Over the past week, Google has been rolling out new features and capabilities aimed at making users’ desktop experience on Chrome safer, with the latest step extending the ability to save passkeys across multiple devices.
Until now, Chrome web users could only save passkeys to Google Password Manager on Android and use them on other devices by scanning a QR code using their Android device.
However, now they can save passkeys to Google Password Manager from devices running Windows, macOS, Linux, and Android. ChromeOS support is now available for testing in beta and iOS support is coming soon, according to Chirag Desai, product manager for Chrome.
This is being done via Google’s new Password Manager PIN, which Desai wrote ensures that passkeys are end-to-end encrypted and can’t be accessed by anyone else – including Google.
“Once they’re saved, they’ll automatically sync across your devices, making signing in as easy as scanning your fingerprint,” he wrote in a blog post.
Passkeys are becoming an increasingly popular alternative to passwords for authenticating identity. Vendors like Google, Microsoft, and Apple have joined with the Fast Identity Online (FIDO) Alliance in pushing to phase out notoriously insecure passwords – which can be easily brute-forced by hackers and are difficult for users to remember – in favor of other authentication methods, including passkeys.
Users can sign into applications and websites using passkeys through biometric methods – such as fingerprints or face scans – or a lock screen PIN, which for Google is a six-number code. According to a survey late last year by FIDO and LastPass, 89% of IT decision-makers surveyed said that their organizations will use passwords for fewer than 25% of logins within five years and 92% have plans in place to adopt passwordless technologies more broadly.
Passwords won’t disappear. There are too many applications and sites that will continue using them. That said, it’s likely their use will decline.
“When you start using passkeys on a new device, you’ll need to know either your Google Password Manager PIN, or the screen lock for your Android device,” Desai wrote. “These recovery factors will allow you to securely access your saved passkeys and sync new ones across your computers and Android devices.”
He noted that a growing number of websites and applications, such as Google, Amazon, PayPal, and WhatsApp, already support passkeys and that Google’s new Password Manager PIN will make it easier for Chrome users to embrace them.
The new capability is the most recent move by Google to harden security around Chrome. Earlier this week, Google said it will upgrade its post-quantum cryptography standard with the upcoming release of Chrome 131 expected in early November.
The National Institute of Standards and Technology (NIST) two years ago selected four post-quantum encryption algorithms for standardization and a year later released three of them. Google adopted one of them and earlier this year enabled the latest version, a hybrid version of post-quantum encryption that included the pre-quantum X25519 algorithm and the post-quantum Kyber algorithm for TLS, on all Chrome desktop platforms starting with Chrome 124. NIST’s standardization of Kyber wasn’t yet completed.
In August, NIST rolled out the first three standards, including one – ML-KEM – that Google is now switching to. According to Google, NIST has since standardized Kyber with minor technical changes and renamed it the Module Lattice Key Encapsulation Mechanism, or ML-KEM. It’s in Google’s BoringSSL cryptography library, so services that use the library can deploy the standard.
The minor technical changes made ML-KEM incompatible with the Kyber version Google had adopted, thus necessitating the switch. The Chrome team at Google wrote in a blog post that it made no sense to support both at the same time, given that Kyber was experimental and that the post-quantum cryptography space is “too big” – pointing to a column by Google product manager David Adrian – to offer two post-quantum key share predictions at the same time.
“We do not want to regress any clients’ post-quantum security, so we are waiting until Chrome 131 to make this change so that server operators have a chance to update their implementations,” the team wrote.
The rush to post-quantum encryption now stems from the concern that once quantum computers come into broad use years from now, they will be able to easily crack current encryption codes. Another worry is that hackers can steal encrypted web traffic now and store it until they can use quantum systems to break the code.
The day before announcing the switch to ML-KEM, Google unveiled new safety features in Chrome to protect users from threats and give them more control over their data. They include a revamped Safety Check feature that now runs automatically on Chrome in the background and can protect users against abusive notifications by automatically revoking notification permissions from sites that Google’s Safe Browsing feature says are deceiving users into giving the permission.
Safety Check also will inform users of actions it takes, from revoking permissions from sites they don’t visit anymore to flagging possibly unwanted notifications.
In addition, users with Pixel devices – and soon, other Android devices – will be able to tap an “unsubscribe” button to stop receiving notifications from sites, a capability that Andrew Kamau, a Chrome product manager, wrote in a blog post has reduced the volume of notifications on supported Pixel devices by 30%.
Another feature lets Chrome users on Android and desktop give one-time permissions – such as access to their camera or mic – to a site.
“Once you leave the site, Chrome will revoke the permissions,” Kamau wrote, adding that it enhances online privacy. “The site won’t be able to use those permissions until you explicitly grant them again.”