Summary
- Google’s Credential Manager is an API that’s supposed to simplify logins and enable passkey support on Android.
- The Credential Manager automatically detects if multiple sign-in options are available for the same account and prioritizes the most convenient one for the user.
- Third-party password managers can also hook into the API to make their passkeys available for use.
Passkeys are the latest step forward when it comes to protecting your precious data. They’re meant to replace passwords and two-factor authentication, all in one. However, with so many different authentication options available these days, it gets harder to remember which method you’re using to sign in to which service. Google is looking to combat this problem on Android with its new Credential Manager, an API developers can use to automatically guide you to the right login method in their apps.
The Credential Manager has been available in testing for about a year, and Google is now bringing it to the masses starting November 1, 2023. As the Credential Manager rolls out across devices, developers will be able to rely on it to guide you through the login process. Along the way, the Credential Manager also enables simple and standardized support for passkeys in Android apps. Some popular services like WhatsApp and Uber are already using Credential Manager.
The Credential Manager will automatically notice if you’re using multiple sign-in options for the same account (think a password, a passkey, and the “Sign in with Google” option) and pick the most convenient one for you, without forcing you to dig through multiple options for a single account. Instead, it prioritizes listing the different accounts you might have with a given service, making it simple to switch between your personal account and your family account, for example.
If you use Google Password Manager, the Credential Manager interface with its card that slides out from the bottom should be familiar. However, Credential Manager also allows all the best third-party password managers to hook into the interface. It even works when you use more than one.
Google showcases an example where someone uses 1Password for their personal logins and Enpass for their school logins, with passkeys from both services automatically displayed alongside each other. This is a big step ahead compared to the legacy autofill option, which forces you to pick a single default service.
Apart from eliminating the need to come up with and remember passwords for different services, passkeys are also more resistant to phishing attacks. A passkey only works on the website address it was configured for (think google.com but not googlc.com). In contrast to a password, the secret part of a passkey is also never shared with the website you’re logging in to. Instead, the website holds only a public key, and public-key cryptography is used to confirm that your private, secret passkey matches it.
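The checks behind that phishing resistance can be sketched in a few lines. This is an added example, not code from Google or the article: a simplified model of a WebAuthn sign-in in Node.js, with a constructed key pair and challenge and hypothetical function names.

```javascript
// Added example with constructed data; a simplified model of a WebAuthn assertion.
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Registration: the private key stays on the device, the site stores only the public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Device side. The browser, not the page, fills in `origin`, and the RP ID is hashed
// into the signed data, so a signature is tied to the site that asked for it.
function signAssertion(origin, rpId, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // rpIdHash (32 bytes) | flags (user present + verified) | signature counter
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signature = crypto.sign('sha256',
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Website side: returns 'ok' or the name of the first check that failed.
function verifyAssertion(assertion, expected) {
  const client = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== expected.origin) return 'origin mismatch';
  if (!assertion.authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return 'rpId mismatch';
  const signed = Buffer.concat([assertion.authenticatorData, sha256(assertion.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, assertion.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const challenge = crypto.randomBytes(32);
  const expected = { origin: 'https://google.com', rpId: 'google.com', challenge };
  const genuine = signAssertion('https://google.com', 'google.com', challenge);
  // Look-alike page relaying the real challenge: the browser records the look-alike origin.
  const lookalike = signAssertion('https://googlc.com', 'googlc.com', challenge);
  // Rewriting the recorded origin and RP ID hash afterwards invalidates the signature.
  const rewritten = { ...lookalike, clientDataJSON: genuine.clientDataJSON,
    authenticatorData: genuine.authenticatorData };
  return { genuine: verifyAssertion(genuine, expected),
    lookalike: verifyAssertion(lookalike, expected),
    rewritten: verifyAssertion(rewritten, expected),
    replayed: verifyAssertion(genuine, { ...expected, challenge: crypto.randomBytes(32) }) };
}
console.log(demo());
```

Only the sign-in performed on the genuine origin with the current challenge verifies; the website never sees the private key at any point.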
On top of this, studies consistently show that passkey sign-ins are less prone to error. Google cites password manager Dashlane, which sees a 92% success rate when logging in with a passkey, compared with only 54% when attempting to autofill a password.