
Your parents will still try to write a 2048-bit RSA key on a Post-it note

RIP Passwords? Passkey support rolls out to Chrome stable

With a huge list of caveats, initial Google passkey support is here.

Ron Amadeo – Dec 9, 2022 7:55 pm UTC

[Image: Please don’t do this. Credit: Getty Images]

Passkeys are here to (try to) kill the password. Following Google’s beta rollout of the feature in October, passkeys are now hitting Chrome stable M108. “Passkey” is built on industry standards and backed by all the big platform vendors (Google, Apple, Microsoft) along with the FIDO Alliance. Google’s latest blog says: “With the latest version of Chrome, we’re enabling passkeys on Windows 11, macOS, and Android.” The Google Password Manager on Android is ready to sync all your passkeys to the cloud, and if you can meet all the hardware requirements and find a supporting service, you can now sign in to something with a passkey.

Passkeys are the next step in the evolution of password managers. Today password managers are a bit of a hack: the password text box was originally meant for a human to manually type text into, and you were expected to remember your password. Then, password managers started automating that typing and memorization, making it convenient to use longer, more secure passwords. Today, the right way to deal with a password field is to have your password manager generate a string of random, unmemorable junk characters to stick in the password field. The passkey gets rid of that legacy text box interface and instead stores a secret, passes that secret to a website, and if it matches, you’re logged in. Instead of passing a randomly generated string of text, passkeys use the “WebAuthn” standard to generate a public-private keypair, just like SSH.

[Image: The passkey process works a lot like autofill. Credit: Ron Amadeo]

If everyone can figure out the compatibility issues, passkeys offer some big advantages over passwords. While passwords can be used insecurely with short text strings shared across many sites, a passkey is always enforced to be unique in content and secure in length. If a server breach happens, the hacker isn’t getting your private key, and it’s not a security issue the way a leaked password would be. Passkeys are not phishable, and because they require your phone to be physically present (!!) some random hacker from halfway around the world can’t log in to your account anyway.

[Image: You can authenticate a Chrome instance with iOS across ecosystems, but you’ll need to use a QR code. Credit: Google]
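The key-pair sign-in described above, sketched as an added example that is not from the article or from Chrome: a simplified WebAuthn-style challenge and signature check in Node.js, in which the site stores only a public key. The origins, the user name and every function name are assumptions, and JSON stands in for WebAuthn's real CBOR structures.

```javascript
// Simplified WebAuthn-style model (hypothetical names; real WebAuthn signs CBOR, not JSON).
const crypto = require('node:crypto');

// Authenticator: generates the key pair; the private key never leaves it.
function createPasskey() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // NIST P-256
  return { privateKey, publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }) };
}

// Authenticator: sign the challenge plus the origin the browser reports.
function signAssertion(passkey, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin });
  const sig = crypto.sign('sha256', Buffer.from(clientData), passkey.privateKey);
  return { clientData, signature: sig.toString('base64') };
}

// Website: stores only public keys and the challenges it has issued.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.keys = new Map(); this.pending = new Set(); }
  register(user, publicKeyPem) { this.keys.set(user, publicKeyPem); }
  newChallenge() {
    const c = crypto.randomBytes(32).toString('base64url');
    this.pending.add(c);
    return c;
  }
  verify(user, { clientData, signature }) {
    const pem = this.keys.get(user);
    if (!pem) return 'unknown-user';
    const data = JSON.parse(clientData);
    if (!this.pending.delete(data.challenge)) return 'bad-challenge'; // single use
    if (data.origin !== this.origin) return 'wrong-origin';
    return crypto.verify('sha256', Buffer.from(clientData), pem,
      Buffer.from(signature, 'base64')) ? 'ok' : 'bad-signature';
  }
}

function demo() {
  const site = new RelyingParty('https://example.test'); // constructed origin
  const passkey = createPasskey();
  site.register('alice', passkey.publicKeyPem);
  const sign = (key, origin) => signAssertion(key, site.newChallenge(), origin);
  const good = sign(passkey, site.origin);
  return {
    first: site.verify('alice', good),
    replay: site.verify('alice', good), // same assertion sent twice
    phished: site.verify('alice', sign(passkey, 'https://examp1e.test')), // look-alike origin
    forged: site.verify('alice', sign(createPasskey(), site.origin)), // key not on file
  };
}
```

`demo()` accepts the genuine sign-in and returns a distinct rejection reason for the replayed assertion, the look-alike origin and the key that was never registered.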

So let’s talk compatibility. Today passkeys essentially require a portable device, even if you are logging into a stationary PC. The expectation is that you’ll use a smartphone for this, but you can also use a MacBook or iPad. The first time you set up an account on a new device, you’ll need to verify that your authenticating device (your phone) is in close proximity to whatever you’re signing in to. This proximity check happens over Bluetooth. All the passkey people are really aggressive about pointing out that sensitive data isn’t transferred over Bluetooth (it’s just used for a proximity check), but you’ll still need to deal with Bluetooth connectivity issues to get started.

When you’re signing in to an existing account on a new device, you’ll also need to pick which device you want to authenticate with (probably also your phone). If both of these devices are in the same big-tech ecosystem, you’ll hopefully see a nice device menu, but if not, you’ll have to use a QR code.

[Image: Chrome’s passkey support by OS, which incredibly does not include Chrome OS. Credit: Google]

Second big issue: Did everybody catch that OS listing at the top? Google supports Windows 11 with passkeys, not Windows 10, which is going to make this a tough sell. Statcounter has Windows 11 at 16 percent of the total Windows install base, with Windows 10 at 70 percent. So if you happen to make a passkey account, you could only log in on newer Windows computers.

Passkeys get stored in each platform’s built-in keystore, so that’s Keychain on iOS and macOS, the Google Password Manager (or a third-party app) on Android, and “Windows Hello” on Windows 11. Some of these platforms have key syncing across devices, and some do not. So signing in to one Apple device should sync your passkeys’ access to other Apple devices via iCloud, and the same goes for Android via a Google account, but not Windows or Linux or Chrome OS. Syncing, by the way, is your escape hatch if you lose your phone. Everything is still backed up to your Google or Apple account.

Google’s documentation mostly doesn’t mention Chrome OS at all, but Google says, “We are working on enabling passkeys on [Chrome for] iOS and Chrome OS.” There’s also no support for Android apps yet, but Google is also working on it.

[Image: The Chrome passkey screen looks just like the normal password manager, but without the text boxes. Credit: Google]

Now that this is actually up and running on Chrome 108 and a supported OS, you should be able to see the passkey screen under the “autofill” section of the Chrome settings (or try pasting chrome://settings/passkeys into the address bar). Next up we’ll need more websites and services to actually support using a passkey instead of a password to sign in. Google Account support would be a good first step; right now you can use a passkey for two-factor authentication with Google, but you can’t replace your password yet. Everyone’s go-to example of passkeys is the passkeys.io demo site, which we have a walkthrough of here.

Update: You don’t necessarily need a phone. I said passkeys “require a phone” but actually it’s any portable device. It will most likely be a phone, but technically you can do the whole Bluetooth/QR Code connectivity dance with an iPad or MacBook, too. If you’re all-in on Apple, you’ll have a lot of this pain alleviated by cloud syncing, but Google doesn’t have a way to seamlessly sync passkeys to every instance of Chrome, the way it does with passwords.