Google Ads To Require Passkey For Certain Sensitive Actions After July 15

The rise of credential‑theft attacks has forced ad platforms to rethink how users prove identity. Google’s decision to mandate passkeys reflects a broader industry shift toward password‑less authentication, which leverages public‑key cryptography stored on smartphones, tablets, or security keys. By eliminating reusable passwords, passkeys dramatically lower the attack surface for phishing, credential stuffing, and automated hijack tools that have plagued Google Ads accounts in recent months. This move also aligns Google with standards set by the FIDO Alliance and major OS vendors, reinforcing its reputation for security leadership.

Effective July 15, 2026, advertisers will need a registered passkey to perform actions such as changing billing information, adding users, or modifying conversion tracking settings—operations Google classifies as “sensitive.” The rollout is phased: users receive an email prompting them to create a passkey via the Google Account security page, and the system will block the listed actions until a passkey is present. Failure to comply could result in halted campaigns, delayed reporting, or even temporary account suspension. Best practice advice includes enrolling a passkey on multiple devices, backing up recovery credentials, and testing the new workflow in a sandbox account before the deadline.

Beyond immediate security gains, the policy signals a longer‑term transition to a password‑free advertising ecosystem. As more advertisers adopt passkeys, the industry can expect reduced fraud losses, smoother account management, and lower support costs for password resets. Competitors that lag in implementing similar safeguards may face higher exposure to hijack incidents and could lose trust among security‑conscious brands. For agencies and large advertisers, integrating passkey management into internal SOPs and training programs will become a critical component of digital‑marketing risk mitigation strategies.