WhatsApp recently announced that it would allow Android device users to access their accounts using Passkeys in the coming weeks. The Meta-owned messaging platform followed Google and Apple in enabling Passkey authentication instead of traditional passwords. Google has even made Passkey its default authentication method across all its services. Here is an explainer on what Passkeys are and how to set up password-less authentication using any smartphone:
What are Passkeys
A Passkey is deemed a secure alternative to a password. Instead of using an alphanumeric password or two-step verification via SMS, Passkeys allow users to authenticate sign-in requests by using biometrics such as fingerprints and facial scans.
How to set up Google Passkey
Android devices automatically create Passkeys for you when you sign in to a Google Account. To start using Google Passkey for signing in, navigate to your Google Profile and tap on Manage your Google Account. Under the Security option, you will find sign-in methods where you can check if Passkey is active on your device. If it is disabled, click on Passkey and then select the ‘Create Passkey’ option. Google will ask you to log in to your Account using a registered method like a password or two-step verification. After you have logged in successfully, it will prompt you to add a Passkey for the device. Tap on ‘Yes’ and Google will allow you to log in using the Passkey from next time onwards.
Since Passkeys are not limited to any particular platform, you can set up Google Passkeys using an iOS device. To do so, open any Google application on your device and then follow the above procedure. It should be noted that Google Passkeys are not automatically generated for iOS devices. Therefore, you need to click on ‘Create Passkey’ in the sign-in methods section of the Security menu in Google Account settings.
Google also allows you to remove a saved Passkey from your account using the manage devices option, found under the automatically created passkeys section for Android devices and the created passkey section for iOS devices.
How to set up Apple Passkey
Apple assigned Passkeys for users to sign in without passwords with iOS 17, iPadOS 17 and macOS Sonoma. You can create and save Passkeys for supported websites and applications by signing in to your account and then navigating to account settings or the management screen of the service. When you see the option to save a Passkey for the account, tap on ‘Continue’. If you do not see the Passkey option, it means that the app or website does not support Passkey authentication.
Apple Passkeys are stored in iCloud Keychain and can be managed from the iPhone’s Settings under the Password section.
How does Passkey work
Unlike passwords, which are stored on a website’s or application’s server, a Passkey is encrypted and stored in two parts – the public key is stored on the server of the website the user is signing in to, while the private key remains encrypted within the user's device.
Whenever there is a sign-in attempt, the website cross-checks whether the private key matches the public key stored on its server. The private key includes information related to the user's fingerprints, facial scan, and PIN. To authenticate, the user simply needs to unlock the device using the method they have opted for. After signing in, the private key remains encrypted on the user's device and the website’s server is not allowed to remember it.
For signing in on multiple devices, Passkeys can be synced manually or can even be stored on security keys. For example, Apple allows Passkeys to be synced with iCloud Keychain, which is available across its ecosystem of devices. This eliminates the need to re-enroll every device on every account.
Why Passkeys over Passwords
Passkeys allow faster and more secure authentication, as the user is not required to remember or type anything. A Passkey does not contain any alphanumeric characters, making every Passkey unique and never guessable. Since Passkeys are stored in two parts in separate locations, they are impenetrable by fraudulent websites.