Setting Up Passkeys On 3rd Party Sites

Submitted by Nkosi on Wed, 25/06/2025 - 15:54

Preface

This article explores using passkeys as the primary method of logging into websites and apps. Your primary Google Account will be used to store the passkeys (similar to how passwords are already stored in your Google Account). In this article, "third-party sites" refers to sites other than Google where passkeys can be used and potentially stored on your Google Account. Windows Hello (on-device) passkeys are mentioned but not extensively explored.

 

Part A: Understanding Passkeys

What is a passkey?

A passkey is a credential that is used to log in to an app or website. Currently, they are an easier and safer alternative to password login. 

 

How Do Passkeys Work for You?

When you create a passkey, your phone or computer remembers how to prove you are you. The next time you log in, you simply use the device's lockscreen method to sign in (PIN/fingerprint). The website or app then checks your identity securely.

 

Example use cases for passkeys

  • Log in to your Google Account on your PC using just your Windows Hello PIN (on-device passkey, Windows Hello)

  • Sign in on a laptop by scanning a QR code with your phone (mobile-linked passkey)

  • Log in to a site (e.g. GitHub) using your device's lockscreen password (account-linked passkey)

 

Why Are Passkeys Better Than Passwords?

  • Passkeys cannot be guessed or phished
  • They are unique to each account
  • You sign in using your device's lockscreen method (instead of remembering passwords)
  • The private part (private key) stays on your device (unlike a password, which has to be stored on a server and has the possibility of being leaked)
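
How these points play out in a sign-in, as an added example (not part of the original article, and not GitHub's or Google's code): a simplified Node.js model in which the site stores only a public key and the device signs a one-time challenge together with the page's origin. The function names and the look-alike host name are assumptions made for the illustration, and real WebAuthn messages carry more fields than shown here.

```javascript
// Added example: simplified model of a passkey (WebAuthn) sign-in.
const { createHash, generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');
const sha256 = (data) => createHash('sha256').update(data).digest();

// Registration: the key pair is made on the device; the site stores only the public key.
function createPasskey(rpId) {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { rpId, privateKey }, serverRecord: { rpId, publicKey } };
}

// Device + browser: the browser fills in the page's real origin and only offers a
// passkey whose site (rpId) matches that origin's host.
function signIn(device, challenge, origin) {
  const host = new URL(origin).hostname;
  if (host !== device.rpId && !host.endsWith('.' + device.rpId)) return null;
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // authenticatorData: SHA-256(rpId) || flags (user present + verified) || counter
  const authData = Buffer.concat([sha256(device.rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signature = sign('sha256', Buffer.concat([authData, sha256(clientDataJSON)]), device.privateKey);
  return { clientDataJSON, authData, signature };
}

// Website: checks the challenge it issued, the origin, the rpId hash and the signature.
function verifyAssertion(serverRecord, expected, assertion) {
  if (!assertion) return 'no passkey offered';
  const client = JSON.parse(assertion.clientDataJSON.toString());
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== expected.origin) return 'origin mismatch';
  if (!assertion.authData.subarray(0, 32).equals(sha256(serverRecord.rpId))) return 'rpId mismatch';
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientDataJSON)]);
  return verify('sha256', signed, serverRecord.publicKey, assertion.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const { device, serverRecord } = createPasskey('github.com');
  const challenge = randomBytes(32);
  const expected = { challenge, origin: 'https://github.com' };
  const good = signIn(device, challenge, 'https://github.com');
  return {
    legit: verifyAssertion(serverRecord, expected, good),
    // Look-alike page (constructed name): the browser finds no passkey for that host.
    lookAlike: verifyAssertion(serverRecord, expected, signIn(device, challenge, 'https://github.com.login.example')),
    // Old response sent again: the site has issued a fresh challenge since.
    replayed: verifyAssertion(serverRecord, { ...expected, challenge: randomBytes(32) }, good),
  };
}

console.log(demo());
```

Nothing the site stores (the public key) and nothing sent during sign-in (a signature over a one-time challenge) can be reused to log in later, which is why a server-side leak or a look-alike page does not yield a usable credential.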

 

Does my passkey replace my password?

Not currently, but eventually it will. Many services still require passwords as a fallback. Where available, always prefer passkeys, as they are more secure.

 

Types of passkeys:

Passkeys themselves offer multiple ways to log in, and each account provider may use one or the other. The types of passkey login available:

  • On-device (Windows Hello)

  • Account-linked and mobile-linked (Google account or Apple iCloud account, QR code scanning using mobile phone)

  • Hardware keys (YubiKey)

 

Part B: Securing your Google Account

Before using passkeys on 3rd-party sites, we first need to secure your primary Google account. This will be done by setting up a passkey and 2-factor authentication.

 

1. Passkey setup on your Google Account

Creating a Passkey (Chrome on Linux, Other Chromium browsers on Linux)

1. Navigate to the Manage Google Account section in your account.

2. Navigate to myaccount.google.com → Security → Passkeys and Security Devices

3. Click “Create Passkey”; a pop-up saying "A passkey can’t be created on this device" appears

4. Click "Use another device"; a pop-up should offer passkey sign-up using either a QR code or a Security Key

5. Turn on Bluetooth on both the laptop and the Android phone

6. Use the Android phone's QR code scanner to scan the QR code

7. Click "Open link" when prompted on the phone

8. Click "Connect account" on the phone

9. That Google account will now be added to that Android phone

10. The passkey is saved to your phone, synced across devices with this account and visible in your Google security settings

(This means you will be able to log in to your Google account using your phone, since this passkey is saved on your phone.)

 

Creating a Passkey (Chromium-based browsers on Windows, aka creating a Windows Hello Passkey)

1. Navigate to the Manage Google Account section in your account.

2. Navigate to myaccount.google.com → Security → Passkeys and Security Devices

3. Click “Create Passkey”

4. Click on "Create" in the pop-up menu

5. Enter your method of login to your device (Facial recognition/PIN/Fingerprint)

6. Your passkey is created

(This means you will be able to log in using your lockscreen method on your Windows machine. This passkey is saved on the Windows device, and may be used to sign in to your Google Account on other Chromium-based browsers.)

 

2. Adding 2 Factor Authentication To Your Google Account

1. Navigate to the Manage Google Account section in your account.

2. Navigate to Security

3. Under "How you sign in to Google", select Turn on 2-Step Verification

4. Choose a second authentication method:

         a. Google Prompt (recommended: tap "Yes" on trusted devices).

         b. Authenticator app (e.g. Google Authenticator)

         c. SMS codes (less secure; avoid if possible)

5. Generate backup codes and store them securely.

 

Part C: Setting Up Passkeys On Other Sites

This section explores setting up a passkey on other sites and saving it to your Google Account. It follows a practical example using github.com.

 

A. Creating a passkey on a 3rd party site (GitHub on Chrome)

1. Head over to https://github.com/settings/security

2. Click "Add a passkey"

3. Click "Add passkey" on the next page

4. Select your preferred passkey type

  • Google account: this creates a passkey on your Google Account (it is synced across your devices with this Google Account)
  • Or Windows Hello (if accessing from a Windows laptop): this creates an on-device passkey linked to that particular PC

5. Your passkey is created

 

B. Logging in using a passkey (GitHub on Chrome, use when you are logged in to your Google Account and have created a GitHub passkey)

1. Go to the site https://github.com/login

2. Click on "Continue with passkey"

3. Choose your passkey saved on Google Password Manager, and click "Continue" (If you're having trouble, see scenario 1 in the Overview of Google Password Manager)

4. Enter your Google Password Manager PIN

5. Your login is successful

 

C. Logging in using a passkey (Other browsers)

1. Go to the site https://github.com/login

2. Turn on Bluetooth on both the phone and the laptop

3. Choose the passkey sign-in

4. A pop-up should display either a passkey sign-in using a QR code or a Security Key (If you're having trouble, see scenario 2 in the Overview of Google Password Manager)

5. Use your Android phone to scan the QR code

6. Click "Open link" on the phone

7. Click "Connect devices" on the phone

8. Select the GitHub account from your phone that you want to sign in on your laptop

9. Enter your Android phone's lockscreen method (Fingerprint/Pattern/PIN)

10. Your Chrome browser on your laptop should now be signed in

11. You can choose your preferred method for future logins, so that subsequent logins default to prompting you for it

 

D. Logging in using a passkey (GitHub mobile app on Android)

1. Download the GitHub mobile app

2. Choose passkey as the login method

3. It will open a login site using Chrome

4. Choose your GitHub passkey

5. Enter your phone's lockscreen method (Fingerprint/PIN)

6. Your sign-in is complete

 

E. Logging in using a passkey using Windows Hello (Supported browsers on Windows)

1. Go to the site https://github.com/login

2. Click on "Sign in with a passkey"; a pop-up with the available passkey sign-in methods will appear

3. On the pop-up, click your Windows Hello passkey (click "Use a different passkey" if it does not show and find it)

4. Enter your lockscreen method (Fingerprint/PIN/Facial recognition)

5. The sign-in is complete

 

Part D: Overview of Google Password Manager

As with passwords, you can use Google Password Manager to store passkeys. This section looks at the role of Google Password Manager in this process.

 

1. Signing in to other sites using your passkeys saved on Google Password Manager

Scenario 1:

  • You are using a browser
  • You are signed in to your Google account
  • You now want to sign in to a site such as GitHub

This is how you access your saved passkeys on your Google Account to sign in to other sites:

1. Go to the site e.g. https://github.com/login

2. Choose the passkey sign-in

3. A pop-up from Google Password Manager will prompt you for one of the following:

  • Your mobile phone's lockscreen method: draw your phone's pattern or enter the password or PIN
  • PIN: 6-digit PIN
  • Letters and numbers: 4 characters or longer

4. You can choose your preferred one of these for future logins, so that subsequent logins default to prompting you for your preferred method

 

Scenario 2: 

  • You are using a browser
  • You are not signed in to your Google account
  • You now want to sign in to an account
  • You have access to your mobile phone to scan a QR code

Since your passkeys are synced across the devices that have your Google account, you can use a passkey already saved on your Google Account:

1. Go to the site e.g. https://github.com/login

2. Turn on Bluetooth on both the phone and the laptop

3. Choose the passkey sign-in

4. A pop-up should display either a passkey sign-in using a QR code or a Security Key

5. Use your Android phone to scan the QR code

6. Click "Open link" on the phone

7. Click "Connect devices" on the phone

8. Select the GitHub account from your phone that you want to sign in to on your laptop

9. Enter your Android phone's lockscreen method (Fingerprint/Pattern/PIN)

10. Your Chrome browser on your laptop should now be signed in

11. You can choose your preferred method for future logins, so that subsequent logins default to prompting you for it

 

2. To change your Google Password Manager PIN on Chrome

1. Head over to chrome://password-manager/settings

2. Look for "Change Google Password Manager PIN"

3. Log in to your Google Account to confirm it is you

4. Enter your new PIN

 

Part E: Summary (Using passkeys on 3rd party sites)

The sign-in mechanism using passkeys is largely the same across sites. Similar to password login, sites have different ways of implementing their login mechanisms (username + password vs email + password) and the wording may be different (See the attached images). Using passkeys largely involves these steps:

1. Create your passkey on your account (Microsoft account, GitHub, etc)

2. Save it to your Google Account, mobile phone, Windows PC or security key

3. Find the passkey login method on your site (It may be in the fine print or not as obvious as the normal password login mechanism)

4. Use saved passkey for subsequent logins

 

Part F: Key observations and limitations

  • Sync works seamlessly between devices signed into Google

  • QR code login requires Bluetooth (it is used to confirm that the phone is physically close to the computer, which mitigates remote phishing of the sign-in)

  • Windows Hello passkeys don’t sync: if you lose the device, you lose the passkey (but a new one can be recreated)

  • Windows Hello offers the best experience (working on almost any browser), followed by the Google Account passkeys (seamless on Chrome but not so much on other browsers)

 

FAQs

1. How do I access my passkeys in the event I lose all my devices?

Some passkeys are synced across devices for one account (Google Password Manager) and all you need to do is log in to that account (they will be restored). You will lose your on-device passkeys (Windows Hello passkeys) but you can recreate them once you have access to your account.

 

2. How do I back up my passkeys, or keep a list of codes to use in the event of device loss or damage?

Passkeys cannot be exported and backed up in the traditional sense. Backup codes can be used to recover your account in the event of device loss.

 

3. How do I access my accounts in the event I lose all my devices and I used passkeys to log in?

In the event you lose all your devices, you would only need to gain access to the Google Account (using your fallback login methods, i.e. Password + 2FA, recovery account or backup codes).
