to have a screen lock on your device to serve as your login. If you plan to use your phone as your passkey device to log into other devices, such as your PC, you’ll need to turn on Bluetooth as well.

Tip: If you are also using a Chromebook, learn how to change its password.

Create Google Passkeys

While there aren’t a huge number of services using passwordless authentication with Google currently, the number is expected to increase as more sites give users a reprieve from password fatigue. Obviously, your Google account allows you to create a passkey, so for the purpose of this tutorial, let’s go through adding a passkey to a Google account.

On a Mobile Device

1. Go to the Google Passkey site and log in with the Google account you want to add a passkey to. Even if you’re already logged in, you’ll be asked to verify your password.
2. Tap “Use passkeys.”

3. Tap “Done” and you’re all set. It really is that simple.

On Desktop Via Browser

If you want to create a Google passkey on your desktop, either PC or Mac, do the following:

1. Go to the Google Passkey site and log in with the Google account you want to add a passkey to. This is a good option if you want to add a passkey to a secondary Google account.
2. Click “Create a passkey.”

3. Click “Continue.” If you want to use a different device, click “Use another device” and scan the QR code with your phone or tablet.

4. Log into your computer to verify you own the device. In my case, I use my Windows PIN number.

5. Click “Done” to finish. You’ll then see a list of created passkeys.

Do you know: Google Chrome comes with a built-in password manager. Lean how to use it here.

Logging In With Your Passkey

When you set up your Google account on your mobile device, it also ticks the option to skip passwords when possible. Since you’ve already verified yourself as the owner of the account, you don’t have to log back in unless you log out.

However, you’ll use your device’s passkey to log into other devices. For example, I’ll log in to my Windows PC on the Chrome browser using the passkey I created on my Android device.

1. Go to the Google login page in Chrome, Safari, or Edge. These are the only browsers this works on. I tried it on Brave and Firefox and had to use my normal password.
2. Enter your user name as usual.
3. Tap “Continue” when prompted for your Google passkey.

4. Scan the QR code with your phone. Tap “Allow” to connect the two devices. If it’s not a shared device, you can check “Remember this computer.” If it’s a shared device, don’t check this box.

5. Once connected, you’ll confirm the login using your phone’s screen lock.

If you’re logging in on the same device that contains the passkey, all you have to do is verify your device’s screen lock. This can be a PIN, a gesture, or biometric, such as a fingerprint or retina scan.

Turn Off Passkeys

If you lose your device or decide you’d rather go back to your normal passwords, you can do that. Since passwordless authentication is still rather limited, you may still be using your password anyway.

To turn passkeys off:

1. Go to your Google login screen on any device or browser.
2. Login with your passkey or regular password. If you’ve lost the device your passkey is on, you’ll need your password instead. If you’re prompted for the passkey during login, select “Try another way” on the login screen to use a password.
3. Click the “Security” tab. On mobile, scroll to the side to find it.

4. Select “Passkeys.”

5. Scroll down to “Passkeys you created.” Click or tap the “X” next to the passkey to delete it.

6. Confirm by selecting “Remove.”

FYI: Since the Google passkey is saved in your Google account, it is very important that you take the necessary precautions to secure your Google account.

Privacy and Security Considerations

You might worry that passwordless authentication isn’t any safer than a standard password. However, in this case, whatever you use to unlock your device is never sent to the website or app that you’re logging into.

Think of it like this. You’re on a public computer and don’t want to enter your Google password. If you have a passkey attached to your phone, just scan the QR code when prompted and enter your screen lock login. All the public computer gets in return is a “yes, this is the right person.”

Sites and apps never have the same passkey. In fact, your passkey can’t be used to track you since it doesn’t share any personal information.

Another benefit is companies creating passwordless authentication, such as with Google passkey, use end-to-end encryption to protect your passkeys just like a password manager. In Google’s case, passkeys are backed up to the cloud. Without the device they were created on, there’s no way to decrypt them, which means Google and anyone that doesn’t have your device, can’t use them.

You’re also better protected from phishing sites. When you create a passkey, it’s tied to that particular site/app and that one only. If someone sets up a fake site that looks real and you try to login, your passkey won’t work. If it doesn’t work, you know something very phishy is going on.

On the other hand, passkeys can still be bypassed with a traditional password. After all, there has to be a backup login method in the event of a lost or stolen device. You still should create unique and secure passwords as a backup to your passkey. Use your favorite password manager to store them safely.

Frequently Asked Questions

What happens to 2FA if I use a passkey?

Your passkey serves as the first and second step, so 2FA is no longer needed. Since the passkey is tied to your device, using it verifies you’re the owner of the device/account.

If someone steals my device, can they use my passkeys?

Yes. This is why it’s vital to use a unique screen lock. Create a specialized gesture, pattern, or biometric login that’s not easy to duplicate.

If your device is stolen, log in to Google as quickly as possible and delete all passkeys. Then, change your passwords. This will prevent unauthorized access.

If I still have to remember a login, is it really passwordless authentication?

Technically, there is a password. However, unless you’re using a PIN, it’s not the standard numbers/letters/symbols password you’re used to typing in.

Plus, you only have to remember one password for every site you create a passkey for on the same device. Then, that device serves as your login even on other devices. The goal is to eventually have just one password or password alternative for all your sites, apps, and services.

Image credit: Unsplash