In June 2023 Google started rolling out the use of passkeys in Google Workspace as a simpler and safer alternative to passwords when signing into Google Accounts.
But what are Passkeys?
Passkeys are a simple and secure alternative to passwords. With a passkey, you sign into accounts with your fingerprint, face scan, or device screen lock, like a PIN, rather than with a password. Essentially, every time you unlock your phone with your fingerprint, or use face scan to unlock your laptop, you’re using a form of passkey to get access to that device.
By allowing for the use of passkeys in Google Workspace, Google is hoping to increase security of access to Google accounts – something that all small businesses should be aware of given the average cost per cybercrime reported to the ACSC rose to over $39,000 for small businesses In the 2021-2022 financial year.
Why use passkeys rather than passwords?
Well firstly, passwords themselves are not viewed as a good cybersecurity measure anymore given how easily they can be cracked by today’s sophisticated technology.
The Australian Cyber Security Centre recommends instead the use of passphrases – essentially four or more random words which are easy for humans to remember but difficult for computers to crack. Passphrases are most effective when they’re
- used with multi-factor authentication (sometimes called 2-step authentication)
- unique – not a famous phrase or lyric and not re-used
- longer – phrases are generally longer than words
- complex – naturally occurring in a sentence with uppercase, symbols and punctuation.
An example of a passphrase might be RunningMoldyBeachShores – something that’s fairly easy to remember but will take 438 years to crack apparently!
Secondly, even passphrases are only as good as the humans that use them and the technology that we use to remember them. Storing passphrases in a password manager may seem like a great idea… until that password management system is hacked.
Or of course, if you’re using the same passphrase for every site and one site gets hacked or sharing your passphrase with other people then that passphrase is also going to be pretty useless.
Hence why Google (and other large IT companies like Apple and Microsoft) are supporting the use of passkeys – unlike passwords or passphrases, they can’t be written down or shared with other people and they work with all major platforms and devices.
Using passkeys in your small business Google Workspace setup
Although Google originally only rolled out passkeys for personal use, they are now trialling them as an alternative to entering a password when logging into Google Workspace or as a type of multi-factor authentication.
There’s two steps to setting up the use of passkeys in this way:
- Turning the feature on in Admin Console
- Ensuring your users add a passkey to their Google account.
Turning the feature on
- Log into your Google Admin console (at admin.google.com)
- Go to Menu > Security > Authentication > Passwordless.
- Click Skip passwords.
- If you want to allow users to skip password challenges, check the Allow users to skip passwords at sign-in by using passkeys box.
- Click Save.
Telling users
Once the feature has been enabled users need to go to http://g.co/passkeys to create a passkey. They should also be provided with this support article on how to sign in with a passkey rather than a password.
If they don’t set up a passkey after the feature has been turned on, then they’ll still be able to log into Google Workspace but obviously the benefits of using a passkey will not be present in that case! So it’s strongly recommended that all users move to a passkey system as soon as possible.
Using it for real
Once the feature has been enabled and a user (including you as the Administrator!) has set up a passkey, you’ll see this type of screen after entering your username:
Once the user clicks on Continue they’ll be given the option to verify their passkey and from there, they’ll sign directly into Google Workspace.
Want more personalised help?
I hope this article was of assistance to you, but if you want more personalised help with your Google Workspace issue then why not get in touch?
One reply on “Improve your Google Workspace security with passkeys”
[…] setting up either Google Prompts or the Google Authenticator (though at the moment I am using Passkeys in my own MFA […]