May 4, 2023 3:00 AM PT
Android Intelligence Advice

How to use Google passkeys for stronger security on Android

Time to upgrade your Google account security and leave the threat of phishing in the past.

JR Raphael/Google/OpenClipart-Vectors

Still signing into your Google account by tapping out an actual password? That's, like, so 2022.

Now, don't get me wrong: The tried-and-true password is perfectly fine, especially if you're using it in conjunction with two-factor authentication. But particularly for something as important as your Google account, you want to have the most effective security imaginable to keep all your personal and/or company info safe.

And starting this week, you've got a much better way to go about that.

Go, go, Google passkeys

So here it is: Google just announced the first official availability of something called passkeys as a way to sign into Google services. In the simplest possible terms, using a passkey means anytime you'd traditionally be prompted to put in your Google account password, you'll instead be able to securely authenticate yourself via your phone's face identification system or fingerprint scanner.

[Get fresh Googley advice and insight in your inbox every Friday with my Android Intelligence newsletter. Three new things to try every Friday!]

Why's that so much better, you might be wondering? Well, I'll tell ya:

  • First, it takes the responsibility off of you to create a truly strong and unique password and make sure no one else ever finds it. (And sure, you're clearly an exceptional human who uses an effective Android password manager and has that whole process down to a science. But the vast majority of mammals are far less diligent.)
  • Second, it essentially eliminates the possibility of phishing — that thing when a ne'er-do-well tricks someone into giving up their password and/or other sensitive info. And silly as it may seem, that's something that affects even the savviest tech gurus at an almost shockingly high frequency.
  • Third, it proves that you (a) have your actual Android phone in your possession and (b) already unlocked it, using the secure lock screen setup you've already got in place.

That last part is important, as it basically combines the idea of two-factor authentication with a regular password into a single tough-to-circumvent system. In order for someone to hack into your account with a passkey in place, they'd have to have your physical phone in their hands, have you unlock it with your face or fingerprint (provided you're using biometric authentication), and then have you use your greasy mug or fingie once more to sign into the account itself.

The problem with passkeys is that up until now, they'd mostly been a theoretical thing. Until a large number of apps, sites, and services support 'em, they really don't mean much.

But now, the biggest gorilla of 'em all is on board. And that means it's time for you to take notice.

Getting your Google passkey going on Android

All right — ready to upgrade your Google account security with an Android-based passkey?

It'll take you about 10 seconds to do:

  • Open up g.co/passkeys in whatever browser you prefer on your phone.
  • Type in your Google account password, when prompted — and delight in the fact that you won't have to do that again.
  • Look for the blue "Use passkeys" button in the center of the screen and tap, tap, tappity-tap it.
JR

Aaaaand, that's it! (Told ya it was easy, didn't I?!) On Android, Google automatically creates a passkey for you as soon as you sign into your Google account. So all you've gotta do is activate it and opt in, like you just did, and boom: You're in business.

The one caveat is that if you're using a company-connected Google Workspace account, your organization's administrator will have to first enable the option for passkeys to be permitted — and Google hasn't made that setting available quite yet (though the company says it'll be there "soon"). So stay tuned and stand by, if you're in that situation.

Once you get things going, though, the bits and bytes that make your passkey work will be stored securely on your actual Android phone and never shared with anyone, including Google itself. Even when you authenticate, the passkey just gets unlocked locally and then your phone confirms to Google that you're good to go. Because of that, there's no possible way to share the info or inadvertently grant access to a scoundrel, miscreant, or garden-variety rapscallion — which means phishing and breaches are no longer a worry.

Last but not least, the really cool part: This doesn't just affect sign-ins on your phone. It also works for when you're signing into your Google account on other devices.

With your passkey set up and active, the next time you try to sign into your Google account on any phone, tablet, computer, or internet-connected camel, you'll see a prompt asking you to use your passkey on your phone to prove it's you. Clicking through will cause a notification to pop up on your phone, and when you tap it, the phone will prompt you for your biometric authentication and then connect to the other device to confirm that you're approved.

JR

You won't even be asked for two-factor authentication, as you've ultimately already provided it.

Simple, secure, and safe from shady shenanigans. What more could you ask for?!

Ready to complete your Android Intelligence upgrade? Come check out my free weekly newsletter to get all sorts of invaluable experience-enhancing info in your inbox each week, straight from me to you.