General passkey questions
Who supports passkeys?
Because passkeys are based on FIDO standards, they work on Android and Chrome, along with many other popular ecosystems and browsers such as Microsoft Windows, Microsoft Edge, macOS, iOS and Safari.
See Supported environments to check our support status. Chrome on Android fully supports passkeys. For Android apps, we aim to have an initial library for passkey support available by the end of 2022.
For the current state of availability in other ecosystems, refer to their respective documentation.
Can I move synchronized passkeys from one platform provider to another?
Each device or platform may offer different experiences and controls, but a user can always register a second credential with a site and remove the first, effectively “moving” from one to the other.
Is the user's biometric information safe?
Yes. User biometric data never leaves the device and is never stored on a central server where it could be stolen in a breach.
Can a user use a passkey on their phone to sign in on a friend's device?
Yes. Users can set up a “one-time link” between their phone and someone else's device for the purposes of signing in.
For more questions, see Passkeys FAQ.
Google-specific passkey questions
What happens to the credentials created before passkeys? Can we continue using them?
Yes, on both Chrome and Android, FIDO credentials created without synchronization can still be used for authentication.
Can an RP still create device-bound credentials that are not synchronized?
Non-discoverable credentials created in Chrome on Android, or in an Android app using the Play Services APIs, keep their existing behavior and thus continue to be device-bound.
When using passkeys, the Google Password Manager supports the device public key extension. The device public key is a second, device-bound key that will not be synced and that can be used for risk analysis.
What happens if a user loses their device?
Passkeys created on Android are backed up and synced with Android devices that are signed in to the same Google Account, in the same way as passwords are backed up to the password manager.
That means users' passkeys go with them when they replace their devices. To sign in to apps on a new phone, all the user needs to do is verify themselves with their existing device's screen lock.
Is there an additional mechanism to protect stored passkeys when a user's Google account is compromised?
Yes, passkey secrets are end-to-end encrypted. In addition to access to the Google account, you also need to provide the screen lock of your old device to decrypt the passkeys.