Android and Chrome take their first steps towards a blissfully password-free future
Signing in to accounts sucks. Password resets, two-factor prompts, hackers breaching databases — who needs the aggravation? This is exactly why we’ve been so excited over the past few months, after Google shared word that a brave new passwordless future was on its way to Android and Chrome. Thanks to cryptographically signed passkeys stored on your phone, you’ll be able to securely and easily access your favorite services — and that all gets started today.
The idea of accessing your accounts without explicitly entering your login credentials may sound like something halfway between bizarre and just an outright bad idea, but when you really think about it and look at what Google is implementing, it’s not that far off from how we already deal with saved passwords.
Core to this concept is the idea of a “passkey” — a digital record connecting your personal information with a particular service, securely signed via chain of trust, and stored on a device like your phone. And just like other data you keep safe on your phone, you can access it with convenient biometrics like a fingerprint — which is a heck of a lot easier and more secure than typing in a password.
Android is picking up support for passkeys through the Google Password Manager, which will help keep them synced across your hardware — this is all end-to-end encrypted, so even with Google coordinating distribution of your passkeys, it can’t access them and use them to get into your accounts.
Initial support is largely built around accessing web services, and in addition to using passkeys on your phone to streamline access on mobile, you’ll also be able to use them to connect on desktop: Chrome on your PC could display a QR code for a service, which you then scan with your phone to authorize the passkey. Up next, Google’s working on giving devs access to an Android API for native passkey support, due to arrive sometime later this year.
There’s a lot of work to go before any of this feels remotely mainstream: apps and websites need to be updated, third-party password managers need to get ready for this sea change, and users will have to be educated about these new interactions. But with the promise of more robust mobile security, and just less of a headache for all things authentication-related, we’re very excited to see this endeavor finally starting to get underway.