Almost everyone in the tech industry already recommends and uses password managers to create unique and hard-to-crack passwords. Still, the vast majority of people reuse too many passwords for too many services. On top of that, passwords themselves can be insecure when they are not properly protected by online services. To combat this, Google has added support for passkeys, an alternative to passwords, to Chrome 108.
According to Google, passkeys are meant to address the aforementioned shortcomings of passwords. Passkeys cannot be reused for different services, cannot be leaked as part of a server breach, and cannot be phished from unsuspecting users. Passkeys are also not exclusive to Google, making them versatile and compatible across platforms. They can be used on different operating systems and work with different browsers and a handful of password managers like 1Password, and many others have already promised to add support.
After a few months of testing, passkeys are now available in Chrome for Android, macOS, and Windows 11 on websites and apps that have implemented support for them. On Chrome, passkeys will be synchronized and stored in Google Password Manager. When you sign up for an account with a site that supports passkeys, you’ll be asked to create a passkey and then verify with your screen lock or fingerprint. Once it’s saved, you can sign in with Google Password Manager’s autofill, just as you would for any password-based service. The only difference is that you don’t have an actual password that you can print or leak.
If you want to sign in from a device where you’re not signed in, such as Chrome for desktop on someone else’s computer, you’ll still need your phone to sign in with a passkey. You must scan a QR code to authenticate yourself. In the process, the passkey itself is not transferred to the computer.
When it comes to syncing passkeys across your own devices, Google only uploads end-to-end encrypted copies of your passkeys to the password manager. To access them, you’ll need to authenticate yourself with one of your own devices, preventing Google or a bad actor at Google from ever getting hold of your passkeys. To authenticate yourself with a passkey, you must also always unlock your device’s lock screen, and brute-force attacks are prevented after a maximum of 10 failed attempts, making it nearly impossible to impersonate you. To restore access for the legitimate owner, Google has a number of recovery options in reserve that the company describes in its security blog.