
Implementing Passwordless Login with Google Workspace


What is Google Passkey Login?

Google has recently released Passkey authentication in Open Beta for Google Workspace accounts. This feature strengthens protection against threats such as phishing attacks while also making it more convenient to log in. Enrolled users enter their Google account email address and are prompted to complete authentication on a device registered to their account as a Passkey.

Sign-in prompt with passwordless authentication.


Advantages over passwords, and using password authentication when needed

Passkey authentication is the first step toward passwordless authentication with Google Workspace accounts. Once enabled, Google users can sign in to accounts with a face scan, fingerprint, PIN or the device screen lock on the Passkey device. Enabling passwordless authentication does not remove the password authentication method. A major advantage of Passkey authentication is that, except in certain circumstances, users will not need to remember their account password or even copy and paste it from a password manager. If a Passkey device is lost, or is inaccessible where sign-in needs to occur, the user can click the ‘Try Another Way’ option to fall back to the password and 2-step verification method. This option is useful in cases such as signing into a Google account on a virtual machine or a remote device.

Another way for admins to think about this feature: once a user enrolls a Passkey to their Google Account, a prompt is sent to the enrolled device each time the user needs to authenticate to Google Workspace. As a prerequisite of being a passkey, the enrolled device must be secured with a password or another type of screen lock. The user can access their account if they have the passkey device in their possession and can unlock it with the configured screen lock mechanism. This offsets the need to enter the Google account password, because a second-factor device is used as the passkey and the user must secure that device with a screen lock before passwordless login can be used.

As of the time of writing, Passkey authentication is not an option when adding a Google account to a mobile device, and depending on your operating system and browser, passkeys may not be usable in private browsing modes (incognito mode or equivalent).

Try Another Way prompt to sign in with a password and 2-step verification.


Requirements:

  1. Admins must allow skipping passwords at sign-in via Admin Console control.
  2. Google Workspace accounts must use Google as the identity provider. Google Passkey Authentication does not apply when users sign in with a third-party identity provider.
  3. Users’ computers and mobile devices need a supported browser such as:
    • Chrome 109 or up
    • Safari 16 or up
    • Edge 109 or up
  4. Passkeys can be created on these devices:
    • A laptop or desktop that runs at least Windows 10, macOS Ventura, or ChromeOS 109
    • A mobile device that runs at least iOS 16 or Android 9
    • A hardware security key that supports the FIDO2 protocol
  5. To create and use a Passkey, a device must have a screen lock enabled, as well as Bluetooth if you want to use a passkey on a mobile device to sign in on another computer.
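
The following added example, which is not part of the original post or any Google tooling, checks a device inventory against the minimums in the list above before a rollout. The inventory records, field names and function names are assumptions made for illustration; because the browser list says "such as", anything outside it is flagged for a manual check instead of being rejected.

```python
# Added example. Minimums come from the requirements list above; the inventory
# records and their field names are constructed for illustration.
MIN_BROWSER = {"chrome": 109, "safari": 16, "edge": 109}
MIN_OS = {"windows": 10, "macos": 13, "chromeos": 109, "ios": 16, "android": 9}  # Ventura = 13
MOBILE = {"ios", "android"}

INVENTORY = [  # constructed sample data
    {"host": "lt-001", "os": "macOS", "os_version": "13.4", "browser": "Chrome",
     "browser_version": "114.0.5735.90", "screen_lock": True},
    {"host": "lt-002", "os": "Windows", "os_version": "10.0.19045", "browser": "Edge",
     "browser_version": "108.0.1462.54", "screen_lock": True},
    {"host": "ph-003", "os": "Android", "os_version": "8.1", "browser": "Chrome",
     "browser_version": "112.0.5615.48", "screen_lock": False,
     "cross_device": True, "bluetooth": False},
]

def major(version):
    """Leading integer of a dotted version string, or None if it cannot be parsed."""
    head = str(version).strip().split(".")[0]
    return int(head) if head.isdigit() else None

def below_minimum(kind, name, version, minimums):
    """Return a gap message if name/version misses the listed minimum, else None."""
    if name not in minimums:
        return f"{kind} '{name or 'unknown'}' is not in the listed minimums; check manually"
    found = major(version)
    if found is None or found < minimums[name]:
        return f"{kind} {name} {version or '?'} is below {minimums[name]}"
    return None

def passkey_gaps(device):
    """List unmet passkey requirements for one device; empty means ready."""
    os_name = device.get("os", "").lower()
    gaps = [
        below_minimum("OS", os_name, device.get("os_version", ""), MIN_OS),
        below_minimum("browser", device.get("browser", "").lower(),
                      device.get("browser_version", ""), MIN_BROWSER),
    ]
    if not device.get("screen_lock"):
        gaps.append("screen lock is not enabled")
    # Bluetooth is needed only when a phone's passkey signs in on another computer.
    if os_name in MOBILE and device.get("cross_device") and not device.get("bluetooth"):
        gaps.append("Bluetooth is off; passkey cannot be used on another computer")
    return [g for g in gaps if g]

def readiness_report(inventory):
    """Map each host to its list of gaps."""
    return {d["host"]: passkey_gaps(d) for d in inventory}
```

Calling `readiness_report(INVENTORY)` returns an empty list for each host that meets every listed requirement and a list of gap messages for the rest.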

How to enable the feature and enroll passkeys

Google Workspace Admins must enable the Passwordless authentication feature in the Google Workspace Admin Console, either by organizational unit (OU) or by group. There will be a short propagation time between allowing this authentication mechanism to be used and when users will see the option to enable passwordless sign-in.

Passwordless (Beta) Admin Console Controls.

Once passwordless authentication is enabled via the admin console, users can navigate to https://g.co/passkeys to view, create and remove Passkeys from their accounts. As a general security measure, passkeys should only be created on non-shared devices, because anyone who can unlock the passkey device will be able to log in to the Google accounts associated with the device. Passkey login cannot be enforced at this time, but it can be made available to users as an option to access their Google account.

View and edit passkeys on your Google Account

Once a Passkey is enrolled, users opt into the passkey-first, password-less sign-in experience. There is a user-level control at https://myaccount.google.com/security to choose to skip password authentication when possible, and sign in with just a passkey or device prompt.

Toggle for skipping password when possible


Conclusion

The new passwordless authentication control for Google accounts is now available in open beta for both personal and corporate Google accounts. Enabling this feature can increase account security and streamline the sign-in experience. Google is one of many cloud service providers offering this type of authentication; other cloud service providers that have implemented passwordless login are listed at https://passkeys.directory/ (maintained by 1Password.com).
