Passkeys let you sign into a website with a fingerprint, face scan, or screen lock PIN, the same way you unlock your device, and Google is rolling out support for them now. They are generated on the device in conjunction with the service and sit there as little keys that are used when a site requests them.
Think of them as a little key that can only be accessed by the user who owns the phone. Also think of this as a mass of keys that can be accessed via PIN unlock, and your grandpa just got phished by a piece of malware using 1234 as his screen unlock code.
For the user it doesn’t appear to be that different a user experience from having Google suggest a strong password and saving it for autofill, but it appears that the passkey never leaves the device (I don’t know how that works), and I suspect it’s probably got a lot going for it that I’m not getting from their blog.
At the moment they’re an additional method of logging into a system or service and not a complete replacement for traditional passwords, but in the future your phone might hold the primary method of logging into secure websites like your bank, or TotalFark.
I’ve read two separate things indicating that there will be no cloud backup for passkeys, and that there will. I went ahead and asked Google’s AI about it and it indicated you have the option to cloud sync them and they’ll be encrypted, but I wouldn’t trust the current state of Google’s AI chatbot to be correct.
One thing I am looking forward to is that this will probably stop all these websites asking you to update your password when your password on that website is never going to be compromised… ever. Forcing users to keep coming up with password after password causes them to come up with weaker passwords, in my experience.
It should also make phishing a lot harder, since if you’re tricked into going to a website that looks like your bank, the passkey is simply not going to function, which should serve as a huge red flag that something is afoot. [Googleblog]
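Here is a toy model of why a passkey "simply won't function" on a lookalike site, and why the key never has to leave the phone. This is an added illustration written for this post, not Google's code or a WebAuthn library: the domain names are constructed, the clientData is a plain "origin|challenge" string rather than real clientDataJSON, and the Authenticator and RelyingParty types are stand-ins for the phone and the bank's server. The device stores each private key under the site's rpId (its effective domain), so a page at a different domain cannot even find it; and the server checks the rpIdHash, origin, challenge, signature and sign counter before accepting a login.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Authenticator plays the phone. Private keys are indexed by rpId and never exported.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register mints a P-256 key pair for rpId; only the public half leaves the device.
func (a *Authenticator) Register(rpId string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpId] = priv
	return &priv.PublicKey, nil
}

// rpIdFromOrigin mirrors the browser: the passkey is looked up by the page's real domain.
func rpIdFromOrigin(origin string) string {
	host := strings.TrimPrefix(origin, "https://")
	if i := strings.IndexByte(host, ':'); i >= 0 {
		host = host[:i]
	}
	return host
}

// Assertion is the signed response the device hands back to the site.
type Assertion struct {
	AuthData   []byte // sha256(rpId) || flags(1) || signCount(4)
	ClientData []byte // "origin|hex(challenge)" stands in for clientDataJSON (assumption)
	Signature  []byte // ASN.1 ECDSA over sha256(AuthData || sha256(ClientData))
}

// Assert signs a challenge for the site at origin, if a credential exists for its rpId.
func (a *Authenticator) Assert(origin string, challenge []byte, signCount uint32) (*Assertion, error) {
	rpId := rpIdFromOrigin(origin)
	priv, ok := a.keys[rpId]
	if !ok { // the phishing-resistance step: a lookalike domain has no key to use
		return nil, fmt.Errorf("no passkey for rpId %q", rpId)
	}
	rpHash := sha256.Sum256([]byte(rpId))
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], signCount)
	authData := append(append(rpHash[:], 0x01), cnt[:]...) // 0x01 = user present (screen unlock)
	clientData := []byte(fmt.Sprintf("%s|%x", origin, challenge))
	cdHash := sha256.Sum256(clientData)
	toSign := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, toSign[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, ClientData: clientData, Signature: sig}, nil
}

// RelyingParty plays the website; it stores only public keys and a per-user sign counter.
type RelyingParty struct {
	RPID, Origin string
	pub          map[string]*ecdsa.PublicKey
	lastCount    map[string]uint32
}

func NewRelyingParty(rpId string) *RelyingParty {
	return &RelyingParty{RPID: rpId, Origin: "https://" + rpId,
		pub: map[string]*ecdsa.PublicKey{}, lastCount: map[string]uint32{}}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pub[user] = pub }

// Verify runs the server-side checks a relying party must do before accepting a login.
func (rp *RelyingParty) Verify(user string, challenge []byte, as *Assertion) error {
	pub, ok := rp.pub[user]
	if !ok || len(as.AuthData) != 37 {
		return errors.New("unknown user or malformed authData")
	}
	want := sha256.Sum256([]byte(rp.RPID))
	if !bytes.Equal(as.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch: assertion was made for a different site")
	}
	if as.AuthData[32]&0x01 == 0 {
		return errors.New("user presence flag not set")
	}
	if string(as.ClientData) != fmt.Sprintf("%s|%x", rp.Origin, challenge) {
		return errors.New("origin or challenge mismatch")
	}
	cdHash := sha256.Sum256(as.ClientData)
	toSign := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, toSign[:], as.Signature) {
		return errors.New("bad signature")
	}
	count := binary.BigEndian.Uint32(as.AuthData[33:])
	if count <= rp.lastCount[user] {
		return errors.New("sign counter did not increase (replay or cloned key)")
	}
	rp.lastCount[user] = count
	return nil
}

// RunScenario enrolls grandpa's passkey at the (constructed) bank, logs in once, then
// relays the same challenge from a lookalike domain; both outcomes are returned.
func RunScenario() (loginErr error, phishErr error) {
	phone, bank := NewAuthenticator(), NewRelyingParty("bank.example")
	pub, err := phone.Register(bank.RPID)
	if err != nil {
		return err, nil
	}
	bank.Enroll("grandpa", pub)
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err, nil
	}
	as, err := phone.Assert(bank.Origin, challenge, 1)
	if err != nil {
		return err, nil
	}
	loginErr = bank.Verify("grandpa", challenge, as)
	_, phishErr = phone.Assert("https://bank-login.example", challenge, 2)
	return loginErr, phishErr
}

func main() {
	loginErr, phishErr := RunScenario()
	fmt.Println("real bank login:", loginErr) // <nil>
	fmt.Println("lookalike site:", phishErr)  // no passkey for rpId "bank-login.example"
}
```

The interesting part is that the phishing attempt fails on the phone, before anything is signed, because the lookalike domain is a different rpId; and even an assertion that was produced for some other site is thrown out by the bank's rpIdHash check before the signature is examined.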