What Google Did Without Telling You
Starting in 2023, Google began automatically creating passkeys on any Android device where you were signed in. No opt-in. No announcement you would have noticed. Just a quiet background process that registered your phone as a trusted authentication device.
The result: every Android phone that ever had your Google account on it — including devices you traded in, gave away, or forgot about — got registered as a passkey device. When you try to log in from a new machine, Google offers these phantom phones as verification options. Since they are no longer in your possession or are simply off in a drawer, the "approve on your phone" prompt goes nowhere.
This is not a security breach. It is Google aggressively pushing a transition to passwordless login in a way that created real friction for millions of normal users — especially anyone with multiple devices, old Android phones, or a habit of logging in from Linux machines.
Why Linux Gets Hit the Hardest
On Windows or Mac with Chrome, Google can often verify you silently through the browser itself. On Linux, especially in Firefox or a non-Google browser, there is no such shortcut. Google falls back to its registered 2-step options — and if the top options are three old Android phones, you are stuck cycling through dead ends until you find something that works.
The "remember this device" checkbox does not help much either. Google's trusted device memory is tied to browser cookies and can expire or reset unexpectedly, especially after browser updates or cache clears. So even after you successfully log in, the next session may start the whole dance over again.
This also explains why your iPhone eventually saved you — Google's mobile app can detect a login attempt on a nearby device through its standard Google prompt system, which still works even when the passkey flow fails. It is a more reliable fallback, just not an obvious one.
The Exact Steps to Clean It Up
This takes about ten minutes and makes a meaningful difference. Do it from any device where you are already logged into Google.
Step 1 — Remove old passkeys. Go to myaccount.google.com/security and click Passkeys and security keys. You will likely see Android devices listed as "Created automatically by Android." Click each device name and delete every passkey tied to a phone you no longer use regularly. Keep your current phone if it is listed.
Step 2 — Sign out old devices. Go to myaccount.google.com/device-activity or navigate to Security → Your devices. Click each old Android phone, old session, or unknown device and choose Sign out. Pay attention to any device you do not recognize that shows recent activity (for example, one marked "48 minutes ago"): that is a device still holding a live session.
Step 3 — Remove old phones from Google prompt. Back on the Security page, click Google prompt. Remove every device that is not your current primary phone. This stops old phones from appearing as 2FA options during login.
Step 4 — Turn off Skip password when possible. On the Security page, find Skip password when possible and turn it Off. This forces Google back to a standard password prompt instead of routing you through the passkey flow. It is the single most impactful change for anyone who just wants a normal login experience.
Step 5 — Set your preferred 2-step method. Under 2-Step Verification phones, confirm your current phone number is listed. Remove any numbers that belong to old phones. Now when Google asks for a second step, it will text your actual phone — not offer you a carousel of dead Galaxies.
After these changes, logging in from Linux should behave like it did years ago: email, password, then a text message code. Boring. Reliable. Exactly what you want.
Should You Use Passkeys at All?
Passkeys are genuinely more secure than passwords in theory — they cannot be phished, they cannot be leaked in a data breach, and they do not require you to remember anything. The problem is the transition is messy, the device-dependency creates real access problems, and Google's implementation has been aggressive enough to confuse people who were perfectly happy with what they had.
If you use one device, keep it with you, and mostly access Google through Chrome — passkeys probably work fine for you. If you work across Linux, Mac, Windows, and mobile, or if you have a history of Android phones, the current passkey experience is not ready for you. Turning off "Skip password when possible" is not giving up on security. It is choosing a login flow that actually works for how you live.
It is also worth noting that just because Google turned off a visible layer does not mean your account is less protected. You still have 2-step verification. Your password is still there. The account is not weaker — just less annoying.
One More Thing Worth Checking
While you are in the security settings, it is worth reviewing Linked apps in the left sidebar. Over the years, dozens of services accumulate OAuth access to your Google account — apps you signed into once and never used again. Each one is a potential surface for a breach. Revoking access from anything unfamiliar takes thirty seconds and is a reasonable habit to get into once a year. Google's account security is a lot like a browser's stored cookies — the data accumulates quietly until it causes a problem you did not expect.