Breakthrough for passkeys? Google synchronizes keys automatically

Google now automatically transfers passkeys between Android, Windows and macOS in the background. The only requirement is Chrome.

Same fingerprint on token, laptop and smartphone

(Image: iX)


Anyone who creates a passkey on Android will in future be able to use it automatically with their Windows or macOS computer – provided that Chrome is also used as a web browser along with the built-in Google Password Manager (GPM). Without any official announcement, Google has introduced this function, which promises to make life with passwordless and secure authentication much easier for many regular users.

Passkeys are an extension of the FIDO2 standard designed to make it easy to use. With this manufacturer-independent technology, users no longer have to remember a user name and password, unlike with the previously common login. Instead, they authenticate themselves using a token, a smartphone or a PC or Mac with a security module. The whole thing works using asymmetric cryptography with a private crypto key as a secret, which should always remain in the user's possession and is not transmitted to the web service when logging in. To log in, the service, for example Gmail, sends a task (challenge) to the device, which then sends the generated signature back to the service.
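The challenge and signature exchange described above, as an added example that is not part of the original article: a simplified Node.js model showing that the service holds only the public key and accepts each challenge once. The function names are hypothetical, and real WebAuthn signs additional data (authenticator data and client data) rather than the bare challenge.

```javascript
// Simplified model of the passkey challenge/signature exchange (added example).
// Assumption: the signature covers only the raw challenge; real WebAuthn signs
// authenticator data plus a hash of the client data. All names are hypothetical.
const crypto = require('crypto');

// Device side: the private key is created here and never leaves this closure.
function createAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', {
    namedCurve: 'P-256',
  });
  return {
    publicKey, // handed to the service once, at registration
    sign: (challenge) => crypto.sign('sha256', challenge, privateKey),
  };
}

// Service side: stores only the public key and the challenges it has issued.
function createService(publicKey) {
  const pending = new Set();
  return {
    issueChallenge() {
      const challenge = crypto.randomBytes(32);
      pending.add(challenge.toString('hex'));
      return challenge;
    },
    verifyLogin(challenge, signature) {
      // A challenge is consumed on first use, so a captured response cannot be replayed.
      if (!pending.delete(challenge.toString('hex'))) return false;
      return crypto.verify('sha256', challenge, publicKey, signature);
    },
  };
}

function demo() {
  const device = createAuthenticator();
  const service = createService(device.publicKey);
  const c1 = service.issueChallenge();
  const sig = device.sign(c1);
  const firstLogin = service.verifyLogin(c1, sig); // fresh challenge, right key
  const replayed = service.verifyLogin(c1, sig); // same response sent again
  const c2 = service.issueChallenge();
  const wrongKey = service.verifyLogin(c2, createAuthenticator().sign(c2));
  return { firstLogin, replayed, wrongKey };
}

console.log(demo());
```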

However, if users want to use their passkeys on multiple devices, they have to synchronize the keys – via the cloud, for example. Until now, the most convenient way to do this was via password managers, which had to be set up separately. Alternatively, users could use their smartphone as an authenticator, but had to scan a QR code and have Bluetooth activated on both devices. With this method, all passkeys remain locally on the smartphone.

Accordingly, observers such as Corbado are hoping that Google's move will be nothing less than a "passkey revolution", primarily due to the dominance of Android and Google Chrome. If users have already generated a passkey on their smartphone when prompted and use it, it is automatically available to them on their PC or Mac without any further action. As passwordless login is subsequently simpler and faster, it should now catch on even faster, or at least that is the expectation.

However, there are several restrictions: Firstly, automatic synchronization only works if the key is generated on an Android device. Google does not (yet) provide for the path from Windows or macOS to the other systems. Furthermore, iOS is completely missing; passkeys generated on Android cannot be synchronized with the iPhone via Google's Password Manager. And, of course, there is no support for Firefox or Safari.

A look at the technology shows how Google transfers the passkeys. This is not done directly between the devices, but via Google's servers. However, to prevent Google or attackers from gaining possession of the private keys, the synchronization service wraps them and stores them temporarily in the server's memory. An appropriate security module is required on the PC or Mac to unpack them again on the receiving end. A brief technical description of the service can be found here. Google also plans to publish the source code of the software in the future.

Apple users, who can synchronize their passkeys between iPhones, iPads and Macs via iCloud Keychain, have had a similarly convenient experience to date. Support outside of Apple's own platforms is still lacking, but this could soon change with the new Passwords app in iOS 18, as it will also be released for Windows at least. Microsoft has so far kept a low profile regarding its plans to synchronize passkeys.

Google only announced its switch to Passkeys in mid-2023, but Gmail got serious just a few months later and asked users to set up passwordless authentication by default. Overall, the use of passkeys has increased significantly in recent years, particularly in the e-commerce sector and for Adobe tools and GitHub.

(fo)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.