The problem with Passkeys

[Image: Android figures. Image credit: Jerry Hildenbrand / Android Central]

Google and other companies have been working with the FIDO Alliance to change how online security works using a concept they are calling the Passkey. It's a great idea with a few flaws that mean it's not really something Google should be pushing out to everyone.

Passkeys work using two critical elements: special hardware already inside most of the best Android phones, and cryptographic software that meets the specifications for what's called a FIDO credential.

When you set up your phone, a unique key will be created and stored in your phone's secure enclave. This key will be used, following the FIDO standards, to create a set of credentials that can be passed along to any device that's in communication with your phone, or to any software that's running on that device, like the web browser or an app.

After everything is set up, all you need to do is unlock your phone to provide these secure credentials.

[Image: Setting up a USB Security Key. Image credit: Google]

You're not supplying any information that can be used to identify you but every set of credentials is still unique. The only online component is a backup key stored in the cloud to help you recover your accounts. 

In simple terms, this means that your phone will store a key. When you want to access an online account that works with passkeys, you unlock your phone and the key proves that you are really you. 
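As an added illustration of the mechanism described above (this is not code from the article, from Google or from the FIDO Alliance), here is a Go sketch of the registration and login exchange: the authenticator keeps one private key per site, the site stores only the public key, and a phone unlock proves possession of the key by signing a fresh challenge. The names (Authenticator, Register, Assert, NewChallenge, VerifyLogin) are my own, and the data that gets signed is simplified from what WebAuthn actually signs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models the phone's secure hardware: one key pair per site; private keys never leave it.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Register mints a fresh credential for rpID; the site receives only the public key.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	if a.keys == nil {
		a.keys = map[string]*ecdsa.PrivateKey{}
	}
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // error only if the RNG fails
	a.keys[rpID] = priv
	return &priv.PublicKey
}

// Assert is what unlocking the phone does: sign the challenge only if a credential for exactly this site exists.
func (a *Authenticator) Assert(rpID string, challenge []byte) ([]byte, bool) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, false
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
	return sig, err == nil
}

// signedData binds the challenge to the site (simplified from WebAuthn's authenticatorData || SHA-256(clientDataJSON)).
func signedData(rpID string, challenge []byte) []byte {
	d := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return d[:]
}

// NewChallenge is the site's fresh randomness, so a captured signature cannot be replayed.
func NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand; error ignored only for brevity
	return c
}

// VerifyLogin is the site's check; it stores only public keys, so it holds no reusable login secret.
func VerifyLogin(rpID string, pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(rpID, challenge), sig)
}
```

Because each site gets its own key pair, two sites cannot link the same phone, and a signature captured at one site verifies nowhere else.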

I like this future where passwords and usernames don't really exist. I don't like it as much as Apple and Google do, who know that you almost have to have a compliant phone to use it and that there are only two real choices there — iOS and Android — but I think it's a step in the right direction.

Having said that, I don't recommend you jump in and turn it on as soon as you see a prompt or get an email from Google. It's just not completely ready.

[Image: Passkey generation. Image credit: Google]

The onboarding process itself is a bit half-baked. Some of my colleagues here at Android Central have semi-successfully waded through it. After fiddling with a QR code displayed on a phone that we were asked to scan with the same phone, URLs that are broken and don't actually do anything when you tap on them, and being told that the USB security key needed to be inserted even though one was never set up, we all came to the same conclusion — this is not ready for prime time.

That doesn't mean it can't be or won't be ready in the future. We've seen this from Google before — rush a feature out the door that still needs plenty of polish before you give it to billions of users — and we've seen Google quickly turn it around and make it work as intended. It means right now, setting up your account with a Passkey might be a really poor experience.

That's not the real problem though, at least in my opinion. My issue is that it's tied to a physical device you must have on hand if you want to use an online service.

That device doesn't have to be a phone. You can also use a physical security key, a wearable, or anything with the correct hardware and software support to act as an authenticator. And that works well — I use a FIDO-compliant USB key as a two-factor authentication method to access my accounts. I also know that I have an easy backup solution for the times when I don't have my key, like today when I'm not at home in my own office. Google Authenticator or even SMS can be a lifesaver.

[Image: Google FIDO authentication. Image credit: Google]

Most people are going to use their phone as a passkey, though. You already have it, you spent a lot of money on it, and the company you bought it from told you how secure everything about it is. Besides, Google makes it easy to use your phone because it wants you to be even more reliant on your phone. 

Ask yourself, though, might you ever lose your phone? That's where things aren't as easy.

Theoretically, all you need to do to re-enable your secure key is sign into your Google account with a new phone. Even the "passwordless future" will still need a password, I guess. While I haven't been able to test this, I will say it probably works as intended because it's the least complex part of the system — keep a backup of the important, but useless on its own, part in the cloud to retrieve if you ever need it.

Hopefully, you aren't locked out of your Google account and can remember the actual password you were told you no longer need, and you have a way to get an SMS from Google or sign in to an authenticator app. All without your phone in your hands. Lord help you if your phone was stolen and someone hosed your account by trying to get into it too many times. 

These are real issues that we hear about every day. It's already horrible to not be able to help someone get back into their account where years of photos are stored. Having their logins for things from Netflix to their bank inaccessible while everything gets sorted out is a nightmare.

Soon enough we'll all be using passkeys because we will have no choice. Before that happens I sure hope someone is thinking about making the system more user-friendly.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

  • java007
    And definitely don't jump onboard yet if you are using a Linux desktop. Found out the hard way, but was able to recover and turn off the passkey requirement.