Passkey for Google and GitHub on desktop

Sites like Google and GitHub offer passkeys as an alternative to the traditional user name and password pair. They claim it is more secure and passwordless, but it took some searching to figure out what exactly it is, and it was not easy to set up for Google (on a desktop PC).

A passkey is a digital credential that is tied to a device. You still need a password if you want to log in from another device. With a passkey you do not need the second factor (the device you are using serves as it). For me that is a big plus.

You need a Windows Hello PIN to create a Google passkey. When I tried to create a passkey without Windows Hello, Google only said that I could not do it and gave a list of possible reasons. My desktop has no fingerprint reader and the camera is not compatible with Windows Hello, so I set up the PIN. It is called a PIN, but it may contain characters as well; I use only numbers.

When you set up a passkey, a pair of cryptographic keys (public and private) is generated. The private key is stored on your device; the public key is shared with the online service.

If you want to use your passkey, you have to identify yourself with the Windows Hello PIN (or fingerprint) before you can access your private key. So it cannot happen that someone sits down at your desktop and uses your passkey. It is therefore not completely passwordless, but you use the PIN only locally. The private key does not leave your machine (unlike a password), which is why it is said to be more secure.

With the private key, a message is encoded that says who you are, what your device is and what the time is. This message can be decoded with the public key. If everything is correct, access is granted.

You have to create a separate passkey for each device you use, but passkeys can be synced across devices in supported ecosystems, like Android or Apple. That seems to defeat the original purpose of the passkey being device specific. But sync in this case means that a new passkey is created for the new device in the background.

Here comes the tricky part: creating a Google passkey.

- Google account / Security / Passkeys and security keys / Save another way !!! / Windows Hello


If you do not select Windows Hello, then the passkey is saved to the Google account and you cannot use it to sign in to the Google account. Now you can log in to Google:

- select the passkey option / select Windows Hello / enter Windows Hello PIN

On GitHub there was no such problem, but I have two GitHub accounts and it is not obvious how to choose the correct passkey. When I press the "Sign in with a passkey" button at GitHub, I can select account1, or I can press the "Use a different passkey" button and then the "Windows Hello or external security key" button. Then account2 is used at once.

Once I set the Windows Hello PIN at 

- Settings / Accounts / Sign-in options / Windows Hello PIN

then the password filler will ask for the PIN every time. You can turn this off: Chrome / Settings / Autofill and passwords / Password manager / Settings / Use Windows Hello when filling passwords.


UPDATE

The "Save another way" option does not show up for everybody. Someone created a Google passkey and the dialog did not show up. The only option was to save to the Windows Hello PIN.
