Google on Wednesday officially rolled out support for passkeys, the next-generation authentication standard, to both Android and Chrome.
“Passkeys are a significantly safer replacement for passwords and other phishable authentication factors,” the tech giant said. “They cannot be reused, don’t leak in server breaches, and protect users from phishing attacks.”
The feature was first announced in May 2022 as part of a broader push to support a common passwordless sign-in standard.
Passkeys, established by the FIDO Alliance and also backed by Apple and Microsoft, aim to replace standard passwords with unique digital keys that are stored locally on the device.
To that end, creating a passkey requires confirmation from the end-user about the account that will be used to log in to the online service, followed by using their biometric information or the device passcode.
Signing in to a website on a mobile device is also a simple two-step process that entails selecting the account and presenting their fingerprint, face, or screen lock when prompted.
The underlying principle that powers passkeys is a mechanism called public-key cryptography, wherein the “secret” private key is stored on the user’s device while the public key is stashed by the online service.
Thus during a login process, a platform that supports passkeys uses the public key to verify a signature from the private key to confirm the authenticity of the user.
The passkey private key generated per user account for an online service is also encrypted at rest on the user’s devices with a hardware-protected encryption key.
The most compelling advantage to passkeys is that they are also browser and operating system-agnostic, meaning an Android user can log in to a passkey-enabled website using Safari on iOS or macOS, or the Chrome browser on Windows.
Google also noted that the generated passkeys are securely stored and synced to the cloud via its Password Manager to prevent lockouts, adding developers can integrate passkey support on their sites using the WebAuthn API.
“When a passkey is backed up, its private key is uploaded only in its encrypted form using an encryption key that is only accessible on the user’s own devices,” Google software engineer Arnar Birgisson said.
“This protects passkeys against Google itself, or e.g., a malicious attacker inside Google. Without access to the private key, such an attacker cannot use the passkey to sign in to its corresponding online account.”
The internet giant further said that it aims to release an API for native Android apps in 2022 that will give users a standardized way to select either a passkey or a saved password.