The problem with Passkeys


Google and other companies have been working with the FIDO Alliance to change how online security works using a concept they are calling the Passkey. It's a great idea with a few flaws that mean it's not really something Google should be pushing out to everyone.

Passkeys work using two critical elements: special hardware already inside most of the best Android phones, and cryptography software that meets all the specifications to make it what's called a FIDO credential.

When you set up your phone, a unique key will be created and stored in your phone's secure enclave. This identifier will be used with the FIDO standards to create a set of credentials that can be passed along to any device that's in communication with your phone, or any software that's running on that device, like the web browser or an app.

After everything is set up, all you need to do is unlock your phone to provide these secure credentials.


You're not supplying any information that can be used to identify you but every set of credentials is still unique. The only online component is a backup key stored in the cloud to help you recover your accounts. 

In simple terms, this means that your phone will store a key. When you want to access an online account that works with passkeys, you unlock your phone and the key proves that you are really you. 

I like this future where passwords and usernames don't really exist. Not as much as Apple and Google who know that you almost have to have a compliant phone to use it and there are only two real choices there — iOS and Android — but I think it's a step in the right direction.

Having said that, I don't recommend you jump in and turn it on as soon as you see a prompt or get an email from Google. It's just not completely ready.


The onboarding process itself is a bit half-baked. Some of my colleagues here at Android Central have semi-successfully waded through it, and after fiddling with a QR code displayed on a phone and being asked to scan it with the same phone, URLs that are broken and don't actually do anything when you tap on them, and being told that a USB security key needed to be inserted even though one was never set up, we all came to the same conclusion — this is not ready for prime time.

That doesn't mean it can't be or won't be ready in the future. We've seen this from Google before — rush a feature out the door that still needs plenty of polish before you give it to billions of users — and we've seen Google quickly turn it around and make it work as intended. It means right now, setting up your account with a Passkey might be a really poor experience.

That's not the real problem though, at least in my opinion. My issue is that it's tied to a physical device you must have on hand if you want to use an online service.

That device doesn't have to be a phone. You can also use a physical security key, a wearable, or anything with the correct hardware and software support to act as an authenticator. And that works well — I use a FIDO-compliant USB key as a two-factor authentication method to access my accounts. I also know that I have an easy backup solution for the times when I don't have my key, like today, when I'm not at home in my own office. Google Authenticator or even SMS can be a lifesaver.


Most people are going to use their phone as a passkey, though. You already have it, you spent a lot of money on it, and the company you bought it from told you how secure everything about it is. Besides, Google makes it easy to use your phone because it wants you to be even more reliant on your phone. 

Ask yourself, though, might you ever lose your phone? That's where things aren't as easy.

Theoretically, all you need to do to re-enable your secure key is sign into your Google account with a new phone. Even the "passwordless future" will still need a password, I guess. While I haven't been able to test this, I will say it probably works as intended because it's the least complex part of the system — keep a backup of the important, but useless on its own, part in the cloud to retrieve if you ever need it.

Hopefully, you aren't locked out of your Google account and can remember the actual password you were told you no longer need, and you have a way to get an SMS from Google or sign in to an authenticator app. All without your phone in your hands. Lord help you if your phone was stolen and someone hosed your account by trying to get into it too many times. 


These are real issues that we hear about every day. It's already horrible to not be able to help someone get back into their account where years of photos are stored. Having their logins for things from Netflix to their bank inaccessible while everything gets sorted out is a nightmare.

Soon enough we'll all be using passkeys because we will have no choice. Before that happens I sure hope someone is thinking about making the system more user-friendly.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Threads.

java007: And definitely don't jump onboard yet if you are using a Linux desktop. Found out the hard way, but was able to recover and turn off the passkey requirement.