Passkeys give users a simple and secure way to sign in to Apple and authenticate without passwords. Gemini in this first phase of development only supports passkeys as a way to authenticate, and can be used in place of another two-factor authentication method.
What are passkeys: if you want the technical details
At a technical level, a passkey is an asymmetric keypair, stored securely on the device's Secure Enclave, and is never exposed to an application process via a strictly minimal API.
Passkeys are expected to be used in conjunction with a backend supporting the Webauthn protocol. A backend server provides a challenge, the mobile app signs the challenge with its private key, and then the backend server is able to verify the signature using a previously registered public key.
Passkeys can also be used to authenticate across platforms. A user can begin to authenticate with a web browser that doesn't actually have a valid keypair. It can prompt the user to either insert a USB key or use a QR code. The QR code is used to establish an encrypted connection with a user’s mobile device. This is called CTAP2. It allows the user’s device to securely sign the challenge and then relay it back to the server. This allows you to authenticate through a device you may not be comfortable exposing your password to.
Why should I use passkeys?
Passkeys keep your account safe and secure more so than other authentication methods by reducing fraud and account takeover scenarios. Accounts registered with passkeys are not phish-able, and are inherently more secure than other 2FA mechanisms we have of email or phone verification. The private key is never exposed, not even to the app.
How do I opt-in?
Opt-into passkeys by navigating to your Account Settings > Security on web or mobile and locate “passkeys.” From there, you can easily create a passkey for 2FA use during login and withdrawal flows.
What if I’m an Android user?
Passkeys are only available for web platforms and iOS mobile devices. Google is actively working on their own solution for the Android operating system, and once that is available Gemini will expand the use of passkeys across all platforms.
How do I authenticate using passkeys?
Once you are opted-into passkeys, it will become your default 2-factor authentication method across both web and mobile for all relevant flows i.e. login and withdrawals.
Passkeys that are created on a given device will simply require biometric authentication for 2FA use. If you are using passkeys to authenticate on a non-primary device where the passkey isn’t directly stored, the device will prompt a QR code to connect to the primary device. For example, if you set up passkeys on your phone, and then login on your computer, you will be prompted to scan a QR code from the web experience. Open up the camera app on your phone to scan the QR code, and follow the instructions to finish authentication.
Am I eligible?
All Gemini operational countries are eligible for Passkey usage at time of launch. Per above, if you are and Android user, passkeys aren’t currently available for use on those devices.
Upcoming improvements to Passkeys on Gemini
In the coming months, Gemini will expand passkeys use for login as well as authentication. On iOS devices, once enabling passkeys, users will be able to simply rely on biometric methods of auth (Face ID or Touch ID) to gain access to Gemini web and iOS mobile app.
This improvement will allow users to login without user or password credentials, alleviating a common pain point when customers forget their passwords or just don’t want to have to type in a long user password.
Additionally, as soon as passkey parity is achieved by Google, Gemini will also work to support their solution so users are covered across devices and platforms.