Tech giant Google has introduced a new passkey feature for Android and Chrome devices to provide additional security for users.
People will soon be able to use this option to authenticate their identity with PINs or biometric authentication when logging in to any website or app, instead of using a password, Google said in a blog post. Google is pitching this as a safer option for users than the traditional two-factor authentication method.
Passkeys are a safer alternative to passwords and other phishable forms of authentication.
However, the feature is currently available only to developers, and Google plans to offer passkeys to regular users later this year. The company says users will be able to create and use passkeys on Android devices without worrying about syncing issues because the passkeys will be backed up to Google Password Manager. Backing up to a cloud service is important because when a user sets up a new Android device by transferring data from an older device, existing end-to-end encryption keys will be securely transferred to the new device, according to Google.
Developers can now enroll in the Google Play Services beta to test the new authentication standard for their Android apps. Web admins can also build passkey support into their sites for end users using Chrome via the WebAuthn API, on Android and other supported platforms. In the coming weeks or months, Google will also release an API for native Android apps, which will allow mobile applications to use web passkeys to log in.
You will be able to easily create a passkey on your Android phone by simply choosing a Google account and then authenticating your identity using the registered fingerprint or face unlock to complete the process.
Google says a “passkey is a cryptographic private key. In most cases, this private key lives only on the user's own devices, such as laptops or mobile phones. When a passkey is created, only its corresponding public key is stored by the online service. During login, the service uses the public key to verify a signature from the private key. This can only come from one of the user's devices. Additionally, the user is also required to unlock their device or credential store for this to happen, preventing sign-ins from e.g. a stolen phone.”
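The sign-in check described above can be sketched as follows. This is an added example, not code from Google or from the article: the function names and the `https://shop.example` origin are hypothetical, and the signed message is simplified (real WebAuthn signs the authenticator data plus a hash of the client data). The challenge and origin checks come from the WebAuthn design rather than from the article text.

```javascript
const nodeCrypto = require('node:crypto');

const RP_ORIGIN = 'https://shop.example'; // constructed relying-party origin (assumption)

// Registration: the private key stays on the device, the service keeps only the public key.
function createPasskey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { devicePrivateKey: privateKey, storedPublicKey: publicKey };
}

// Device side: sign the server's challenge together with the origin the browser saw.
function signAssertion(devicePrivateKey, challenge, origin) {
  const clientData = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  return { clientData, signature: nodeCrypto.sign('sha256', clientData, devicePrivateKey) };
}

// Service side: check freshness and origin, then verify with the stored public key.
function verifyAssertion(storedPublicKey, expectedChallenge, assertion) {
  let data;
  try { data = JSON.parse(assertion.clientData.toString('utf8')); } catch { return 'malformed'; }
  if (!data || data.type !== 'webauthn.get') return 'bad-type';
  if (data.challenge !== expectedChallenge.toString('base64url')) return 'challenge-mismatch';
  if (data.origin !== RP_ORIGIN) return 'wrong-origin';
  const ok = nodeCrypto.verify('sha256', assertion.clientData, storedPublicKey, assertion.signature);
  return ok ? 'ok' : 'bad-signature';
}

// Constructed scenarios: one valid sign-in and three that the service must reject.
function demo() {
  const { devicePrivateKey, storedPublicKey } = createPasskey();
  const challenge = nodeCrypto.randomBytes(32); // fresh per login attempt
  const good = signAssertion(devicePrivateKey, challenge, RP_ORIGIN);
  const lookalike = signAssertion(devicePrivateKey, challenge, 'https://shop-login.example');
  const otherDevice = signAssertion(createPasskey().devicePrivateKey, challenge, RP_ORIGIN);
  return {
    legitimate: verifyAssertion(storedPublicKey, challenge, good),
    replayed: verifyAssertion(storedPublicKey, nodeCrypto.randomBytes(32), good),
    lookalikeOrigin: verifyAssertion(storedPublicKey, challenge, lookalike),
    unregisteredKey: verifyAssertion(storedPublicKey, challenge, otherDevice),
  };
}

console.log(demo());
```

Because the service stores only the public key, a breach of its credential database exposes nothing that can be used to sign in.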