Google Workspace Enhances Windows Login Security with FIDO2 Keys and Phone Passkeys
Google Workspace now supports FIDO2 security keys and phone passkeys for Windows login via Google Credential Provider for Windows (GCPW), bolstering organizational security.

Google has expanded the security capabilities of its Credential Provider for Windows (GCPW) by integrating support for FIDO2-compliant physical security keys and phone-based passkeys. This enhancement allows organizations using Google Workspace to enforce hardware-based two-factor authentication (2FA) directly at the Windows login screen, significantly strengthening account security for employees signing into their work devices.
GCPW, a free tool provided by Google, enables users to authenticate into Windows computers using their Google Workspace credentials, either as a replacement for or in conjunction with traditional Windows usernames and passwords. The new feature empowers administrators to mandate 2FA, ensuring that users must present a second verification factor beyond just their password when logging in.
Administrators can now leverage the Google Admin console to enforce this enhanced security measure. The process involves enabling an enforcement policy that requires users to have already registered a valid second-factor authentication method. Supported methods include Google Prompt, authenticator apps, physical security keys, and phone numbers, providing flexibility for organizations to choose the most suitable options for their user base.
Before activating the enforcement policy, administrators have the ability to review the enrollment status of their users, ensuring a smooth transition. The policy can be configured under the Security > Authentication > 2-Step Verification section within the Admin console. This allows for immediate application or scheduling for a future date, catering to different deployment strategies and organizational needs.
Once the policy is active, users will be prompted to complete the 2-step verification process after entering their password. This typically involves interacting with their registered security key or approving a prompt on their authenticated phone, thereby mitigating risks associated with compromised passwords or phishing attacks.
The integration of FIDO2 keys and passkeys aligns with industry best practices for modern authentication, moving away from less secure methods like SMS-based verification. This move is particularly critical in an era where sophisticated phishing campaigns and AI-driven attacks are becoming increasingly prevalent, making robust, phishing-resistant authentication methods a necessity.
This update signifies Google's ongoing commitment to enhancing the security posture of its Workspace ecosystem. By extending strong authentication options to the endpoint login experience, Google is providing organizations with more granular control and a higher level of assurance over access to sensitive corporate data and systems residing on Windows devices.
The ability to enforce hardware-backed authentication at the Windows login screen is a significant step forward for enterprise security. It directly addresses the challenge of securing user credentials in a hybrid work environment, where employees access company resources from various devices and locations, making robust identity verification paramount.