Skip to main content
Bigdogburr
BigdogburrGoogle Team
Google Team
February 12, 2026

The Secure Element Podcast - Episode #6 Passkeys

  • February 12, 2026
  • 6 replies
  • 514 views

Hey Friends,

Episode 6 of The Secure Element is live, and this month, we’re diving into Passkeys.

I sat down with Harsh Lal, Senior Software Engineer for Android Authentication at Google, and co-chair for the FIDO Alliance Financial Group, to explore what this next evolution of authentication means for both personal and enterprise security.

We dive into:

  • The password problem: Why complexity rules and password reuse create “keys to the kingdom” for attackers.
  • Hardware-backed security: How passkeys live in your device’s Secure Element, making them virtually impossible to fish or extract.
  • Enterprise readiness: Integrating passkeys with SSO providers and how to manage them.
  • Hybrid flows: Using your phone to securely unlock apps on your work laptop via encrypted proximity tunnels.

Listen to the episode here: 


Deep Dive
To learn more check out Harsh’s blog series which tracks the evolution of FIDO experiences on Android, and explores how passkeys work across devices via Hybrid transport to make passwordless authentication available everywhere.

Share your thoughts and questions - we’d love to hear how your organisation is approaching a passwordless future!

Stay secure,

Burr

 

Missed an episode? Catch up here:

    6 replies

    Lizzie
    LizzieCommunity Manager
    Community Manager
    February 13, 2026

    Thanks @Bigdogburr for a very interesting podcast - it's great to kickoff a conversation on passkeys and authentication. I feel like this is an area it would be great to speak more on. 

     

    I want to do a shout out to @Rakib for creating a topic late last year on passkeys. Your post and comments were really thoughtful and so we wanted to provide a bit more information on passkeys here in the community - so thank you.  This podcast is very much a starting discussion, and would love to hear more from you and the rest of the community on authentication, so please do share any questions you have below. 

     

    Once again, thought you might be interested in this next episode - it would be great to hear what you think and if this is an area of interest @Moombas, @Michel, @Alex_Muc, @jarmo_akkanen, @davidguill, @Mikey123456, @DenisBrentel, @xirlamaister, @italianAlexEng, @naren_malepati, @Etienne, @BenMcc, @mattdermody, @Yann_ROLAND, @Magcho, @jeremy, @Kris, @Vin2K, @jasonbayton, @NazD, @SF4, @weberda, @Flo, @Kristen, @MelkonTorosyan, @turquet, @Marcel_K_XDMT

     

    Lizzie

    Welcome to the Community everyone!
      jasonbayton
      jasonbayton
      Level: 4.1: Jelly bean
      February 13, 2026

      Thank you Mike! Insightful as ever. I've been enjoying moving many things to passkeys and hadn't given much of this a lot of thought.

        Michel
        Michel
        Level 4.0: Ice cream sandwich
        February 16, 2026

        Another interesting one, thanks @Bigdogburr

        I have to admit that I don't really use them, but thats mostly because I don't know enough about them. I really should get started with it and this video helped with a bit more background information. 

         

        People around me, enterprises and individuals, don't use them either. It's not that common yet, at least not here, I think. 

        Alex_Muc
        Alex_Muc
        Level 3.0: Honeycomb
        February 17, 2026

        Passkeys are pretty cool. The only problem is that for many people, they are not as easy to grasp and understand like a normal password. In addition, there are quite a few bigger platforms that do not yet support passkeys. This page can be useful for getting an overview:
        https://passkeys.directory/

         

        From 18:37 onwards, the video is about cross-device/hybrid flows. My first attempt with such a QR code failed immediately with a big eCommerce website an a work laptop (VPN connection to a corporate network, Proxy configured in the browser). 😅 I'm not sure if the proxy is the cause of the problem. In any case, the experience on a device without VPN/proxy was very good with the hybrid flow. 🙂

        harshlal
        harshlalGoogle Team
        Google Team
        March 10, 2026

        Glad to hear about your experience. [Industry](https://fidoalliance.org/members/) is supporting Fido alliance in a big way for passkeys work and adoption. You should start seeing passkeys at more places going forward as industry moves away from password based authentication to passkeys.

        Hybrid flow is also continuously being upgraded to bring the benefits of passkeys to everyone. Here are some more posts that might help demystifying it further:

        1. https://bughunters.google.com/blog/passkeys
        2. https://bughunters.google.com/blog/hybrid-protocol-the-JSON-upgrade
        3. https://bughunters.google.com/blog/hybrid-transport-goes-offline

        More to come in future.

          Rakib
          Rakib
          Level 3.0: Honeycomb
          March 27, 2026

          We have enabled passkeys in our company and I also use it privately. For our enterprise use, we do see a benefit with passkey and fido2 keys together with shared devices. The end user do not need to write down their user name or password, just bring your key and you are logged in. We are just missing the user experience to make that happen in real life.

            Lizzie
            LizzieCommunity Manager
            Community Manager
            March 27, 2026

            Thanks ​@Rakib, it’s great to hear this. Yeah, from seeing comments in the community and I think just speaking to friends about this, it feels like in general the idea of passkeys is a positive one, but the natural habit of creating them/using them isn’t fully there yet - even from a consumer point of view - so it’s understandable that this would be the same for enterprise. Do you think anything could help here to improve this? From both a habit/best practices point of view, to any of the Android development side too? 

            Welcome to the Community everyone!
            Rakib
            Rakib
            Level 3.0: Honeycomb
            April 8, 2026

            One thing that I mentioned in my original post is that Android starts blinking when inserting a fido2 key that supports OTP. So I want that fixed,

            AbeSummers
            AbeSummers
            Level 1.5: Cupcake
            April 10, 2026

            Just posting here as per ​@Lizzie’s suggestion. 

            Is there any update at all on NFC Compatibility for CTAP2 on Android? According to the release notes here Google System Services Release Notes - Help, CTAP2 works for NFC since January. Just do a search for "nfc" or look at Security & Privacy under January 2026.

            Except it doesn’t. I’ve tested on multiple Android Devices, all up to date. I’ve ensured the Play Services are up to date, the Security Update is up to date and the Google Play System is up to Date.

            The issue isn’t with the thing I’m authenticating against since it works all okay on iPhone for the same services. For the record, iPhone have had NFC CTAP2 for a few years now.

            I know there is the Bridge App made by Token2 but it doesn’t work for our use case since we use Entra Shared Mode on our devices and that prevents other apps from showing up in “Additional Providers”.

            Can’t use USB either since our devices are NFC only.

              Terms & ConditionsCookie settingsAccessibility statement