User authentication with passkeys

Passkeys are a safer and more convenient replacement for passwords. With passkeys, users can sign in to apps and websites using biometrics (such as a fingerprint or facial recognition), PIN, or pattern. This provides a seamless sign-in experience, freeing your users from having to remember usernames or passwords.

Key points

Keep in mind the following considerations when using passkeys:

  • Introduce passkeys at the right moment to help users stay engaged and adopt this new sign-in method.
  • Make passkeys the default option to help users adopt the simplest and safest sign-in method.
  • Keep information about passkeys consistent throughout the product to help users learn about passkeys.
  • Use the passkey icon to create a consistent understanding and login experience.
  • Use the Credential Manager API to implement passkeys in your app.
  • Use Credential Manager API to consolidate sign-in options (passkeys, passwords, and federated sign-in solutions). There is no need to list all sign-in options up front.
  • Give your users an opportunity to create a passkey after sign-in with a password or other options.

Get Started

Account creation and login can be a major source of confusion and app abandonment. Provide a simple and cohesive authentication experience for your users. Credential Manager is a Jetpack API that supports multiple sign-in methods, such as username and password, passkeys, and federated sign-in solutions such as Sign in with Google, in a single API. This unifies the sign-in interface across authentication methods, making it clearer and easier for users to sign in to apps, regardless of the method they choose.

Your app's authentication and account management user flows can include passkeys for a simpler and more secure experience.

Authentication flows typically consist of the following elements:

  • Login screen
  • Sign-up screens
  • Account recovery
  • Account settings

Create these screens so that your users can create an account and log in to it.

Use progressive disclosure for account creation, and divide the flow into multiple steps. Create steps no smaller than two to three items per screen, since users are more likely to abandon sign-up with too many steps. Minimize the amount of information you gather during sign-up. Be mindful of your users' privacy by allowing them to optionally fill in information later. When creating an account with a password, avoid overly complicated password requirements.

Credential Manager API provides the passkey UI, as bottom sheet components, for multiple passkey and sign-in options.

Support passkey

Learn more about how to support Credential Manager in your app to sign up users.

Use Google’s passkey icon to create a unified user experience for passkeys on Android. This makes it easier for users to recognize the new sign-in method and helps to increase adoption. For consistent use and to optimize for readability, we’re limiting the use to the filled version. For more information about using the icon in your products, see Material icon.

Icon in light theme

Icon in dark theme

You can download the passkey icon directly from Google Fonts.

Passkey user journeys

In your app, passkeys should account for the following user experiences.

Create and save a passkey

We recommend promoting passkeys in the following ways:

  • For new accounts, promote passkeys during account creation.
  • For existing accounts, promote passkeys during account recovery and after signing in.
  • Promote passkeys in the account settings, as users are already in the account management mindset.

When prompting passkey creation, ensure that the prompt content is consistent across all surfaces of the product.

The account creation moment

When users are creating a new account, they are already thinking about how they will sign in to that account in the future. This is a good opportunity to introduce them to passkeys and explain how they can use passkeys to sign in faster.

Make passkeys the default option for account creation

When users create a new account, make passkeys the default option over passwords. However, offer users a fallback option if they dismiss the passkey creation screen. This helps users who want to use another sign-in option to still create an account. For first-time users, Credential Manager displays a passkey education screen. To help them learn more, consider adding a link to learn more about passkeys on either the sign-up screen or fallback screen.

Do: Make passkeys the primary way for users to sign up.

Do: Provide users with a way to sign in without creating a passkey if they dismiss the passkey creation screen. On the fallback option page, continuously display the passkey option in case of error or accidental dismissal.

Don't: List all sign-up options together.

Do: Make the prompt content concise to give key benefits of passkeys. Provide a button or link that users can use to learn more.

Communicate to users the status of account and passkey creation

Keep users informed about what's going on during account creation. This increases user confidence in passkeys and the product as a whole.

Do: Display a confirmation message to let users know their passkey creation has been successful.

Don't: Skip a confirmation message after passkey creation.

The account recovery moment

Users who have tried to recover their accounts using their old password and failed may be more likely to adopt passkeys.

Prompt users to create a passkey when they reset their password

Encourage users to create a passkey when they try to reset their password. Consider prompting users to create a passkey for other account recovery use cases.

Explain to users the benefits of passkeys in the account recovery screen. Include the passkey icon to increase familiarity with the method throughout the passkey creation flow.

Prompt users to create a passkey at the end of password reset as users may find it time-consuming to create and save a new password.

Guide users on how to fix a problem with their passkey

When users request help to fix a problem with their passkey, add troubleshooting steps or link to our help center article.

Add a button or link that users can use to find tips or troubleshoot problems with their passkey.

The moment immediately after signing in

Users may have difficulty remembering their passwords when signing in. Help them save time and frustration by encouraging them to create a passkey immediately after signing in with a password or other options.

Display a passkey prompt immediately after signing in with a password or other options.

The account management moment

For existing accounts with passwords or other sign-in methods, display a passkey prompt in the account settings to help users upgrade to a passkey. Ensure that the user is not creating duplicate passkeys for the same username in the same password manager.

Sign in with a saved credential

Users can initiate a sign-in flow by tapping a sign-in button. The Credential Manager's account selector then appears. Users can select an account to sign in with, and then unlock the screen to verify. If they don't have a saved credential or don't want to select one, they can dismiss the account selector and sign in by typing a password or using other traditional sign-in methods.

Unified sign-in

Credential Manager brings together passkeys and traditional sign-in methods such as passwords and "Sign in with Google". On devices with Android 13 or lower, passkeys and passwords are saved and retrieved from Google Password Manager. That way, if a user loses their Android-powered device, they can always restore their passkeys on another Android-powered device by signing in with their Google Account. On Android 14 and higher, we support all enabled credential providers on a given user's device for storage and retrieval of credentials. The Android system aggregates credentials from different providers, and presents them to the users in a bottom sheet.

  1. One account from Google Password Manager
  2. Three accounts from multiple providers

Do: Combine all supported sign-in methods when interacting with the Credential Manager.

Don't: Display a separate button or link to trigger each of the supported sign-in methods.

Simple experience with consolidated sign-in methods

Credential Manager makes the sign-in experience simpler by consolidating the sign-in methods for each account and surfacing the safest and simplest authentication method. For example, if the user has both a password and a passkey for their account, the system proposes using the passkey, the safest and simplest option.

Our users may use multiple password managers to sign in to apps, which means they might have multiple saved passkeys under the same username for the same service. In this case, we organize them by last-used time and display one in the sign-in screen. However, if the user prefers to use a different method, they can tap on "Sign-in options" in the sign-in screen to choose an alternative option.

Manage saved credentials in the app's settings

  1. Before creating a passkey
  2. After creating one passkey
  3. After creating multiple passkeys

Make passkey information simple to scan and understand

Unlike passwords, which are tangible combinations of letters, numbers, and symbols, passkeys are largely invisible to people. To help users understand which passkey is being referenced in a settings UI, it is important to display meaningful content about a single passkey, such as the passkey icon, device name, last time used, and buttons to manage it.

Do: Offer an ability to revoke a passkey.

Don't: Use the term remove when removing a passkey. Use revoke, as the private half of the passkey may not be deleted during the revocation process.

Provide an email or phone fallback to help users recover their account if revoking a passkey leaves them without any sign-in method for this service.

Consider displaying the passkey prompt again if users revoke all of their passkeys.
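
One way a relying-party server could back two of the rules above: no duplicate passkeys for the same username (the account management moment), and revoking without leaving the user locked out (settings). This is an added example, not code from the original page or from Credential Manager; the Account and Passkey records and both function names are hypothetical, and refusing to revoke the last passkey until a fallback exists is a design choice of this example.

```python
import base64
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

def b64url(raw: bytes) -> str:
    """WebAuthn JSON carries binary fields as unpadded base64url."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

@dataclass
class Passkey:  # what the settings screen lists per passkey
    credential_id: bytes
    device_name: str
    last_used: datetime = field(default_factory=lambda: datetime.now(timezone.utc))

@dataclass
class Account:  # hypothetical in-memory record, not a real schema
    user_id: bytes
    username: str
    passkeys: list = field(default_factory=list)
    has_password: bool = False
    recovery_contact: str = ""  # email or phone fallback

def creation_options(account: Account, rp_id: str, rp_name: str) -> dict:
    """Build the registration request. Listing the account's known credential
    IDs in excludeCredentials makes a provider that already holds one of them
    refuse to create a second passkey for the same user."""
    return {
        "challenge": b64url(secrets.token_bytes(32)),
        "rp": {"id": rp_id, "name": rp_name},
        "user": {"id": b64url(account.user_id), "name": account.username,
                 "displayName": account.username},
        "pubKeyCredParams": [{"type": "public-key", "alg": -7},
                             {"type": "public-key", "alg": -257}],
        "excludeCredentials": [{"type": "public-key", "id": b64url(p.credential_id)}
                               for p in account.passkeys],
        "authenticatorSelection": {"residentKey": "required"},
    }

def revoke_passkey(account: Account, credential_id: bytes) -> dict:
    """Revoking deletes the server's record, so the credential stops working
    even though the private half may still exist on the user's device."""
    remaining = [p for p in account.passkeys if p.credential_id != credential_id]
    if len(remaining) == len(account.passkeys):
        raise KeyError("unknown credential ID")
    if not remaining and not account.has_password and not account.recovery_contact:
        # Design choice in this example: ask for a fallback first, avoid lockout.
        raise PermissionError("add an email or phone fallback before revoking")
    account.passkeys = remaining
    return {"remaining": len(remaining), "prompt_passkey_again": not remaining}
```

The dictionary from creation_options is what the app would serialize to JSON and hand to Credential Manager when creating the passkey; the prompt_passkey_again flag maps to re-displaying the passkey prompt once every passkey has been revoked.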