SAN FRANCISCO (AP) — Good news for all the password haters out there: Google took a big step to make them an afterthought by adding “passkeys” as a simpler and more secure way to sign in to its services.
Here’s what you need to know:
WHAT ARE PASSKEYS?
Passkeys offer a more secure alternative to passwords and texted confirmation codes. Users will never see them directly; instead, an online service like Gmail will use them to communicate directly with a trusted device like your phone or computer to sign in.
All you’ll need to do is verify your identity on the device using a PIN unlock code, biometrics like your fingerprint or face scan, or a more sophisticated physical security dongle.
Google designed its passkeys to work with a variety of devices, so you can use them on iPhones, Macs, and Windows computers, as well as Google’s Android phones.
WHY ARE PASSKEYS NEEDED?
Thanks to clever hackers and human fallibility, passwords are simply too easy to steal or crack. And making them more complex only opens the door for users to defeat themselves.
For starters, many people choose passwords they can remember, and passwords that are easy to remember are also easy to hack. For years, analysis of compromised password caches found that the most commonly used password was “password123”. A more recent study from the password manager NordPass found that it is now just “password”. This is not fooling anyone.
Passwords are also often compromised in the event of security breaches. Stronger passwords are more secure, but only if you choose ones that are unique, complex, and not obvious. And once you’ve chosen “erVex411$%” as your password, good luck remembering it.
In short, passwords put security and ease of use directly at odds. Software-based password managers, which can create and store strong passwords for you, are invaluable tools that can improve security. But even password managers have a master password that you have to protect and that just lands you back in the swamp.
Besides circumventing all these problems, passkeys have one more advantage over passwords. They’re specific to certain websites, so scam sites can’t steal a passkey from a dating site and use it to loot your bank account.
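To make that last point concrete, here is a simplified sketch of a passkey sign-in, added for illustration and not taken from Google or any real service. The site name `bank.example`, the look-alike `bank-login.example` and the function names are made up, and the message layout is a cut-down version of the WebAuthn standard that passkeys are built on.

```javascript
// Added illustration, not Google's code: a simplified WebAuthn-style sign-in check.
const nodeCrypto = require("node:crypto");
const sha256 = (data) => nodeCrypto.createHash("sha256").update(data).digest();

// Constructed values: "bank.example" is a hypothetical site that registered the passkey.
const RP_ID = "bank.example";
const EXPECTED_ORIGIN = "https://bank.example";

// Device side. The browser, not the web page, fills in `origin`.
function deviceSign(privateKey, challenge, origin, rpId) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
  // authenticatorData: SHA-256(rpId) | flags (0x05 = user present + verified) | counter
  const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: nodeCrypto.sign("sha256", signed, privateKey) };
}

// Site side: every binding is checked before the signature is trusted.
function verifySignIn(publicKey, challenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong type";
  if (client.challenge !== challenge.toString("base64url")) return "wrong challenge";
  if (client.origin !== EXPECTED_ORIGIN) return "wrong origin";
  if (!a.authData.subarray(0, 32).equals(sha256(RP_ID))) return "wrong site hash";
  if ((a.authData[32] & 0x04) === 0) return "user not verified";
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify("sha256", signed, publicKey, a.signature) ? "ok" : "bad signature";
}

function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const challenge = nodeCrypto.randomBytes(32);
  const genuine = deviceSign(privateKey, challenge, EXPECTED_ORIGIN, RP_ID);
  // Forced for illustration: a real device would not offer this passkey to another
  // site at all. Here the response was produced while a look-alike page was open.
  const lookalike = deviceSign(privateKey, challenge, "https://bank-login.example", RP_ID);
  // Swapping in the genuine client data afterwards breaks the signature instead.
  const edited = { ...lookalike, clientDataJSON: genuine.clientDataJSON };
  return {
    genuine: verifySignIn(publicKey, challenge, genuine),
    lookalike: verifySignIn(publicKey, challenge, lookalike),
    edited: verifySignIn(publicKey, challenge, edited),
  };
}

console.log(demo());
```

Because the address of the page is covered by the signature, a response produced on the wrong site is rejected, and one altered afterwards no longer verifies.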
HOW DO I START USING PASSKEYS?
The first step is to enable them for your Google account. On any trusted phone or computer, open your browser and sign in to your Google account. Then visit g.co/passkeys and click the “Start using passkeys” option. That’s it! The passkey feature is now enabled for that account.
If you’re on an Apple device, you’ll first be prompted to set up the Keychain app if you’re not already using it; it securely stores passwords and now passkeys too.
The next step is to create the actual passkeys that will link your trusted device. If you’re using an Android phone that’s already signed in to your Google account, you’re almost there; Android phones are automatically ready to use passkeys, though you still need to enable the feature first.
On the same Google account page mentioned above, look for the “Create a passkey” button. Pressing it will open a window and allow you to create a passkey on your current device or another device. There is no wrong choice; the system will simply notify you if that passkey already exists.
If you’re on a PC that can’t create a passkey, it will open a QR code that you can scan with the regular cameras on iPhones and Android devices. You may need to hold your phone close until you see the message “Set passkey” on the picture. Tap it and you’re on your way.
AND THEN WHAT?
From then on, logging into Google will only require you to enter your email address. If you’ve set up your passkeys correctly, you’ll simply get a message on your phone or other device asking for your fingerprint, face, or a PIN.
Of course your password is still there. But if passkeys take off, the odds are good you won’t need it much. You may also choose to delete it from your account one day.