Soon, Android users will be able to log into any website or application using just an Android device. Passwordless authentication is the future, according to major technology companies such as Apple, Google or Microsoft.
Authentication on the Internet and on local devices relies heavily on passwords. Some devices support other forms of authentication. On Android, users can log in using biometrics, including fingerprints, or using a PIN.
Not all devices support all forms of authentication. When it comes to websites and services, most require passwords to log in.
This requirement may soon be a thing of the past, as Google has just announced the introduction of passkey support on Android and in Chrome. Major tech companies including Apple, Google and Microsoft have pledged to support the standard. Apple device and Windows PC users will also be able to use the new form of authentication in the future.
Passkeys: a replacement for passwords
To better understand passkeys, it is important to understand how logins currently work on the Internet and on devices.
When a user creates an account on the Internet or in an application, a password must be set. This password may be subject to certain restrictions, such as a minimum length or required characters, but the choice is largely up to the user.
Some users use password managers to create secure, unique passwords, but many don’t. Password reuse and the use of weak passwords are a huge problem on the Internet. Malicious actors can exploit these weaknesses to take control of accounts, for example through phishing or brute force attacks.
Passwordless authentication systems promise a more secure alternative. Passkeys, which Google introduced this week on Android and in Chrome, are a passwordless authentication system.
Passkeys are built on industry standards. They are operating system independent and work across apps and websites just like passwords.
It is important to realize that Passkeys have several advantages over traditional passwords:
- Each Passkey is valid for a single application or website.
- Server breaches do not disclose passkeys, as important information is only available on the user’s device.
- Phishing attacks, at least in their common form, no longer work because users don’t need to enter a password when authenticating.
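The three properties above follow from the public-key challenge-response design that passkeys are built on. The sketch below is an added example, not code from the article or from Google: it is a simplified model rather than the real WebAuthn message format, and the `Device` and `Site` classes, the `demo` function, the user name and the `shop.example` origins are all made up for illustration.

```javascript
// Simplified model of passkey sign-in (constructed; not the real WebAuthn wire format).
const crypto = require('node:crypto');

// Bind every signature to the site: SHA-256(origin) followed by the server's challenge.
const payload = (origin, challenge) =>
  Buffer.concat([crypto.createHash('sha256').update(origin).digest(), challenge]);

// Authenticator on the user's device: one key pair per site, private keys never leave it.
class Device {
  constructor() { this.keys = new Map(); } // origin -> private key
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey; // only the public half is sent to the site
  }
  sign(origin, challenge) {
    const key = this.keys.get(origin); // looked up by the origin the browser actually sees
    return key ? crypto.sign('sha256', payload(origin, challenge), key) : null;
  }
}

// Relying party (the website): stores public keys only, so a breach leaks no login secret.
class Site {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Map(); }
  enroll(user, publicKey) { this.users.set(user, publicKey); }
  newChallenge(user) { const c = crypto.randomBytes(32); this.pending.set(user, c); return c; }
  verify(user, signature) {
    const c = this.pending.get(user);
    this.pending.delete(user); // each challenge is single use
    const pub = this.users.get(user);
    if (!c || !pub || !signature) return false;
    return crypto.verify('sha256', payload(this.origin, c), pub, signature);
  }
}

function demo() {
  const device = new Device();
  const site = new Site('https://shop.example');
  site.enroll('alice', device.register(site.origin));
  const genuine = site.verify('alice', device.sign(site.origin, site.newChallenge('alice')));
  // A look-alike page relays a fresh challenge, but the device has no key for that origin.
  const phished = site.verify('alice', device.sign('https://sh0p.example', site.newChallenge('alice')));
  // A signature captured from an earlier login does not match a new challenge.
  const old = device.sign(site.origin, site.newChallenge('alice'));
  site.verify('alice', old);
  site.newChallenge('alice');
  const replayed = site.verify('alice', old);
  const storesOnlyPublic = [...site.users.values()].every((k) => k.type === 'public');
  return { genuine, phished, replayed, storesOnlyPublic };
}
```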
Login workflows don’t change much with Passkeys, which is another plus.
One of the downsides of using Passkeys is the requirement for an Android device. Without the Android device, it is no longer possible to authenticate and log into sites and applications. Some sites may provide workarounds for this, but not all of them may do so in the future.
Sites and apps must add passkey support before the option is available.
The login process with Passkeys
Creating an account using a passkey is a simple and straightforward process. All it takes is selecting one of the available accounts on Android and verifying using one of the supported authentication options, such as a passcode, PIN or fingerprint.
You no longer have to select a password, which was often a frustrating experience.
Logging in to sites requires the same two steps. Select the account for which the passkey was created in the first step, then authenticate using one of the available authentication methods.
Passkeys work in different operating system environments. Windows, macOS, iOS, Android, and ChromeOS support the authentication method, or will support it in the future.
Google notes that Android users can also use their device’s passkey feature on their desktop, laptop, and tablet; this requires scanning QR codes, which are displayed by programs that support the authentication feature.
A passkey on a phone can also be used to log in on a nearby device. For example, an Android user can now log in to a passkey-enabled website using Safari on a Mac. Similarly, passkey support in Chrome means that a Chrome user, for example on Windows, can do the same using a passkey stored on their iOS device.