Using Passkeys in Google’s ecosystem

I’m trying to understand passkeys. I did a test today trying to create and use a passkey on a demo site. I tested trying to log in on an Android phone (Pixel Pro 6), an Android tablet (Samsung Galaxy Tab S8+), a Windows 10 desktop, and a Chromebook. Here’s what I learned.

In summary: passkeys seem to work well for login and are shared across Android devices. Passkeys are stored alongside old-fashioned passwords in a product Google calls “Google Password Manager”. If synced, any Android device can be used as an authenticator for any passkey you’ve added. However, Chrome cannot act as an authenticator on Windows or ChromeOS; they delegate to a nearby Android device. Important features for managing passkeys do not exist yet.

These notes are all for today, May 19. Most of my devices are pretty well updated: Chrome 113.0.5672.94, Android 13 on the phone and tablet, ChromeOS Beta 114.0.5735.31 on the Chromebook. The desktop is Windows 10 Pro 22H2. I have not set up Windows Hello on it.

(I didn’t test on any Apple systems. My understanding is Apple Keychain works pretty well and is synced across all devices via iCloud.)

Logging in

I created a new account and passkey at passkeys.io on my phone. That took a one-time setup of Google Password Manager on my phone to tell it to store passkeys there and let me unlock them with my phone biometrics. Then the new passkey was created and stored.

Chrome on Android Phone: I could log in and out of the demo site very easily in the Chrome browser. Chrome prompts me once to verify I want to log in with a passkey, then a second prompt for my thumbprint, then I’m logged in. I wouldn’t mind if they whittled that down to a single prompt.

Firefox on Android phone: worked identically to Chrome with no extra setup.

Chrome on Android Tablet: after initial setup it was the same login experience as the phone. The tablet also lets me use a PIN instead of a thumbprint. The important thing here is I never did anything to get my passkey onto my Android tablet. That happened transparently, behind the scenes. Apparently Google is syncing passkeys between secure Android devices via the Internet (or possibly Bluetooth). The passkey is definitely coming from the tablet itself; my phone is not involved.

Chrome on Chromebook: different experience. Logging in pops up a “use your passkey” dialog with a list of devices that have my passkeys. I chose my phone and a notification popped up on my phone asking me to approve and use my thumbprint to log in. That all just worked in 4 clicks/taps in total. Behind the scenes I believe this uses Bluetooth. The passkey is not on my Chromebook; it requires a different device to be the authenticator.

Chrome on Windows: similar experience as Chromebook once Bluetooth was set up on Windows. I’m prompted with a list of authenticator options; delegating to my phone worked like the Chromebook. There’s also an option for “Windows Hello or external security key” as an authenticator which pops up a Windows dialog for what I imagine is Windows’ passkey authenticator. Before I added Bluetooth to the Windows box that popup appeared immediately; it was my only choice. I didn’t pursue the Windows stuff, but I imagine that’d be the way to get passkeys on the Windows device itself (or a Yubikey) and not rely on a phone. It’d be nice if Chrome didn’t ask me every time which Android device I wanted to use.

Firefox on Windows: goes straight to the Windows dialog, even with Bluetooth available. No choice of authenticators. It doesn’t seem aware it could delegate to my Android phone.

Edge on Windows: two options, “Windows Hello or external security key” or else “Use a different phone or tablet”. That second option popped up a FIDO: QR Code that introduced Edge to my phone as an authenticator. Then the phone did the passkey thing via Bluetooth. Second time around I had a third authenticator option, my phone, which worked just like Chrome and Firefox on Windows. I don’t know if some of this interaction was specific to passkeys.io and their JavaScript libraries.

Summary: Android devices are storing passkeys and syncing them between themselves. Windows and Chromebook are not storing passkeys but can delegate via Bluetooth to a nearby Android device.
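
The difference summarized above (a passkey synced onto the device versus one reached by delegating to a phone) is visible to the website in standard WebAuthn fields: the backup flags in the authenticator data and the credential's authenticatorAttachment value. The following is an added example, not code from passkeys.io or Google; the function names are hypothetical and the sample bytes are constructed, not captured from the devices in this post.

```javascript
// Added example: decode WebAuthn authenticator data the way a relying party would.
// Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
const FLAGS = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10 };

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const parsed = {
    userPresent: (flags & FLAGS.UP) !== 0,     // a tap or similar gesture happened
    userVerified: (flags & FLAGS.UV) !== 0,    // biometric or PIN was checked
    backupEligible: (flags & FLAGS.BE) !== 0,  // credential is allowed to sync
    backedUp: (flags & FLAGS.BS) !== 0,        // credential is currently synced
    signCount: view.getUint32(33, false),
  };
  // WebAuthn does not allow BS=1 with BE=0: a credential cannot be backed up
  // unless it is eligible for backup, so a server should reject this combination.
  if (parsed.backedUp && !parsed.backupEligible) {
    throw new Error("invalid flags: BS set without BE");
  }
  return parsed;
}

// Hypothetical helper: turn the parsed flags plus PublicKeyCredential's
// authenticatorAttachment ("platform" or "cross-platform") into a description.
function describePasskey(parsed, authenticatorAttachment) {
  const storage = !parsed.backupEligible ? "device-bound"
    : parsed.backedUp ? "synced" : "sync-capable, not yet backed up";
  const path = authenticatorAttachment === "platform"
    ? "authenticator built into this device"
    : "separate authenticator (phone or security key)";
  return `${storage} passkey via ${path}`;
}

// Constructed sample: zeroed rpIdHash, the given flags byte, signCount 0.
function sampleAuthData(flags) {
  const data = new Uint8Array(37);
  data[32] = flags;
  return data;
}

const synced = parseAuthenticatorData(sampleAuthData(FLAGS.UP | FLAGS.UV | FLAGS.BE | FLAGS.BS));
console.log(describePasskey(synced, "platform"));
console.log(describePasskey(synced, "cross-platform"));
```
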

Managing passkeys

Logins work pretty well in the Google ecosystem; what about managing passkeys? The story isn’t as great, although Android at least can give you a list of passkeys.

Google’s passkey authenticator product is called Google Password Manager (GPM). This is the same thing that stores plaintext passwords for websites you log in to. It manages passkeys too. I never set it up before because I use 1Password instead.

Android: GPM is part of Google Play Services, a sort of adjunct to the Android OS. Launching GPM on Android is not easy. It’s hidden in Settings and I could only find it via a search, and in a different place on the Samsung tablet than the Pixel phone. Once in the Password Manager there’s a button “Add shortcut” which will give you an icon you can tap to open it. Opening that I see a list of my passkeys and passwords.

Chrome on Windows: GPM is in Chrome settings at chrome://settings/passwords. However it only has a list of my passwords, there are no passkeys there. Not too surprising since the passkeys aren’t actually on my Windows machine.

Chrome on Chromebox: same as Windows; no way to list your passkeys that I can find.

Google Passwords webapp: GPM has a webapp version of its product. It only lists my passwords, not my passkeys. This seems like a fairly serious omission to me. I don’t know any way on the web to find the passkeys that Android is syncing for me.

Google Accounts: Google has a webapp for the passkeys I can use to log in to Google itself. It tells me that two were automatically created for me, one on each of my Android devices. That’s a relatively new thing but is an extension of a passkey-like authentication that Google/Android has been doing for a while.

Summary: GPM on Android is the only working passkey management tool. It’s pretty limited. You can list your passkeys and delete them. There’s no option to export them, or back them up outside Google’s ecosystem, or share them with someone else. Some of that stuff is supposedly coming but I have a suspicion Google is in no hurry to implement something that’d let you migrate out of their product.