A password is a fixed string of characters that you have memorized or saved in a password manager. When logging on, a web page expects exactly this password each time the user name is entered.

A passkey, on the other hand, can be viewed as a password key. On the one hand there is the user, and on the other hand there is a website or app that knows this user. When this user logged in for the first time, a key pair was generated that is only valid for this account. A public key was stored in the website or app, while the private key is stored in a device such as a cell phone or a FIDO2 USB stick. With each login, the connected device generates a new one-time password that was encrypted by the private key and can only be decrypted with the key half in the web page or app.

This login password is generated either by biometric login (fingerprint, face recognition, iris scanner) or by entering a PIN or a swipe pattern. The device then transfers the one-time password to the receiving party (app or website) where it is checked using the public key. If the result is correct, access is granted.

So, the main difference between a password and the passkey method is that a password is immutable until it is exchanged on both sides, while passkey works with new, encrypted, one-time codes. Also, the username and password combination can be used by anyone, while Passkey is tied to one person.
If you want to use the passkey technology, you need your mobile phone with a camera and fingerprint sensor. Alternatively, you can take a FIDO2 USB stick that contains a finderprint scanner or transmits the necessary security ID via Bluetooth or NFC.

• The main advantage of the Passkey method is that the user no longer has to remember a password and therefore does not write it down or choose something so simple that it is easy to crack.
• There is also no risk of a user using the same password for different sites or apps.
• In addition, it is of no use to an attacker to intercept the authentication code as it is used, because a new code will be used next time.
• For the same reason, passkeys are immune to phishing as there is no longer a fixed password to intercept.
• Furthermore, no passwords are stored in web pages that an attacker could capture in a hack. And the combination of the two
• Passkeys is always tied to the webpage and doesn’t work anywhere else.

Of course, as with any security procedure, there are always concerns and downsides:

• Experts are already warning that the current encryption method is weak and could be cracked by quantum computers in the near future.
• If there are problems with biometric identification, you no longer have access to your apps and websites.
• There will still be users who, for various reasons, do not want to or cannot use the procedure. This leads to a two-pronged login process, which in turn poses a security risk.
• There will continue to be websites that cannot or do not want to keep up with the new technology, and for which the old method must continue to be used.
  Account sharing will no longer be possible. If, for example, access to Netflix or Amazon is shared with the partner, only one of them can log in with the passkey.
• What happens if the identification device (or rather, smartphone) is lost or stolen? In this case, some problems arise. Although the key pairs can be backed up and restored in the cloud, you may need a security key for it. These must be generated in advance.
• If criminals or security authorities want to force you to open accounts and accesses, with Passkey it is enough to hold the device in front of your face or take your finger.

Google has been offering the option of using your smartphone’s built-in security key for some time.

To set up the built-in security key, you need an Android smartphone running Android 7.0 or higher.

When you sign up on new devices and your smartphone is compatible, Google will automatically try to provide additional protection through the built-in security key. Important: Each account can have only one built-in security key. If you have several compatible smartphones, you must select one. However, you can switch to another compatible smartphone at any time.

To do this, proceed as follows:

• Activate two-factor authentication and select a second confirmation step. If you are already using two-factor authentication, continue to the next step.
• Open the website myaccount.google.com/security on your Android smartphone.
• Under “Sign in to Google” select “Two-factor authentication” You may need to sign in first.
• Scroll to the Security Keys section and tap the right arrow.
• Select “Add Security Key” which is located on the bottom left.
• Select your Android smartphone and tap “Add“. You should see a confirmation that your smartphone has been successfully added as a security key.

If you want to set up your smartphone as a security key, you need an iPhone with iOS 10 or higher. Learn how to update your iOS version here. When you sign up on new devices and your phone is compatible, Google will automatically try to provide additional protection using the built-in security key.
Important: There can only be one built-in security key per account. If you have more than one compatible smartphone, you must choose one. You can switch to another compatible smartphone at any time.