Google Workspace administrators now have a stronger option at the Windows sign-in screen. Google says its Credential Provider for Windows supports FIDO2-compliant physical security keys as a second factor, with nearby Bluetooth-connected mobile-device passkeys also supported.
This matters because the first login of the day is part of the identity boundary. A stolen or guessed password should not be enough to open a managed workstation and the services behind it. Hardware-backed second factors can make phishing and credential reuse harder.
Rollout still needs preparation. Confirm device eligibility, document enrolment, keep secure recovery methods, and test what happens when a key is lost. Strong authentication works best when the support process is as deliberate as the security policy.




