Google extends passkeys to Google Workspace accounts

After making passkeys available for consumers in early May, Google is now rolling them out for Google Workspace and Google Cloud accounts.

This feature will soon be available (in open beta) for more than 9 million organizations and aims to provide users with a hassle-free sign-in experience without the need for traditional passwords.

“While users can still continue using passwords to sign in to their work and personal Google Accounts, passkeys can offer a simpler and more secure alternative and can reduce the impact of phishing and other social engineering attacks,” said Google’s Jeroen Kemperman and Shruti Kulkarni.

Why passkeys?

Passkeys offer a new method of authentication that simplifies the login process while enhancing security. Users can now sign in using their fingerprint, face recognition, or other screen-lock mechanisms on their phones, laptops, or desktops.

Passkeys do not require users to remember or type anything, eliminating the risk of forgotten, easily guessed or compromised-by-malware credentials. They also cannot be written down or accidentally shared, further enhancing security.

“Google early data (March – April 2023) has shown that passkeys are 2x faster and 4x less error prone than passwords,” researches noted.

Google reserach has also shown that passkeys provide a higher level of protection against automated bots, bulk phishing attacks, and targeted attacks compared to other traditional methods like SMS or app-based one-time passwords.

“Phishing-resistance of passkeys is why users who are at high risk of targeted attacks and enrolled in the Advanced Protection Program can now use passkeys in addition to physical security keys,” Kemperman and Kulkarni added.

Passkeys for Google Workspace

Google plans to gradually roll out passkeys for users and provide controls for Workspace administrators over the next few weeks.

“Administrators can allow users in their organizations to skip passwords at sign-in using a passkey. By default, this setting is off, which means that users can’t skip passwords during sign-in, but can still create and use passkeys as a 2-Step Verification (2SV) method,” they explained.

To protect users’ privacy and data, biometric data will never be transmitted to Google’s servers or any other websites and apps.