Ask a Techspert: What are passkeys?
For those of us who’ve spent a quarter century memorizing passwords — reworking pet names, birthdays and sports teams into our sign-in credentials — it’s easy to yearn for simpler times. Plus, filling our heads with random numbers and special characters is an imperfect defense. A decade of data breaches, hacks and phishing attempts has transformed passwords from a person’s first line of defense into their primary security vulnerability.
To help, along with Apple and Microsoft, we announced last year that we would support a new sign-in standard created by the FIDO (Fast IDentity Online) Alliance that would allow people around the world to enter a “passwordless future.” This joint effort to create a safer alternative to passwords is rooted in passkeys — and starting today, you can sign up for passkeys using the “skip password when possible” prompt in your Google account.
Passkeys are a new feature on computers and smartphones that securely log you into your accounts across the web by using biometrics like a fingerprint or face scan, or a screen lock PIN. No more remembering passwords for every one of your accounts on apps and websites — passkeys take care of securely completing authentication with a service on your behalf.
While we welcome a more secure future, as with any new technology we had a few questions. To get answers, we sat down with Google Security expert Christiaan Brand. Read on for an informative Q&A with Christiaan, which has been edited for length and clarity.
In simple terms, what is a passkey?
A passkey is a FIDO credential stored on your computer or phone, and it is used to unlock your online accounts. The passkey makes signing in more secure. It works using public key cryptography, and proof that you own the credential is only shown to your online account when you unlock your phone.
To sign into a website or app on your phone, you just unlock your phone — your account won’t need a password anymore.
Or if you’re trying to sign into a website on your computer, you just need your phone nearby and you’ll be prompted to unlock your phone — which will then grant you access on your computer.
You talk about a “passwordless future” — will passkeys really replace passwords?
Yes, passkeys will replace passwords. It’s even broader than that. I’d say our vision for passkeys is to not only get rid of passwords, but also eliminate all the Band-Aids the industry has designed to make up for the fact that passwords are so vulnerable.
And by “Band-Aids” you mean challenge questions like “What was your high school mascot?” or “What is your mother’s maiden name?”
Yes, but even more sophisticated fixes like multi-factor authentication, SMS messages, or authenticator apps. For example, we built the Google Authenticator App to give people an extra layer of security on the web. Passkeys will replace all of this.
We rarely hear the words “public” and “cryptography” in a single phrase — how does it actually work?
Public key cryptography has been around since the 1970s — the web is built on it. In the 1990s, Netscape developed encryption based on public keys called Secure Sockets Layer — or SSL — as a means of authenticating websites and ensuring user privacy. Secure websites all have them and it’s how you can identify whether a website is authentic and what it claims to be.
So it authenticates websites — but how does that authenticate people?
Passkeys are similar to SSL, more recently called TLS. But instead of systems authenticating each other, a person has the corresponding private key on their device. The cryptography portion of this is that the website can confirm that the user’s device — which biometrics confirm is in their possession — has the passkey. Because of the cryptography, the server never actually learns what the user’s passkey is. That’s the magic of public key cryptography. It can validate you without knowing anything about you. It just confirms you are who you say you are.
So if this cryptography has been around since the 1970s, why have we been memorizing passwords since the 1990s?
Public key cryptography needs computing power. Up until about 2010, most people weren’t walking around with computers in their pockets.
That’s what smartphones are. Pocket computers. And while smartphones have been perceived as vulnerabilities, passkeys can transform them into the biggest shift for online security in decades.
OK, but if you lose your phone, can the person who finds it use your passkey?
No, because the phone is only part of it. In the past, logging onto a secure website required two things: you just had to have a machine to access the internet, and you needed to remember something, like your password. That means that if someone got your password, all they needed was access to the internet — from anywhere.
Passkeys are an evolution. They authenticate that you are in possession of your device, and that you are the one accessing your account. It’s zero-trust in that it requires that something about you must be true. That’s more secure and simpler for people.
Your fingerprint, your face: the ability to unlock your device — these things and your device must be in your possession. If someone gets your device, they can’t do anything with your passkey. And if you lose your old device containing your passkey, you can easily create a new passkey on your new device.
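To make two of Christiaan’s points concrete — that the website only ever holds a public key and checks a signature without learning the passkey (the public key cryptography answer above), and that a passkey is useless without both the device and the ability to unlock it (this answer) — here is an added example. It is not from the interview and not Google’s or the FIDO Alliance’s code. It simulates passkey registration and login in Python using only the standard library: a Device object keeps the private key and signs a fresh server challenge only when unlocked, and a Server object stores the public key and verifies the signature. Real passkeys use ECDSA or EdDSA over the WebAuthn protocol; this stand-in uses Schnorr signatures over a small group generated at run time so it needs no dependencies, and the names Device, Server, bank.example, bank-example.net and alice are constructed for the demo.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=24):
    """Miller-Rabin test; enough for generating a demo group."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(p_bits=512, q_bits=160):
    """Schnorr group: primes p, q with q | p-1 and g of order q (toy sizes for a demo)."""
    q = 0
    while not is_probable_prime(q):
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
    p = 0
    while not is_probable_prime(p):
        k = secrets.randbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))
        p = k * q + 1
    g = 1
    while g == 1:
        g = pow(secrets.randbelow(p - 3) + 2, k, p)  # h^k has order q unless it is 1
    return p, q, g

def _challenge_hash(r, rp_id, challenge, q):
    """e = H(r || rp_id || challenge) mod q; hashing the site id binds the login to that site."""
    data = r.to_bytes((r.bit_length() + 7) // 8, "big") + rp_id.encode() + challenge
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

class Device:
    """The phone: one private key per site, never exported; signs only when unlocked."""
    def __init__(self, group):
        self.p, self.q, self.g = group
        self._keys, self.unlocked = {}, False  # unlocked is set by fingerprint/face/PIN
    def register(self, rp_id):
        x = self._keys[rp_id] = secrets.randbelow(self.q - 1) + 1
        return pow(self.g, x, self.p)  # only the public key y = g^x goes to the server
    def sign_challenge(self, rp_id, challenge):
        if not self.unlocked:
            raise PermissionError("device is locked")
        if rp_id not in self._keys:
            raise LookupError("no passkey for " + rp_id)  # a look-alike site gets nothing
        k = secrets.randbelow(self.q - 1) + 1
        r = pow(self.g, k, self.p)
        e = _challenge_hash(r, rp_id, challenge, self.q)
        return e, (k + self._keys[rp_id] * e) % self.q

class Server:
    """The website: keeps only public keys and single-use challenges."""
    def __init__(self, rp_id, group):
        self.rp_id, (self.p, self.q, self.g) = rp_id, group
        self.public_keys, self.pending = {}, {}  # a leaked public key cannot sign anything
    def begin_login(self, username):
        self.pending[username] = secrets.token_bytes(32)  # fresh random challenge
        return self.pending[username]
    def finish_login(self, username, signature):
        challenge = self.pending.pop(username, None)  # each challenge is usable once
        y = self.public_keys.get(username)
        if challenge is None or y is None:
            return False
        e, s = signature
        r = pow(self.g, s, self.p) * pow(y, self.q - e, self.p) % self.p  # g^s * y^-e
        return _challenge_hash(r, self.rp_id, challenge, self.q) == e

def demo():
    """Registration, one genuine login, then locked-device, replay and look-alike cases."""
    group = make_group()
    phone, bank = Device(group), Server("bank.example", group)
    bank.public_keys["alice"] = phone.register("bank.example")
    try:  # locked phone: the challenge is never signed
        phone.sign_challenge("bank.example", bank.begin_login("alice"))
        locked_rejected = False
    except PermissionError:
        locked_rejected = True
    phone.unlocked = True
    challenge = bank.begin_login("alice")
    sig = phone.sign_challenge("bank.example", challenge)
    login_ok = bank.finish_login("alice", sig)
    bank.begin_login("alice")  # a captured signature does not match the next challenge
    replay_rejected = not bank.finish_login("alice", sig)
    try:  # look-alike domain: no passkey registered for it, so there is nothing to sign
        phone.sign_challenge("bank-example.net", challenge)
        phishing_rejected = False
    except LookupError:
        phishing_rejected = True
    return {"login_ok": login_ok, "locked_rejected": locked_rejected,
            "replay_rejected": replay_rejected, "phishing_rejected": phishing_rejected}
```

Calling demo() returns four True values. The design choice worth noticing is what the server never receives: register() hands over only y = g^x, and finish_login() recomputes g^s * y^-e to check the signature, so a stolen server database contains nothing that can be replayed as a credential, and a look-alike domain never even gets a signature because the device has no key stored under that site id.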
And you can have more than one passkey on multiple devices?
Yes, you can have many passkeys and even have passkeys on devices shared with your family. That’s one of the big leaps. The cryptography means passkeys — however many you have, and wherever they are stored — are only useful to the user.
This seems like one of the first security advances that require people to do less.
That’s true — and that’s part of the zero-trust innovation. Since we all have a lot on our minds, we can focus on other things while simultaneously being more secure.
On innovation. They say — I think — that great innovations solve familiar problems. At their best, innovation means the problems that worry us will make our children yawn. What everyday security concerns do passkeys solve that will make my children yawn?
Three things that fall into that category:
First, passwords getting stolen. We hear every week about some company getting hacked and passwords being stolen. Since people often recycle passwords across the web, that can give bad actors access to a lot of different accounts — email, banking, social media. Passkeys stop that.
Second, authentication is imperfect and time consuming. Authentication means that even if someone gets ahold of your password, they would still need another piece of data. It’s why we built the Google Authenticator App. The app helped mitigate data breaches. But that still means a person has work to do — and it puts the burden on the individual user. It’s time consuming. The user shouldn’t be so alone in security and authentication — and for a couple of decades they largely have been.
Third, kids will look back on “phishing attempts” as amateur theatrics. Phishing is when someone sends you an email, it looks official, and you click on the link and you start typing your credentials. Phishing attempts have grown more sophisticated and sometimes people will not only be tricked into giving their username and password, but authentication info and other personal details. Plus, phishing also puts the burden on users to determine how credible an email or website looks. That’s not very technical. Passkeys can solve the phishing problem.
One question a lot of people will have — and that concerns biometrics like fingerprints and facial recognition. Do you think people should be concerned about biometrics working with their device to empower passkeys?
None of our modern devices, laptops, smartphones or desktops — even those that use biometrics — can package biometric info and send it to the cloud. Modern smartphones aren’t built to share biometrics. It’s always local and on your device. Even if your device gets stolen, the thief won’t have your biometrics to activate the passkey.
We know that new technology takes time to earn trust and achieve widespread adoption. We also live in an age when lots of new digital novelties sort of masquerade as breathtaking innovation. How can people be sure passkeys are worth their time?
They can set up passkeys next time they’re prompted by a service. Spend a little time, and then save a lot of time and mental energy after that — and be a lot more secure.