How to use Google passkeys for stronger security on Android

Still signing into your Google account by tapping out an actual password? That’s, like, so 2022.

Now, don’t get me wrong: The tried-and-true password is perfectly fine, especially if you’re using it in conjunction with two-factor authentication. But particularly for something as important as your Google account, you want to have the most effective security imaginable to keep all your personal and/or company info safe.

And starting this week, you’ve got a much better way to go about that.

So here it is: Google just announced the first official availability of something called passkeys as a way to sign into Google services. In the simplest possible terms, using a passkey means anytime you’d traditionally be prompted to put in your Google account password, you’ll instead be able to securely authenticate yourself via your phone’s face identification system or fingerprint scanner.

[Get fresh Googley advice and insight in your inbox every Friday with my Android Intelligence newsletter. Three new things to try every Friday!]

Why’s that so much better, you might be wondering? Well, I’ll tell ya:

That last part is important, as it basically combines the idea of two-factor authentication with a regular password into a single tough-to-circumvent system. In order for someone to hack into your account with a passkey in place, they’d have to have your physical phone in their hands, have you unlock it with your face or fingerprint (provided you’re using biometric authentication), and then have you use your greasy mug or fingie once more to sign into the account itself.

The problem with passkeys is that up until now, they’d mostly been a theoretical thing. Until a large number of apps, sites, and services support ’em, they really don’t mean much.

But now, the biggest gorilla of ’em all is on board. And that means it’s time for you to take notice.

All right — ready to upgrade your Google account security with an Android-based passkey?

It’ll take you about 10 seconds to do:

Aaaaand, that’s it! (Told ya it was easy, didn’t I?!) On Android, Google automatically creates a passkey for you as soon as you sign into your Google account. So all you’ve gotta do is activate it and opt in, like you just did, and boom: You’re in business.

The one caveat is that if you’re using a company-connected Google Workspace account, your organization’s administrator will have to first enable the option for passkeys to be permitted — and Google hasn’t made that setting available quite yet (though the company says it’ll be there “soon”). So stay tuned and stand by, if you’re in that situation.

Once you get things going, though, the bits and bytes that make your passkey work will be stored securely on your actual Android phone and never shared with anyone, including Google itself. Even when you authenticate, the passkey just gets unlocked locally and then your phone confirms to Google that you’re good to go. Because of that, there’s no possible way to share the info or inadvertently grant access to a scoundrel, miscreant, or garden-variety rapscallion — which means phishing and breaches are no longer a worry.

Last but not least, the really cool part: This doesn’t just affect sign-ins on your phone. It also works for when you’re signing into your Google account on other devices.

With your passkey set up and active, the next time you try to sign into your Google account on any phone, tablet, computer, or internet-connected camel, you’ll see a prompt asking you to use your passkey on your phone to prove it’s you. Clicking through will cause a notification to pop up on your phone, and when you tap it, the phone will prompt you for your biometric authentication and then connect to the other device to confirm that you’re approved.

You won’t even be asked for two-factor authentication, as you’ve ultimately already provided it.

Simple, secure, and safe from shady shenanigans. What more could you ask for?!

Ready to complete your Android Intelligence upgrade? Come check out my free weekly newsletter to get all sorts of invaluable experience-enhancing info in your inbox each week, straight from me to you.

http://www.computerworld.com/category/security/index.rss

Leave a Reply