Google Password Manager Can Now Store PassKeys On Android, ChromeOS

Last Updated on October 14, 2022 by Anu Joy

Google has revealed how its passkeys will sync with password manager, along with announcing support for Google Chrome and Android. Passkeys is Google’s answer to replacing passwords which, in the company’s opinion, has become susceptible to misuse and hacks. 

Google said a single passkey will identify a particular user account on some online services, with users having different passkeys for different services. The company added that the user’s operating systems, or software similar to the password managers of today will have a user-friendly way to manage these passkeys. 

The search giant states that it dreams of a future without passwords, and is pushing the industry to adopt its passkeys that places a strong emphasis on phones and identity sync from operating systems like Apple, Google, and Microsoft. Passkeys rely on biometrics, be it fingerprints, or facial recognition and can need a separate passcode to unlock the service you want to sign in. 

“The main ingredient of a passkey is a cryptographic private key. In most cases, this private key lives only on the user’s own devices, such as laptops or mobile phones. When a passkey is created, only its corresponding public key is stored by the online service. During login, the service uses the public key to verify a signature from the private key. This can only come from one of the user’s devices,” Google said in a blog post. 

Google’s passkeys will be backed up and managed by the Google Password Manager on Android. They can also exist on more than one device as the same private key. The passkeys are encrypted when not used in the user’s devices with a hardware-protected encryption key. Even on the Google Password Manager, passkeys are end-to-end encrypted. 

“When a passkey is backed up, its private key is uploaded only in its encrypted form using an encryption key that is only accessible on the user’s own devices. This protects passkeys against Google itself, or e.g. a malicious attacker inside Google. Without access to the private key, such an attacker cannot use the passkey to sign in to its corresponding online account,” the company said.