Beyond the password: Google Workspace brings a major security innovation to customers with passkeys

Passwords have been used with computers for over 60 years, but, today, they’re simply no longer sufficient in keeping users’ and organizations’ data safe. Phishing attacks continue to grow in their scale and sophistication by taking advantage of security weaknesses in passwords. For example:

• Over 60% of data breaches in 2021 involved stolen credentials or phishing
• Data breaches caused by phishing cost organizations $4.91 million on average in 2022
• Phishing attacks grew 61% in 2022, reaching 255 million in a six-month period

Over the past decade Google has been at the forefront of the battle against phishing and password-related threats, including with our automated defenses powered by Google AI. We championed the development of physical security keys and their standardization under the FIDO Alliance. As a generally simpler and more secure alternative to passwords, passkeys represent the culmination of this work to bring phishing-resistant technology to billions of people worldwide. In early May, we made passkeys available as an additional sign-in option for personal Google Accounts. Starting today, in an open Beta, more than 9 million organizations can allow their users to sign in to Google Workspace and Google Cloud accounts using passkeys instead of passwords.

Passkeys introduce meaningful security and usability benefits to users, and we’re thrilled to be the first major public cloud provider to bring this technology to our customers — from small businesses and large enterprises to schools and governments. While users can still continue using passwords to sign in to their work and personal Google Accounts, passkeys can offer a simpler and more secure alternative and can reduce the impact of phishing and other social engineering attacks.

What are passkeys?

Passkeys are a new, passwordless sign-in method that can offer a convenient and secure authentication experience across websites and apps, allowing users to sign in with a fingerprint, face recognition, or other screen-lock mechanism across phones, laptops, or desktops. Passkeys are based on an industry standard and available across popular browsers and operating systems that people use every day, including Android, ChromeOS, iOS, macOS, and Windows. Unlike passwords, passkeys don’t need to be remembered or typed and cannot be written down or accidentally given to an adversary. Passkeys are simply easier to use. In fact, Google early data (March – April 2023) has shown that passkeys are 2x faster and 4x less error prone than passwords. 

Passkeys are based on the same public key cryptographic protocols that underpin physical security keys, such as the Titan Security Key, and therefore can be resistant to phishing and other online attacks. In fact, Google research has shown that security keys provide a stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication (2FA). Phishing-resistance of passkeys is why users who are at high risk of targeted attacks and enrolled in the Advanced Protection Program can now use passkeys in addition to physical security keys.

Snap Inc. has already leveraged passkeys to help reduce the burden of password management and strengthen security for their employees: “Partnering with the Google Workspace team to move from passwords to passkeys reduces the risk of password leakage and account takeovers of our employees,” said Jim Higgins, CISO, Snap Inc. “Our Corporate Security team is deepening our security partnership with Google and is excited to expand the adoption of passkeys across our company to provide a more secure and convenient sign-in experience.”

Passkeys have also been designed with user privacy in mind. When a user signs in with a passkey to their Workspace apps, such as a Gmail or Google Drive, the passkey can confirm that a user has access to their device and can unlock it with a fingerprint, face recognition, or other screen-lock mechanism. The user’s biometric data is never sent to Google’s servers or other websites and apps. For a closer look at how passkeys work under the hood, check out our technical blog post. 

Getting started

Starting today, we are gradually enabling passkeys for users and controls for Workspace administrators over the next few weeks.

Administrators can allow users in their organizations to skip passwords at sign-in using a passkey. By default, this setting is off, which means that users can’t skip passwords during sign-in, but can still create and use passkeys as a 2-Step Verification (2SV) method. To allow users to skip passwords, administrators can follow these simple steps in the Admin console. 

To start using passkeys instead of passwords, or as a 2SV method, in Google Workspace and Google Cloud, users can visit g.co/passkeys.