Passkeys rely on industry-standard APIs and protocols (FIDO2 and WebAuthn) that bind each credential to the site it was created for, which is what makes them resistant to phishing attacks. Google says passkeys are the result of an industry-wide effort combining secure authentication standards developed within the FIDO Alliance and the W3C Web Authentication Working Group.
Passkey support on Android and Chrome
A passkey identifies a specific user account on a specific online service; a user has a different passkey for each service. Google says that, from the user's perspective, signing in with a passkey works the same way as using a saved password.
A passkey is based on a cryptographic private key. In most cases this private key resides only on the user's own devices, such as laptops or mobile phones. When a passkey is created, the online service stores only the corresponding public key, so a breach of the service's credential database does not expose anything an attacker could use to authenticate as the user.
On Android, Google Password Manager backs up and synchronizes passkeys. If a user sets up two Android devices with the same Google account, a passkey created on one device is available on the other. This applies both when the user owns several devices at the same time and when the user replaces an old device with a new one.
Passkeys in Google Password Manager are always end-to-end encrypted. When a passkey is backed up, its private key is uploaded only in encrypted form, under an encryption key that is accessible only on the user's own devices. This protects the passkeys from Google itself, including a malicious insider at Google.
Creating or using passkeys stored in Google Password Manager requires that a screen lock be set up. This prevents others from using the passkey even if they have physical access to the user's device. When a user sets up a new Android device by transferring data from the old one, the existing end-to-end encryption keys are securely transferred to the new device. If the old device is lost or damaged, however, the user must restore the end-to-end encryption keys from a secure online backup.
To recover the end-to-end encryption key, the user must provide the lock screen PIN, password, or pattern of another device that has access to those keys. Google says that restoring passkeys on a new device therefore requires both signing in to the Google Account and the screen lock of an existing device. The recovery mechanism protects against brute-force guessing even where that screen lock is a short PIN or a pattern: after a small number of consecutive incorrect attempts to provide an existing device's screen lock, that screen lock can no longer be used to recover the keys.