A single passkey identifies a particular user account on some online service. A user has different passkeys for different services. The user’s operating systems, or software similar to today’s password managers, provide user-friendly management of passkeys.
This passwordless future that the industry is pushing places a strong emphasis on your phone and on your identity/sync account with Apple (Apple ID), Google, or Microsoft. It relies on biometrics (fingerprint or face) or a passcode unlock to authenticate you and sign you in. That same account is what you fall back on when you set up a new device or lose your existing one.
The main ingredient of a passkey is a cryptographic private key. In most cases, this private key lives only on the user’s own devices, such as laptops or mobile phones. When a passkey is created, only its corresponding public key is stored by the online service. During login, the service uses the public key to verify a signature from the private key. This can only come from one of the user’s devices.
On Android, passkeys will be backed up and synced to the Google Password Manager, which the company has been making more prominent as of late. Passkeys can exist on more than one device (phone + tablet, old + new phone, etc.) as the “same private key can exist on multiple devices.”
In terms of protection, “passkey private keys are encrypted at rest on the user’s devices, with a hardware-protected encryption key.” Passkeys are also end-to-end encrypted with the Google Password Manager.
When a passkey is backed up, its private key is uploaded only in its encrypted form using an encryption key that is only accessible on the user’s own devices. This protects passkeys against Google itself, or e.g. a malicious attacker inside Google. Without access to the private key, such an attacker cannot use the passkey to sign in to its corresponding online account.
Google today explained the recovery process, as well as the experience of setting up a new phone with passkeys. Basically, the end-to-end encryption keys on your old phone are transferred to the new one as part of the normal device migration process. You must be signed in to the same Google Account and must know the old device’s screen lock, or the “lock screen PIN, password, or pattern of another existing device that had access to those keys.”
Screen lock PINs, passwords or patterns themselves are not known to Google. The data that allows Google to verify correct input of a device’s screen lock is stored on Google’s servers in secure hardware enclaves and cannot be read by Google or any other entity. The secure hardware also enforces the limits on maximum guesses, which cannot exceed 10 attempts, even by an internal attack. This protects the screen lock information, even from Google.