As your organization's administrator, you can allow users to skip password sign-in challenges and instead use a passkey that covers both first- and second-factor authentication. With passkeys, your users can sign in to their managed Google Account using their phone, a security key, or their computer’s screen lock.
About passkeys
- Using a passkey requires unlocking the device with a biometric, such as a fingerprint or facial recognition, or with a PIN or pattern. The screen lock only unlocks the passkey locally and does not share biometric information with Google or other third parties.
- To allow users to skip passwords, you need to turn on skip passwords in the Google Admin console. Your users then need to turn on skip passwords and add a passkey to their account.
- Your users don’t need to be enrolled into 2-Step Verification (2SV) to use passkeys to skip passwords at sign-in.
Advantages of passkeys
- Passkeys use phishing-resistant technology and are simpler and more secure than passwords.
- To use a passkey, users can use a familiar pattern to unlock their device.
- Platforms sync passkeys using Google Accounts.
- Instead of remembering passwords for different sites, users can use passkeys.
Turn skip passwords on or off for users
To allow users to skip password challenges and use a passkey, you need to turn on skip passwords. Then, tell users to turn on skip passwords and add a passkey to their account.
If you turn this setting on for a user, the option to add a security key directly will no longer be available in their account. Their account will only permit the creation of passkeys. As a result, the only way for users to add a new security key is by creating a passkey on a security key. Any security key added through this passkey creation process that does not support passwordless sign-in can be used for 2SV only. The user needs to sign in with their password when using this key.
Before you begin: If you need to set up a department or team for this setting, go to Add an organizational unit.
- Sign in with an administrator account to the Google Admin console. If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu > Security > Authentication > Passwordless. Requires having the Security settings administrator privilege.
- Click Skip passwords.
- (Optional) To apply the setting to a department or team, at the side, select an organizational unit.
- To allow users to skip password challenges, check the Allow users to skip their password and authenticate with a passkey box.
- Click Save. Or, you might click Override for an organizational unit. To later restore the inherited value, click Inherit.
- If you turned on skip passwords, users need to turn on skip passwords and add a passkey to their account. For the steps, go to Sign in with a passkey instead of a password.
If this setting is turned off after a user turned on skip passwords and added a passkey to their account, they will no longer be able to skip a password challenge. However, they can still be prompted for a passkey to use as a second step in 2SV.
Restrict passkeys to hardware security keys (beta)
To restrict passkeys to hardware security keys only and prevent users from adding passkeys on other devices or platforms:
- Sign in with an administrator account to the Google Admin console. If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu > Security > Authentication > Passwordless. Requires having the Security settings administrator privilege.
- Click Passkey restrictions.
- Select Allow passkeys on hardware security keys only.
Important: If you choose to only allow passkeys on security keys, users with passkeys stored on other devices (like phones or computers) will not be able to use those passkeys anymore. Before enabling this setting, make sure that users have security keys enrolled. To see this in the Admin console, go to Reporting > User Reports > Security and check the status of the Security keys enrolled column.
- Click Save.
Monitor passkey usage
Supported editions for this feature: Frontline Standard and Frontline Plus; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium.
Use the security investigation tool (SIT) to find the number of users who enrolled a passkey, used passkeys to skip passwords at sign-in, and used passkeys as a second step for 2SV.
Users who enrolled a passkey
- Sign in with an administrator account to the Google Admin console. If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu > Security > Security center > Investigation tool. Requires having the Security center administrator privilege.
- From the Data source menu, select User log events.
- Click Add condition.
- From the Attribute menu, select Event, and ensure that the condition is set to Is (the default).
- From the Event menu, select Passkey enrolled.
- Click Group results.
- From the Attribute menu, select User.
- Click Search.
The result contains the number of users who enrolled a passkey at least once.
Users who used passkeys to skip passwords at sign-in
- Sign in with an administrator account to the Google Admin console. If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu > Security > Security center > Investigation tool. Requires having the Security center administrator privilege.
- From the Data source menu, select User log events.
- Click Add condition.
- From the Attribute menu, select Challenge type, and ensure that the condition is set to Is (the default).
- From the Challenge type menu, select Passkey.
- Click Add condition to add another condition, and ensure that the operator is set to AND (the default).
- From the Attribute menu, select Event, and ensure that the condition is set to Is (the default).
- From the Event menu, select Successful login.
- Click Group results.
- From the Attribute menu, select User.
- Click Search.
The result contains the number of users who used passkeys to skip passwords at sign-in.
Users who used a passkey as a second step for 2SV
- Sign in with an administrator account to the Google Admin console. If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu > Security > Security center > Investigation tool. Requires having the Security center administrator privilege.
- From the Data source menu, select User log events.
- Click Add condition.
- From the Attribute menu, select Challenge type, and ensure that the condition is set to Is (the default).
- From the Challenge type menu, select Passkey.
- Click Add condition to add another condition, and ensure that the operator is set to AND (the default).
- From the Attribute menu, select Event, and ensure that the condition is set to Is (the default).
- From the Event menu, select Login verification.
- Click Group results.
- From the Attribute menu, select User.
- Click Search.
The result contains the number of users who used a passkey as a second step for 2SV.
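The three searches above can be combined offline to find users who enrolled a passkey but never used it. The following is an added example, not Google's code: it runs over constructed rows, and the CSV column names are an assumption that mirrors the tool's attribute labels rather than a documented export schema.

```python
import csv
import io

# Constructed sample rows; column names mirror the investigation tool's
# attribute labels and are an assumption, not a documented export schema.
SAMPLE_CSV = """Date,User,Event,Challenge type
2024-05-01T08:00:00Z,ana@example.com,Passkey enrolled,
2024-05-01T08:05:00Z,ana@example.com,Successful login,Passkey
2024-05-01T09:00:00Z,ben@example.com,Passkey enrolled,
2024-05-01T09:10:00Z,ben@example.com,Successful login,Password
2024-05-01T09:10:05Z,ben@example.com,Login verification,Passkey
2024-05-02T07:30:00Z,ana@example.com,Successful login,Passkey
2024-05-02T10:00:00Z,cy@example.com,Successful login,Password
2024-05-02T11:00:00Z,dee@example.com,Passkey enrolled,
"""

# Each search from the page: attribute -> required value, combined with AND.
SEARCHES = {
    "enrolled": {"Event": "Passkey enrolled"},
    "skipped_password": {"Challenge type": "Passkey", "Event": "Successful login"},
    "second_step": {"Challenge type": "Passkey", "Event": "Login verification"},
}


def load_rows(text):
    """Parse exported rows into dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def users_matching(rows, conditions):
    """Apply 'Is' conditions joined by AND, then group results by User."""
    grouped = {}
    for row in rows:
        if all((row.get(a) or "").strip() == v for a, v in conditions.items()):
            grouped[row["User"]] = grouped.get(row["User"], 0) + 1
    return grouped


def passkey_report(rows):
    """Return the distinct users for each search, plus the adoption gap."""
    sets = {name: set(users_matching(rows, c)) for name, c in SEARCHES.items()}
    # Enrolled, but never seen using the passkey in either role.
    sets["enrolled_unused"] = (
        sets["enrolled"] - sets["skipped_password"] - sets["second_step"]
    )
    return sets


if __name__ == "__main__":
    for name, users in passkey_report(load_rows(SAMPLE_CSV)).items():
        print(f"{name}: {len(users)} {sorted(users)}")
```

Users in `enrolled_unused` are the ones to follow up with before tightening sign-in policy, because they have a passkey on record but no evidence that it works for them.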