Google has confirmed another serious attack on Gmail accounts this week, prompting a renewed Gmail Passkey Security Update. This time, attackers exploited Google’s own infrastructure to compromise users. The company is now urging account holders to abandon passwords altogether and adopt passkeys for improved security. With phishing attacks targeting two-factor authentication codes and stolen credentials fueling mass data leaks, Google says the time to act is now.
Earlier this month, Google revealed that most of its users still rely solely on passwords. Despite growing threats, fewer than half of U.S. users enable two-factor authentication. Even when they do, SMS-based codes remain the most popular method, although they are the easiest to intercept or misuse. Experts call SMS the weakest form of 2FA and urge users to move to stronger options.
Passkeys offer a solution. These phishing-resistant login tools rely on device-level authentication such as biometrics. With a passkey, there’s no password to steal or code to share. Instead, your device verifies your identity using built-in security methods like a fingerprint or face scan. That makes the Gmail Passkey Security Update more than a technical tweak—it’s a foundational shift in digital security.
According to Google, adding a passkey to your account doesn’t just protect Gmail. It secures everything linked to your Google sign-in, from YouTube and Drive to third-party apps. Google emphasizes that once passkeys are in place, they simplify login across many services while enhancing protection.
The urgency is growing due to recent reports about a massive 16 billion record data breach. Although this breach appears to be an aggregation of past leaks rather than a new attack, the data is real and dangerous. Kaspersky has cautioned that while the authenticity of the database is unverified, users should still take precautions immediately. Their advice: change passwords, but more importantly, adopt passkeys.
Some users hesitate due to concerns about Big Tech centralizing login control. While those concerns are valid, the security benefits are undeniable. Passkeys cannot be phished, reused, or transferred, which means attackers have far fewer opportunities to exploit users. Google insists that passkeys provide the safest, easiest login experience available today.
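Passkeys are built on the WebAuthn standard, and the "cannot be phished or reused" property comes from binding checks the site runs on every sign-in response. The Python below is an added example, not code from Google or the original article; the domain names, challenge value and helper names are constructed for illustration, and signature verification with the stored public key is assumed to happen separately.

```python
import base64
import hashlib
import json
import struct

# Constructed values for illustration; a real relying party uses its own.
RP_ID = "accounts.example"
EXPECTED_ORIGIN = "https://accounts.example"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json, authenticator_data, expected_challenge):
    """Return reasons to reject; an empty list means these binding checks pass.
    Signature verification with the stored public key is a separate step, omitted here."""
    problems = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        problems.append("wrong type")
    if client.get("challenge") != b64url(expected_challenge):
        problems.append("challenge mismatch")   # stale or replayed response
    if client.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin mismatch")      # browser reported a different site
    if len(authenticator_data) < 37:
        return problems + ["authenticator data too short"]
    # Layout: SHA-256(rpId) [32 bytes] | flags [1] | signature counter [4]
    rp_id_hash, flags, _count = struct.unpack(">32sBI", authenticator_data[:37])
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash mismatch")    # credential scoped to another site
    if not flags & 0x01:
        problems.append("user not present")
    if not flags & 0x04:
        problems.append("user not verified")    # no biometric or PIN check
    return problems

def make_sample(origin, rp_id, challenge, flags=0x05):
    """Build a constructed (client_data_json, authenticator_data) pair for testing."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth = struct.pack(">32sBI", hashlib.sha256(rp_id.encode()).digest(), flags, 0)
    return client, auth

if __name__ == "__main__":
    challenge = b"constructed-challenge-0001"
    print(check_assertion(*make_sample(EXPECTED_ORIGIN, RP_ID, challenge), challenge))
    print(check_assertion(*make_sample("https://accounts-example.test",
                                       "accounts-example.test", challenge), challenge))
```

A response produced on a lookalike domain fails both the origin and rpIdHash checks, and a captured response fails the challenge check once the server has issued a new challenge.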
Kaspersky and other cybersecurity firms agree. They recommend enabling passkeys on platforms that support them, including Google, Microsoft, Apple, and Meta. As Google puts it, when you link a passkey to your account, you can use Sign in with Google across multiple services—reducing the number of accounts you need to manage.
Even if the data breach isn’t new, and even if you’re unsure whether your information was included, now is the time to act. Changing your password helps. But enabling a passkey ensures that even if someone tries to compromise your account, they won’t succeed without your physical device. That’s a level of protection passwords alone can’t offer.