These access keys use public key cryptography, so if they are involved in a data breach, they are useless to the bad guys without your face or fingerprint. Likewise, if your laptop or phone is stolen, your accounts cannot be accessed because you will not be there to provide the necessary authentication.
This isn’t just a Google initiative. Organizations like the FIDO Alliance and W3C Web Authentication Group are also committed to working towards a password-free future, so you’ll be able to use these systems on any device, made by Google, Apple, Microsoft, or any other hardware manufacturer.
Configuring and using passkey
The good news is that using passwords is as easy as unlocking your phone – it’s meant to be as simple as possible. You will be able to choose to switch to a passkey system for your accounts, but only when the app you are signing in to and the device you are using have been updated with passkey support.
Let’s say Google finished rolling out passkey support on Android, you’re logging into an app that has been updated to use passkeys, and you said yes when asked to switch from a standard password. You will then be asked to create a passkey, which implies that you will have to perform the same action you do to unlock your phone: show your face, press your fingerprint or enter a PIN. This creates the passkey and authenticates the link between the app in question and the device in hand. Whenever you need to log into that app in the future, you’ll need to go through the same unlocking process. As with passwords, the duration of authentication varies: with your banking app, you’ll usually have to log in each time, while with a social media account, one login per device is often enough.
You will also be able to access sites on your computer via your phone via the magic of a QR code. The site will display a QR code that you will scan with your phone: once you have completed the unlocking process on your mobile device, your identity will be confirmed and you will be connected to the site.
Encrypted syncing between devices will also be handled – Google Password Manager is adding support for passkeys, for example, so if you ever lose access to one device, you can still access your accounts from another or the cloud, assuming that you are able to provide the necessary authentication (and you haven’t changed your fingerprint or face in the meantime).