The latest update to Google Chrome includes support for Passkeys, which are designed to provide website and app users with a passwordless sign-in experience that is both more convenient and more secure.
Passkeys are designed to simplify account registration for apps and websites, be easier to use, and work across all of your Apple devices, as well as non-Apple devices within physical proximity.
Passkeys – which will be included in iOS 16, iPadOS 16, tvOS 16, and macOS Ventura – are a standard-based technology that, unlike passwords, are resistant to phishing, are always strong, and are designed so that there are no shared secrets.
Passkeys are built on the WebAuthn standard and use a unique cryptographic key pair for each website or account. These keys are generated by the device, securely and uniquely, for every account.
One of these keys is public, and is stored on the server. This public key is not a secret. The other key is private, and is what is needed to actually sign in. The server never learns what the private key is. On Apple devices with Touch ID or Face ID available, they can be used to authorize use of the passkey, which then authenticates the user to the app or website. No shared secret is transmitted, and the server does not need to protect the public key. This makes passkeys very strong, easy to use credentials that are highly phishing-resistant. And platform vendors have worked together within the FIDO Alliance to make sure that passkey implementations are compatible cross-platform and can work on as many devices as possible.
Writing in a blog post, Google said it was adding passkey support to Chrome, which will allow users to scan a QR code on their Android or iPhone device to log in. Passkey support is also coming to Chrome on Android.
On a desktop device you can also choose to use a passkey from your nearby mobile device and, since passkeys are built on industry standards, you can use either an Android or iOS device. A passkey doesn’t leave your mobile device when signing in like this. Only a securely generated code is exchanged with the site so, unlike a password, there’s nothing that could be leaked.
Numerous other companies and apps have introduced or announced support for passkeys, including 1Password, PayPal, Microsoft, eBay, and others.