Passkeys are created on, saved to, and synchronized across devices through a password manager. For example, passkeys created on a website on Chrome on Android are stored to the Google Password Manager by default, and then synchronized to different environments where Google Password Manager is available, such as Chrome on macOS, Windows, Linux and ChromeOS. The user can choose which password manager to store a passkey to or to authenticate a passkey from depending on the environment. The user's password manager is opaque to the RP (relying party) until a credential is returned.
Google Password Manager
Google Password Manager stores, serves and synchronizes passkeys on Android and Chrome. Google Password Manager is enabled by default as a passkey provider on Android and available for all apps including Chrome and other browsers. Chrome on desktop operating systems (Windows, macOS, Linux and ChromeOS) comes with Google Password Manager support as well.
When a user creates a passkey with Google Password Manager, it's synchronized and end-to-end encrypted. If the first passkey for Google Password Manager is created on desktop, Chrome asks to create a Google Password Manager PIN and it will be used. The user needs to sign in to their Google Account and enter their Android device screen lock or Google Password Manager PIN to decrypt a synced passkey on a new environment.
Passkey support on Android
Credential Manager
Android apps support passkeys through the Credential Manager Jetpack library. Credential Manager handles different credential types such as passkeys, passwords and identity federation. Passkeys are supported on devices that run Android 9 (API level 28) or higher. Passwords and Sign in with Google are supported starting with Android 4.4.
On many devices, Credential Manager stores passkeys to Google Password Manager by default. Users can choose other password managers as its passkey providers in the System Settings on Android 14 or higher.
The user can choose to sign in using a passkey stored on another device. For example, when a passkey is stored on an iPhone and the user is trying to sign in on an Android app that doesn't have a passkey on it, the user can choose to "use a different phone or tablet" to show a QR code on the Android device, then scan it using the iPhone and authenticate cross-device.
Passkey support on Chrome
Chrome on Android, macOS, Windows, Linux and ChromeOS (still in beta) stores passkeys to Google Password Manager. Chrome on iOS or iPadOS stores passkeys to iCloud Keychain by default. On authentication, Chrome suggests signing in with a passkey stored to one of password managers available on Chrome.
Chrome on all platforms supports cross-device authentication. To use a passkey from your Android or iOS device, select the appropriate option when asked. To learn more about cross-device authentication user experience, read Sign-in with a phone.
Android | macOS | iOS/iPadOS | Windows | Linux | ChromeOS | |
---|---|---|---|---|---|---|
Google Password Manager | 1 | 2 | ||||
Cross-device authentication |
Android
Chrome on Android OS 9 or higher supports passkeys. Passkeys generated in Chrome on Android are stored in the Google Password Manager. Google Password Manager syncs passkeys and makes them available on other platforms as well.
On Android 14 or higher, passkeys on Chrome on Android can be created and stored in any password manager that's selected in the System Settings as a passkeys provider.
iOS / iPadOS
Chrome on iOS 16 and iPadOS 16 or higher support passkeys. Passkeys generated in Chrome on iOS and iPadOS are stored in the iCloud Keychain. iCloud Keychain syncs passkeys and makes them available on other Apple devices where the user is signed in with their Apple account.
Windows
Chrome on Windows that has TPM supports passkeys. Passkeys generated in those environments are stored in the Google Password Manager.
If the Windows device doesn't have TPM and is Windows 10 19H1 or higher, Chrome creates passkeys on Windows Hello. Windows Hello stores passkeys locally and does not synchronize them.
macOS
Chrome on macOS supports passkeys. Passkeys generated in Chrome on macOS can be stored in the Google Password Manager or in iCloud Keychain (macOS 13.5 or higher). Passkeys in iCloud Keychain are synchronized across the user's Apple devices and can be used by other browsers and apps.
Chrome on macOS can also store passkeys on Chrome profile if the user chooses to, which aren't synchronized to other environments.
Linux
Chrome on Linux supports passkeys. Passkeys generated in Chrome on Linux are stored in the Google Password Manager.
ChromeOS
Chrome on ChromeOS supports passkeys. Passkeys generated in Chrome on ChromeOS are stored in the Google Password Manager (still rolling out).