
Calvin Wankhede / Android Authority
I have a 22-character long password that’s a random mix of letters, numbers, and special characters. But entering this password on a brand new device has become a chore. Add a two-factor authentication prompt via an authenticator app or SMS, and the login process can become frustratingly long. This is admittedly only a minor inconvenience in the grand scheme of things, but it’s not elegant at all.
I’m also in the minority — most people don’t use a password manager and reuse the same login information everywhere. Luckily, it turns out that there’s a solution to the friction of maintaining long yet secure passwords: passkeys.
Passkeys eliminate the need to type in your passwords while simultaneously improving the security of your online accounts. This may sound too good to be true, but after accidentally enabling the feature on my Google account, I’m never going back to using a password again.
Passkeys are shockingly simple…and convenient!

In the simplest possible terms, a passkey is meant to act as a complete replacement for passwords, allowing you to log into your account with a digital key saved on your device. This key can be synced across all of your devices, and is typically locked behind your biometrics. With all of us carrying around a smartphone, the transition to passkeys is more realistic than ever.
Now, this kind of surface-level explanation does not fully convey just how useful and secure passkeys really are. That’s exactly why I ignored Google’s prompts to secure my account with a passkey for so many months. I didn’t think passkeys would be more convenient than the password autofill I already have at my disposal.
A passkey is a digital key that can completely replace your password for logging in.
To truly understand the advantages of passkeys then, it helps to see how a passkey login actually works compared to the traditional password approach. Let’s take a Google account, for example.
With passkeys, the first step remains the same: you enter your account username and hit Next. But instead of prompting for your password, the website will request a passkey instead. In the above screenshot from my desktop, Chrome’s built-in password manager didn’t have a saved passkey so it asked if I would like to use a different device.
Since I know that a passkey for my Google account lives on my Android phone, I selected the first option to log in with an external device. This brings up a QR code that I can then scan using my phone’s camera and accept the login request. And with just a couple more taps and my fingerprint for authentication, I’m in. My computer and phone communicate over Bluetooth to transfer the passkey data, so my phone doesn’t need an internet connection for this process to work.
I don’t need to approve the login with another two-factor authentication prompt because the login process inherently includes multiple security factors. When you authenticate with your fingerprint, face scan, or device PIN to use the passkey stored securely on your phone, you’re combining something you have (the device with the key) with something you are (your biometric) or something you know (your PIN).
Of course, my password manager’s autofill function means that I almost never need to type in my passwords. But I can’t use autofill when setting up a new Android phone or logging into a Chromebook that occasionally asks for my password. Passkeys are perfect here because I can log in from a different device, like my tablet.
On devices I use daily, passkeys are even more convenient because I store them in my password manager. This means I don’t have to reach for my phone if I’m using my computer. My password manager pops up and offers to log me in with the saved passkey — as pictured below, it’s nearly the same process as autofill for a password. The fact that I don’t have to fill in my password plus a six-digit authentication code is another welcome bonus.

Most websites still retain the ability to log in via a password, but in the coming years, you can expect passkeys to become the default. And eventually, we may not even have individual account passwords to worry about as companies drop their usage altogether.
Passkeys are more secure
Passkeys are a big convenience win, but more importantly, they’re a massive step forward in terms of guaranteeing online security. Passkeys are stored securely within an encrypted vault on your device and cannot be stolen by malware. And unlike memorable passwords, an attacker also cannot just guess their way into your account through brute force attempts.
A passkey is cryptographically unique to each domain, meaning you can never accidentally reuse the digital key on a different website or app. Even if a service’s servers were to be compromised or hacked tomorrow, an attacker cannot use your account’s passkey data from that breach to log in elsewhere. In other words, you’re safe from the notorious act of password selling on the dark web.
Passkeys protect you from phishing, credential theft, and a host of other attack vectors.
This domain-specific nature of passkeys is a crucial security feature, especially when talking about phishing. With passwords, attackers can set up fake login pages that look identical to the real ones — with a convincing domain like G0ogle.com. Most people would type their username and password, maybe even the account’s 2FA code, and hand their credentials directly over.
On the other hand, the passkey authentication process is tied to the actual website’s domain. Your device or browser will only offer to use your passkey if you are on the correct, verified site. If you land on a fake site — even one that looks perfectly legitimate to your eyes — your device won’t complete the passkey handshake.
Finally, I’ll stress that passkeys aren’t some untested new technology — the underlying public key authentication scheme has been around for decades. We use the same fundamental cryptographic principles while accessing HTTPS websites and I use it while connecting to my web server over SSH. The only new aspect of passkeys is the seamless communication between your browser or phone and the website you’re trying to log into.
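The domain binding and public key scheme described above, as an added example that is not from the original article: a simplified model of a passkey login in which the authenticator keeps one key pair per domain and the website checks the challenge, origin and signature. The domains, class and function names are constructed for illustration, and real WebAuthn messages carry more fields (flags, counters) than shown here.

```javascript
// Added example: simplified passkey (WebAuthn-style) login. All names and domains are constructed.
const { createHash, generateKeyPairSync, randomBytes, sign, verify } = require("node:crypto");

const sha256 = (data) => createHash("sha256").update(data).digest();

// Authenticator: one key pair per relying-party ID (domain); private keys never leave it.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } = generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(rpId, privateKey);
    return publicKey; // the only thing the website stores
  }
  // The browser supplies the origin it actually loaded; the page cannot override it.
  assert(origin, challenge) {
    const rpId = new URL(origin).hostname; // simplification: RP ID equals the hostname
    const privateKey = this.keys.get(rpId);
    if (!privateKey) return null; // no passkey for this domain, nothing to offer
    const clientData = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }));
    const authData = sha256(rpId); // real authenticator data also carries flags and a counter
    const signature = sign("sha256", Buffer.concat([authData, sha256(clientData)]), privateKey);
    return { clientData, authData, signature };
  }
}

// Website-side checks on a login response.
function verifyLogin(rp, publicKey, expectedChallenge, assertion) {
  if (!assertion) return "no-credential";
  const client = JSON.parse(assertion.clientData.toString());
  if (client.challenge !== expectedChallenge) return "bad-challenge";
  if (client.origin !== rp.origin) return "bad-origin";
  if (!assertion.authData.equals(sha256(rp.id))) return "bad-rp-id";
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientData)]);
  return verify("sha256", signed, publicKey, assertion.signature) ? "ok" : "bad-signature";
}

function demo() {
  const rp = { id: "example.com", origin: "https://example.com" };
  const phone = new Authenticator();
  const storedPublicKey = phone.register(rp.id);
  const challenge = randomBytes(16).toString("hex");
  const genuine = verifyLogin(rp, storedPublicKey, challenge, phone.assert(rp.origin, challenge));
  // Lookalike page: the hostname differs, so the authenticator finds no matching key.
  const lookalike = verifyLogin(rp, storedPublicKey, challenge, phone.assert("https://examp1e.com", challenge));
  // A response signed for an old challenge is rejected when the site expects a fresh one.
  const fresh = randomBytes(16).toString("hex");
  const replay = verifyLogin(rp, storedPublicKey, fresh, phone.assert(rp.origin, challenge));
  return { genuine, lookalike, replay };
}
```

Calling `demo()` returns the outcome of the genuine login, the lookalike-domain attempt and the replayed response.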
Why aren’t passkeys more popular?

Tech giants like Google, Apple, and Microsoft have been trying to boost passkey adoption for nearly two years now, but early implementations were nothing short of a disaster. For the technology to work as intended, your choice of browser and operating system both need to support it. And if you use a password manager like I do, that needs to be on board too. As an example, Bitwarden added passkey support on desktop months before the feature landed on mobile. And cross-platform passkey sync was only added to Google Password Manager in late 2024.
History aside, however, passkey support has finally matured to the point that I can wholeheartedly recommend it on any and every platform.
As I said earlier, most password managers have now gained support for cross-platform passkey sync, meaning you only need to create a passkey for each account once. Even if you use Google Password Manager, it will sync your passkeys across the Chrome browser on all desktop platforms and Android. In fact, Google has already started creating passkeys for accounts logged into an Android phone. If you go into your Google account’s security settings, you may see your phone already listed as a passkey provider.
How do I enable and use passkeys?

Passkey support is now baked into all major operating systems and browsers, so you don’t need any special hardware or software to get started. And while not all websites support it yet, the list is slowly growing. Looking at my inbox, I have received mails to enable passkeys from Cathay Pacific, PlayStation, and PayPal. A full list of passkey-supported websites is maintained at passkeys.directory.
Passkeys can be synced between devices but I’ve found that ecosystem restrictions still apply. For example, passkeys stored in Apple Keychain cannot be transferred to Android. So if you use different platforms, I highly recommend using a password manager like Bitwarden, 1Password, or Proton Pass. All of these will sync your passkeys across your devices, even if you, say, switch between a Mac and an Android phone.
A password manager helps you sync passkeys across devices, without locking you into an ecosystem.
Assuming the website supports passkeys, you’ll find the process of enabling it is the same as setting a new password — typically an option within your account’s security settings. Once you accept the prompt, the website hands off the passkey creation process to your browser or operating system.
With Bitwarden installed on my devices, it typically pops up to ask if I’d like to save new passkeys (pictured above). Saved keys are then automatically synced with the rest of my devices. The whole process only takes a few seconds and requires no typing.
Using the passkey for future logins is even simpler: the site will automatically request the associated passkey. Your device will then pop up a prompt asking you to confirm the login using your fingerprint, face, or PIN. You can even use a different device as long as it has a camera and Bluetooth connection. A quick scan or tap, and you’re instantly logged in without a password or separate 2FA code. It genuinely transforms the login from a frustrating multi-step process into a single, quick authentication action.
While the messaging around passkeys has been rather disjointed and confusing so far, I’m now convinced that they’re the future of online security. I believe Google, Apple, and Microsoft should improve their marketing efforts to promote this feature because it will save countless people from losing their accounts to credential theft and other common attack vectors.