Who supports passkeys?
Because passkeys are based on FIDO standards, they work on Android and Chrome, along with many other popular ecosystems and browsers such as Microsoft Windows, Microsoft Edge, macOS, iOS and Safari.
See Supported environments to check the support status on Chrome and Android.
Do passkeys work on devices that don't have a screen lock method set up?
It depends on the password manager implementation: whether a credential provider allows passkey creation and authentication without a user knowledge factor challenge is up to that provider. Providers can prompt users to set up a PIN or biometric screen lock before creating a passkey.
How can passkeys registered on one platform (such as Android) be used to sign in on other platforms (such as web or iOS)?
A passkey registered on Android, for example, can be used to sign in on other platforms by connecting the Android phone with another device. To establish a connection between the two devices, users open the site they are trying to sign in to on a device that doesn't have a passkey registered, scan a QR code, and then confirm the sign-in on the device they created the passkey on (in this case, the Android device). The passkey never leaves the Android device, so apps typically suggest creating a new passkey on the other device to simplify the next sign-in. This flow works in a similar way for other platforms as well.
Can I move synchronized passkeys from one platform provider to another?
Passkeys are saved to the credential provider defined by the platform. Some platforms, like Android, allow users to choose a provider (a system or third-party password manager) starting in Android 14, and such a provider may be able to synchronize passkeys across different platforms. Support for moving passkeys directly from one platform provider to another is not available at this time.
Can a user synchronize their passkeys across non-Google Android devices?
Passkeys are only synced within the device's ecosystem (that is, Android to Android with Google Password Manager by default), not across ecosystems.
Android is opening up the platform (starting in Android 14) to allow users to select which credential provider they want to use (such as a third-party password manager). That will enable use cases like synchronizing passkeys between different ecosystems (depending on how open other platforms are).
What should developers do about devices and platforms that don't support passkeys?
Developers should keep the existing sign-in options in their app for the time being so that they remain available for devices and surfaces that do not support passkeys.
Can a passkey expire?
No. Expiry depends on the provider storing the passkeys and on the RP (relying party), but there is no common practice of expiring passkeys.
Can an RP specify an account for the user to sign in with?
Relying parties (third-party apps) can populate 'allowCredentials' with a list of credential IDs sent from their app backend, indicating which passkeys may be used to authenticate the user.
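As an added illustration (not code from the original page), the snippet below shows how an RP's web client turns a backend-supplied list of credential IDs into the request options passed to navigator.credentials.get(). The backend response shape, the helper names and the sample values are assumptions made here; real credential IDs are opaque bytes chosen by the authenticator.

```javascript
// Added example (not from the original page): build PublicKeyCredentialRequestOptions
// whose allowCredentials is restricted to the credential IDs the RP backend returned
// for the account the user named. Assumed: the backend returns
// { challenge, rpId, credentialIds } with all binary fields base64url-encoded.

// Decode base64url (RFC 4648 section 5) into a Uint8Array. WebAuthn expects raw
// bytes for challenge and credential IDs; JSON transport carries them as strings.
function base64urlToBytes(s) {
  if (typeof s !== 'string' || !/^[A-Za-z0-9_-]*$/.test(s)) {
    throw new TypeError('invalid base64url input');
  }
  const padded = s.replace(/-/g, '+').replace(/_/g, '/') +
    '='.repeat((4 - (s.length % 4)) % 4);
  return new Uint8Array(Buffer.from(padded, 'base64'));
}

// Build request options pinned to the listed passkeys. An empty allowCredentials
// would instead let the authenticator offer any discoverable passkey for this RP
// (the account-picker experience); a populated list targets one account's passkeys.
function buildRequestOptions(serverResponse) {
  const { challenge, rpId, credentialIds } = serverResponse;
  return {
    challenge: base64urlToBytes(challenge),
    rpId,
    allowCredentials: credentialIds.map((id) => ({
      type: 'public-key',
      id: base64urlToBytes(id),
      // Transport hints; an RP would normally replay what it recorded at registration.
      transports: ['internal', 'hybrid'],
    })),
    userVerification: 'required',
    timeout: 60000,
  };
}

// Browser-only: hand the options to the platform. Not invoked at top level so the
// file also loads under Node for the constructed sample below.
async function requestAssertion(serverResponse) {
  const publicKey = buildRequestOptions(serverResponse);
  return navigator.credentials.get({ publicKey });
}

// Constructed sample backend response (not real credential IDs or challenge).
const SAMPLE_SERVER_RESPONSE = {
  challenge: 'AQIDBAUGBwgJCgsMDQ4PEA',   // 16 bytes: 0x01 .. 0x10
  rpId: 'example.com',
  credentialIds: ['Y3JlZC0x', 'Y3JlZC0y'], // "cred-1", "cred-2" as bytes
};

module.exports = { base64urlToBytes, buildRequestOptions, requestAssertion, SAMPLE_SERVER_RESPONSE };
```

The backend should decide which IDs to return after it has identified the account (for example from a session or a username the user typed); the client only decodes and forwards them.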
Passkeys on Android & Chrome
Can Android apps use passkeys created in Chrome for authentication?
For passkeys created in Chrome on Android:
Yes. Passkeys created in Chrome on Android are saved to Google Password Manager and are available to Android apps, and vice versa, when users are signed in to the same Google account.
For passkeys created in Chrome on other platforms:
If the passkey is created in Chrome on other platforms (Mac, iOS, Windows), then no. Check out the supported environments for more information. Meanwhile, users can use the phone they created the passkey on to sign in.
What happens to the credentials created before passkeys were introduced? Can we continue using them?
Yes. On both Chrome and Android, device-bound credentials created before synchronization was enabled remain available and can still be used for authentication.
What happens if a user loses their device?
Passkeys created on Android are backed up and synced with Android devices that are signed in to the same Google Account, in the same way as passwords are backed up to the password manager.
That means users' passkeys go with them when they replace their devices. To sign in to apps on a new phone, all the user needs to do is verify themselves with their existing device's screen lock.
Are both a biometric and a PIN or pattern screen lock required on the device for signing in with passkeys, or is one of these enough?
One screen lock method is enough.
Is a passkey tied to a specific screen lock method like fingerprint, PIN or pattern?
It depends on the device platform and how it performs user verification. In the case of Google Password Manager, passkeys are not tied to any specific authentication method and can be used with any screen lock factor available (biometric, PIN, or pattern).
Can an RP still create device-bound credentials that aren't synchronized?
For the time being, non-discoverable credentials created in Chrome on Android, or in an Android app using the Play Services APIs, keep their existing behavior and thus continue to be device-bound.
When using passkeys, the device public key extension, which is under development, provides a second, device-bound key that is not synced and that can be used for risk analysis. However, no credential providers support it yet.
How does synchronizing passkeys to a new device work? Do users need to have access to the device they created a passkey on?
If the passkeys were saved to Google Password Manager, all the user needs to do is sign in on the new device with the same Google account and verify themselves with their previous device's screen lock (PIN, pattern or passcode). The previous device itself is not required for the user to log in on other devices.
If the passkeys were saved to a different credential provider, it depends on that provider's sign-in flows on new devices. Most credential providers synchronize credentials to the cloud and offer users ways to access them on new devices after authenticating themselves.
Privacy and security
Is the user's biometric information safe?
Yes, user biometric data never leaves the device and is never stored on a central server where it could be stolen in a breach.
Can a user sign in to a friend's device using a passkey on their phone?
Yes. Users can set up a “one time link” between their phone and someone else's device for the purposes of signing in.
Are passkeys stored in Google Password Manager protected if a user's Google account is compromised?
Yes, passkey secrets are end-to-end-encrypted. A compromised Google account wouldn't expose passkeys, because users also need to unlock the screen of their Android device to decrypt the passkeys.
How do passkeys compare to identity federation?
Identity federation is great for signing up to a service, as it returns the user's basic profile information such as name and verified email address, which help bootstrap new accounts. Passkeys are great for streamlining users' reauthentication.