Martin Shelton

Principal Researcher

One of the most common ways people get hacked is through phishing: an attacker impersonates a trusted website to trick you into entering your credentials. But what if you never had to type in a password? Passkeys are a passwordless login method. Instead of a secret that both you and the website know, your device holds a private key and the service keeps only the matching public key; signing in means your device proves it has that key, typically after you unlock it with a fingerprint, face scan or PIN. Because a passkey is bound to the website it was created for, a look-alike site cannot use it, which makes passkeys highly resistant to phishing.

In this guide we’ll talk through how to set up passkeys to boost the security of your online accounts.

What’s a passkey anyway?

Think of a passkey as a credential stored on a device you trust. Instead of proving your identity to an online service by typing in a password, a passkey proves your identity by showing that you hold a device, such as your phone, that was registered with your online account, and that you can unlock it. Under the hood, the device keeps a private key in its secure storage; the service stores only the public key and, each time you log in, asks the device to sign a fresh, random challenge. There is no shared secret for a phishing site to capture.

The technology behind passkeys is the FIDO2 standard from the FIDO Alliance, an industry association, together with the W3C’s WebAuthn web standard that browsers implement.

There are a few types of devices that you can use to store your passkey:

  • On your phone, using on-screen prompts and biometric face or fingerprint scanning
  • On your desktop computer, with biometric face or fingerprint scanning
  • On a compliant security key (e.g., see this list from Yubico)
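To make the point that a passkey “only works on the appropriate service” concrete, here is an added example, written for this guide rather than taken from the FIDO specifications or from any vendor’s implementation, that simulates both halves of a simplified WebAuthn login in Go. The authenticator holds a private key scoped to a site identifier, the server stores only the public key and issues a fresh random challenge, and the browser (not the web page) records which origin asked for the signature. The site name example.com, the look-alike exampie.com and the field layout of the authenticator and client data are placeholders chosen for illustration; the real protocol carries more fields and uses CBOR and specific byte layouts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors WebAuthn's clientDataJSON; the browser, not the page, fills in Origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the authenticator returns for one login attempt.
type assertion struct {
	AuthData       []byte // sha256(rpId) || flags || counter (simplified layout)
	ClientDataJSON []byte
	Sig            []byte // ECDSA over sha256(authData || sha256(clientDataJSON))
}

// authenticator is the device side; the private key never leaves it.
type authenticator struct {
	rpID string // the site this key was registered for
	priv *ecdsa.PrivateKey
}

// sign answers a challenge. origin is supplied by the browser, not the page.
func (a *authenticator) sign(challenge, origin string) (assertion, error) {
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; counter 1
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return assertion{AuthData: authData, ClientDataJSON: cd, Sig: sig}, err
}

type relyingParty struct {
	rpID, origin string
	pub          *ecdsa.PublicKey
}

func newChallenge() string {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand: documented never to fail on Go 1.24+
	return base64.RawURLEncoding.EncodeToString(b)
}

// verify accepts only if challenge, origin, rpId hash and signature all match.
func (rp *relyingParty) verify(challenge string, as assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin %q is not %q: request came from another site", cd.Origin, rp.origin)
	}
	want := sha256.Sum256([]byte(rp.rpID))
	if len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(want[:]) {
		return errors.New("rpIdHash mismatch: key belongs to a different site")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], as.Sig) {
		return errors.New("bad signature")
	}
	return nil
}

// demo: genuine login, replay of its assertion, login relayed via a phishing site.
func demo() (genuine, replayed, phished error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	auth := &authenticator{rpID: "example.com", priv: priv} // hypothetical site
	rp := &relyingParty{rpID: "example.com", origin: "https://example.com", pub: &priv.PublicKey}
	c := newChallenge()
	as, _ := auth.sign(c, "https://example.com")
	genuine = rp.verify(c, as)
	replayed = rp.verify(newChallenge(), as) // old assertion, fresh challenge
	// A real browser would not even offer this passkey to exampie.com (it is
	// scoped to example.com); the server rejects the relayed assertion anyway.
	c = newChallenge()
	as, _ = auth.sign(c, "https://exampie.com")
	phished = rp.verify(c, as)
	return genuine, replayed, phished
}

func main() { fmt.Println(demo()) }
```

Run it and the genuine login returns no error, while the replayed assertion and the assertion relayed through the look-alike site are both rejected. In a real browser the phishing attempt fails even earlier: a passkey created for example.com is never offered to a page served from exampie.com, so there is nothing for the fake site to collect in the first place, which is exactly what a password cannot promise.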

Devices and services differ in the exact setup steps, so to show what you can generally expect, let’s walk through enabling passkeys on a Google account.

Setting up passkeys

You don’t have to stop using passwords if you don’t want to. But where available, passkeys are the more secure option, because you never type a password into a website at all.

Passkeys do not yet work on all major operating systems and browsers, so check this table before getting started to see if you can use passkeys on your preferred hardware and software.

First, in a supported desktop browser navigate to g.co/passkey and log into your Google account as normal. You will be presented with a screen for the passkey registration menu in your Google account settings.

Note that if you use Android and have previously signed in to this account on your device, you may already have “Automatically created passkeys” enabled, which allows you to receive login prompts on your mobile device.

Press the “Create a passkey” button at the bottom of the screen.

To add a passkey using your current device press “Continue” and then press “Continue” a second time. You may receive a pop-up asking you to confirm by entering your password, or a fingerprint or face scan if you have enabled them previously.

Once enabled, you will be able to log in using the passkey you registered on this device.

After you have one passkey, you can add passkeys to additional devices by registering them next to your first device. Turn on Bluetooth on both devices: the cross-device flow uses Bluetooth to confirm the two devices are physically near each other, and an encrypted internet connection to carry the rest of the exchange.

To create a new passkey on another device go to “Create a passkey” then “Choose another device” and choose the one you’d like to use. This might be a phone, tablet or a security key.

Mobile users: When prompted, scan the QR code that appears on the screen. On your mobile device, tap “Allow” > “Continue” and choose your authentication method. If not yet enabled, on iOS or iPadOS you may be prompted to turn on iCloud Keychain.
Security key users: When prompted, plug the security key into your USB port and touch its button or sensor to activate the device.

It may not work the first time. If you run into any trouble, ensure your device is up to date and attempt to register again. From now on, you’ll be able to log in without a password using the registered device.

Limitations of passkeys

Just in case you ever lose access to a device with your passkey, you should register more than one, ideally on a second device or a security key you keep somewhere safe.

Passkeys are only as safe as the device on which you store them. Someone who has your device and knows its PIN or passcode, or can get past its biometric check, could sign into your accounts using your on-device prompts. Likewise, if you create a passkey on someone else’s device, whoever controls that device may be able to log in as you. It’s therefore important to only use passkeys on devices you control, and to ensure your device is properly encrypted and protected with a strong passcode or password.

Modern iOS and Android devices should have disk encryption enabled by default, tied to the device passcode. You may need to enable disk encryption on desktop devices using BitLocker for Windows or FileVault for macOS. Learn more about how to set up a strong password for your mobile device in our guide, “Your smartphone and you: A handbook to modern mobile maintenance.”

Passkeys aren’t yet supported on all major browsers or online services, but we expect to see passkeys rolling out on a growing number of services in the years to come. Until then, and for every account that doesn’t yet offer passkeys, it’s important to maintain long, unique passwords, ideally using a password manager. Read our guide on choosing a password manager.

Journalists who run into trouble or need support can reach out to our digital security training team.
