PSA - Google Workspace Passkeys

Quick PSA about Google Workspace passkeys for Google Admins -

Passkeys are a form of passwordless authentication built on the FIDO2/WebAuthn standards. Where a password is a shared secret that can be phished, guessed or stolen in a breach, a passkey is a cryptographic key pair: the service stores only the public key, and the user's authenticator holds the private key and uses it to sign a fresh challenge on each login. That signature is bound to the site's origin, so a credential exercised on a look-alike domain is useless against the real one, and the private key is never sent to the server (a synced passkey is shared across the user's own devices, but still never with the site). I have been using passkeys everywhere I can since they launched, and they are fantastic.

Google is one of the companies working on the passkey standard and one of its largest early adopters. In June 2023, it announced that Google Workspace would be adding support for passkeys. As part of a company that is a Google partner I have a ton of Google accounts, and this was a huge thing for me. It has been excellent!


Today, on the MacAdmins Slack, another admin discovered that Google Workspace gives admins no way to reset or remove a user's passkeys, and apparently no way to see whether a user has one registered at all. The only admin-side control is to block passkeys domain-wide, per organizational unit, or for specific groups.

This leads to some potentially big problems. When an organization lets someone go, a common approach is not to suspend the account but to reset the password, sign the user out of active sessions, revoke app passwords and so on, so that mail forwarding keeps working or a manager can be given delegated access. None of that touches a passkey: it is a separate credential, it stays registered after the password reset, and it doesn't show up anywhere in the user's security settings where an admin might notice it. So if "Allow users to skip passwords at sign-in by using passkeys" is enabled, a terminated employee who still has the device (or synced keychain) holding the passkey could potentially still sign in. I spoke to Google Support, and according to the person I spoke to, this appears to be known.

I understand this feature is in beta, but this is a pretty big oversight. Passkeys are presented as the highly secure alternative to passwords, and a credential that an administrator can neither see nor revoke undercuts that. At the very least, Google should state this limitation clearly at the point where the feature is enabled.

As a workaround, putting a user in a group or org unit that has passkeys disabled does seem to remove them. So create an offboarding group or OU with passkeys disabled and make moving the departing user into it a step in your offboarding procedure, but verify it in your own tenant before relying on it. Hopefully Google resolves this properly in the near future.
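To make the gap and the workaround concrete, here is an added example in Go (not code from the original post, and not a description of how Google's systems are built) that models a relying party's account store: the password hash and the registered passkey public keys are independent fields, so a password reset leaves the passkey able to answer a fresh challenge, while a per-org-unit policy check (standing in for the disabled-OU workaround) and an explicit revocation both stop it. It also shows why a signature produced for a look-alike origin fails at the real site. The signing is plain ECDSA P-256 over the challenge concatenated with the relying-party ID, a simplification of WebAuthn's signature over authenticator data and client data; the user, OU paths, relying-party ID and credential ID are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const rpID = "workspace.example.com" // relying party the passkey is registered to (constructed)

var ErrPolicy = errors.New("passkeys are disabled for this org unit")
var ErrNoMatch = errors.New("no registered passkey verified the signature")

// Account is a toy user record. PasswordHash and Passkeys are independent
// fields: resetting one does nothing to the other. Passkeys maps credential
// ID to public key; the private key never appears on the server side.
type Account struct {
	PasswordHash [32]byte
	Passkeys     map[string]*ecdsa.PublicKey
	OrgUnit      string
}

// Directory holds accounts plus the per-OU "skip passwords with passkeys" setting.
type Directory struct {
	Accounts        map[string]*Account
	PasskeysAllowed map[string]bool
}

// signedDigest binds the challenge to the relying party, a simplification of
// WebAuthn's signature over authenticatorData || SHA-256(clientDataJSON).
func signedDigest(challenge []byte, rp string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, challenge...), rp...))
	return sum[:]
}

// ResetPassword is what the usual offboarding runbook does; it never touches
// Passkeys. RevokePasskeys is the control the admin console is missing.
func (d *Directory) ResetPassword(email, pw string) { d.Accounts[email].PasswordHash = sha256.Sum256([]byte(pw)) }
func (d *Directory) MoveToOrgUnit(email, ou string) { d.Accounts[email].OrgUnit = ou }
func (d *Directory) RevokePasskeys(email string)    { d.Accounts[email].Passkeys = nil }

// VerifyPasskeyLogin is the server side of sign-in: fail closed on OU policy,
// then require a valid signature from a credential that is still registered.
func (d *Directory) VerifyPasskeyLogin(email, credID string, challenge, sig []byte) error {
	acct, ok := d.Accounts[email]
	if !ok || !d.PasskeysAllowed[acct.OrgUnit] {
		return ErrPolicy
	}
	if pub, ok := acct.Passkeys[credID]; ok && ecdsa.VerifyASN1(pub, signedDigest(challenge, rpID), sig) {
		return nil
	}
	return ErrNoMatch
}

// attempt runs one sign-in: a fresh server challenge, signed by the user's
// device (which holds priv) for the origin signRP, verified by the real RP.
func attempt(d *Directory, priv *ecdsa.PrivateKey, credID, email, signRP string) error {
	challenge := make([]byte, 32)
	rand.Read(challenge) // crypto/rand.Read cannot fail as of Go 1.24
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(challenge, signRP))
	if err != nil {
		return err
	}
	return d.VerifyPasskeyLogin(email, credID, challenge, sig)
}

// Scenario registers a passkey for a constructed user, then replays the
// offboarding steps from the post and records the sign-in result after each.
func Scenario() (map[string]error, error) {
	const email, credID = "alice@workspace.example.com", "cred-1"
	dir := &Directory{
		Accounts:        map[string]*Account{email: {PasswordHash: sha256.Sum256([]byte("correct horse")), OrgUnit: "/Staff"}},
		PasskeysAllowed: map[string]bool{"/Staff": true, "/Offboarding": false},
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // lives on the user's device
	if err != nil {
		return nil, err
	}
	dir.Accounts[email].Passkeys = map[string]*ecdsa.PublicKey{credID: &priv.PublicKey}
	out := map[string]error{}
	out["phishing origin"] = attempt(dir, priv, credID, email, "workspace-login.example.net") // ErrNoMatch
	dir.ResetPassword(email, "new-random-password")                                           // the runbook step
	out["after password reset"] = attempt(dir, priv, credID, email, rpID)                     // nil: still signs in
	dir.MoveToOrgUnit(email, "/Offboarding")                                                  // the workaround
	out["after OU move"] = attempt(dir, priv, credID, email, rpID)                            // ErrPolicy
	dir.MoveToOrgUnit(email, "/Staff")                                                        // allowing OU again
	dir.RevokePasskeys(email)                                                                 // the missing control
	out["after revoke"] = attempt(dir, priv, credID, email, rpID)                             // ErrNoMatch
	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

The order of checks in VerifyPasskeyLogin is the design point: OU policy is evaluated before the signature, so moving a user into the offboarding OU blocks even a perfectly valid assertion. That is why the workaround in the post is effective whether or not the credential is also deleted, while the password reset on its own changes nothing the passkey path ever reads.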