Introduction
Passkeys are a safer and easier alternative to passwords. With passkeys, users can sign in to apps and websites with a biometric sensor (such as a fingerprint or facial recognition), PIN, or pattern, freeing them from having to remember and manage passwords.
Developers and users both hate passwords: they give a poor user experience, they add conversion friction, and they create security liability for both users and developers. Google Password Manager in Android and Chrome reduces the friction through autofill; for developers looking for even further improvements in conversion and security, passkeys and identity federation are the industry's modern approaches.
Passkeys deliver robust protection against phishing attacks and can eliminate the need to prompt for SMS or app-based one-time passcodes at sign-in. Since passkeys are standardized, a single implementation enables a passwordless experience across all of a user's devices, across different browsers and operating systems.
Passkeys are easier
Users can select an account to sign in with. Typing the username is not required.
Users can authenticate using the device's screen lock, such as a fingerprint sensor, facial recognition or PIN.
Once a passkey is created and registered, the user can seamlessly switch to a new device and immediately use it without needing to re-enroll (unlike traditional biometric auth, which requires setup on each device).
Passkeys are safer
Passkeys protect users from phishing attacks. Passkeys work only on their registered websites and apps; a user cannot be tricked into authenticating on a deceptive site because the browser or OS handles verification.
Developers only save a public key to the server instead of a password, meaning there's far less value for a bad actor to hack into servers, and far less cleanup to do in the event of a breach.
Passkeys reduce costs by avoiding the need to send SMS, making them a safer and more cost-effective means for authentication.
What are passkeys?
A passkey is a digital credential, tied to a user account and a website or application. Passkeys allow users to authenticate without having to enter a username or password, or provide any additional authentication factor. This technology aims to replace legacy authentication mechanisms such as passwords.
When a user wants to sign in to a service that uses passkeys, their browser or operating system will help them select and use the right passkey. The experience is similar to how saved passwords work today. To make sure only the rightful owner can use a passkey, the system will ask them to unlock their device. This may be performed with a biometric sensor (such as a fingerprint or facial recognition), PIN, or pattern.
How do passkeys work?
Passkeys are securely encrypted on-device before being synced, and are decrypted again only on the user's new devices. Passkeys can be stored in password managers like Google Password Manager, which synchronizes passkeys between the user's Android devices and Chrome browsers that are signed into the same Google account. Users with Android 14 or later can also opt to store their passkeys in a compatible third-party password manager.
Users aren't restricted to using the passkeys only on the device where they're available—passkeys available on phones can be used when logging into a laptop, even if the passkey isn't synchronized to the laptop, as long as the phone is near the laptop and the user approves the sign-in on the phone. As passkeys are built on FIDO standards, all browsers can adopt them.
Privacy benefits
Important: Passkeys have been designed with user privacy in mind. Several concerns that end users may raise are listed below; to address them, add a short explanation to the UI (e.g. "With passkeys, the user's biometric information is never revealed to the website or the app. Biometric material never leaves the user's personal device") and create an FAQ or support article explaining more.
Signing in with biometrics might give users the false impression that sensitive information is being sent to the server. In reality, biometric material never leaves the user's personal device.
Passkeys on their own don't allow tracking users or devices between sites. The same passkey is never used with more than one site. Passkey protocols are carefully designed so that no information shared with sites can be used as a tracking vector.
Security Benefits
Because passkeys are bound to a website or app's identity, they're resistant to phishing attacks. The browser and operating system ensure that a passkey can only be used with the website or app that created it. This frees users from being responsible for checking that they are signing in to the genuine website or app.
Implementing Passkeys
Ready to get started? You can implement passkeys on Android, Web, and iOS using our implementation guides below.