Phishing attacks continue to grow in their scale and sophistication by taking advantage of security weaknesses in passwords. Beyond the password: Google Workspace brings a major security innovation to customers with passkeys For example:
1. Over 60% of data breaches in 2021 involved stolen credentials or phishing
2. Data breaches caused by phishing cost organizations $4.91 million on average in 2022
3. Phishing attacks grew 61% in 2022, reaching 255 million in a six-month period
Over the past decade Google has been at the forefront of the battle against phishing and password-related threats, including with our automated defenses powered by Google AI. We championed the development of physical security keys and their standardization under the FIDO Alliance. As a generally simpler and more secure alternative to passwords, passkeys represent the culmination of this work to bring phishing-resistant technology to billions of people worldwide. In early May, we made passkeys available as an additional sign-in option for personal Google Accounts. Starting today, in an open Beta, more than 9 million organizations can allow their users to sign in to Google Workspace and Google Cloud accounts using passkeys instead of passwords.
Passkeys introduce meaningful security and usability benefits to users, and we’re thrill to be the first major public cloud provider to bring this technology to our customers — from small businesses and large enterprises to schools and governments. While users can still continue using passwords to sign in to their work and personal Google Accounts, passkeys can offer a simpler and more secure alternative and can reduce the impact of phishing and other social engineering attacks.
What are passkeys?
Passkeys are a new, passwordless sign-in method that can offer a convenient and secure authentication experience across websites and apps, allowing users to sign in with a fingerprint, face recognition, or other screen-lock mechanism across phones, laptops, or desktops. Passkeys are based on an industry standard and available across popular browsers and operating systems that people use every day, including Android, ChromeOS, iOS, macOS, and Windows. Unlike passwords, passkeys don’t need to remember or type and cannot be written down or accidentally given to an adversary. Passkeys are simply easier to use.
Passkeys are based on the same public key cryptographic protocols that underpin physical security keys, such as the Titan Security Key, and therefore can be resistant to phishing and other online attacks. In fact, Google research has shown that security keys provide a stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords.
Snap Inc. has already leveraged passkeys to help reduce the burden of password management and strengthen security for their employees: “Partnering with the Google Workspace team to move from passwords to passkeys reduces the risk of password leakage and account takeovers of our employees,” said Jim Higgins, CISO, Snap Inc. “Our Corporate Security team is deepening our security partnership with Google and is excited to expand the adoption of passkeys across our company to provide a more secure and convenient sign-in experience.”
Passkeys have also been design with user privacy in mind. When a user signs in with a passkey to their Workspace apps, such as a Gmail or Google Drive, the passkey can confirm that a user has access to their device and can unlock it with a fingerprint, face recognition, or other screen-lock mechanism. The user’s biometric data is never sent to Google’s servers or other websites and apps.