Prooflytics
Platform · 8 min read

Google Ads Passkeys for Sensitive Actions: What Changes July 15

Google Ads is mandating passkeys for sensitive account actions starting July 15, 2026, replacing password-based login for operations like billing changes and user management. For agencies managing multiple client accounts, this requires setup across every account before the deadline.

Google Ads is requiring passkeys for sensitive account actions starting July 15, 2026, replacing password-based login with biometric authentication -- fingerprint, face recognition, or device PIN -- for operations that carry the highest risk of unauthorized changes. The mandate is designed to block phishing and account hijacking, which represent the primary attack vector for unauthorized billing changes and campaign manipulation in Google Ads accounts. For agencies managing multiple client accounts, the deadline means configuring passkeys across every account before July 15 or facing blocked access to sensitive operations at the worst possible time.

Key takeaways

  1. Google Ads requires passkeys for sensitive account actions from July 15, 2026. Users without passkeys configured will be unable to complete those actions after the deadline.
  2. Passkeys use device biometrics (fingerprint, face ID) or device PIN instead of passwords. They are phishing-resistant by design -- the credential never leaves the user's device.
  3. Agencies managing multiple client accounts through a manager account (MCC) must configure passkeys for each team member independently. MCC-level passkey setup does not cascade to child accounts automatically.
  4. The window from now to July 15 is the setup window. After July 15, new passkey enrollment may require manual identity verification -- the same process as account recovery.
  5. Passkeys do not replace Google Ads login entirely. They are required specifically for sensitive actions within an already-authenticated session.

What passkeys are and why Google is mandating them

Passkey (FIDO2 authentication): A cryptographic login credential stored on a physical device (phone, laptop, security key) and unlocked with biometric verification or a PIN. Unlike a password, a passkey cannot be phished because the private key is never transmitted over the network -- the website receives only a signature over its challenge, not the credential itself.

Google Ads accounts have historically been targeted for phishing attacks that steal passwords and then make unauthorized changes: redirecting billing to a different payment method, draining budgets, inserting malicious ads, or adding unauthorized users with admin access. Password-based authentication is vulnerable because users can be tricked into entering credentials on a fake login page.

Passkeys eliminate this attack vector. Even if a user is tricked into visiting a fake Google Ads login page, no credential can be captured -- the passkey authentication process only completes on the device that holds the passkey, bound to the legitimate Google domain. For accounts managing significant ad spend, this is a meaningful security upgrade.
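The domain binding described above shows up on the server as a few checks on each passkey response. The following is an added example, not code from Google or Prooflytics: the relying-party ID, origins and sample data are constructed, and it covers only the origin, challenge and user-verification checks, leaving out verification of the signature itself.

```python
import base64
import hashlib
import hmac
import json
import struct

# Assumed relying-party values for illustration, not Google's real configuration.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://accounts.example.com"}
FLAG_UP, FLAG_UV = 0x01, 0x04  # user present, user verified (biometric or PIN)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_assertion(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> list:
    """Return the names of the relying-party checks that fail (empty list = pass)."""
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("type")
    sent = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(sent, b64url(challenge).encode()):
        failures.append("challenge")
    if client.get("origin") not in ALLOWED_ORIGINS:
        failures.append("origin")  # the browser, not the page, fills in this field
    # authenticatorData layout: rpIdHash (32 bytes) | flags (1) | signCount (4) | ...
    if len(auth_data) < 37:
        return failures + ["authData"]
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        failures.append("rpIdHash")
    if (auth_data[32] & (FLAG_UP | FLAG_UV)) != (FLAG_UP | FLAG_UV):
        failures.append("userVerification")
    return failures


def constructed_assertion(origin, rp_id, challenge, flags=FLAG_UP | FLAG_UV):
    """Build constructed sample clientDataJSON and authenticatorData bytes."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, 1)
    return client, auth


if __name__ == "__main__":
    chal = bytes(range(32))  # constructed; a real server issues a fresh random challenge
    good = constructed_assertion("https://accounts.example.com", RP_ID, chal)
    # Same challenge relayed via a look-alike page: origin and RP ID are the page's own.
    fake = constructed_assertion("https://accounts.example-login.test", "example-login.test", chal)
    print(check_assertion(*good, chal), check_assertion(*fake, chal))
```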

For agencies specifically, phishing attacks that target one team member's credentials can compromise every client account that team member has access to. Passkeys reduce the blast radius of a compromised credential to zero.

What counts as a sensitive action in Google Ads

Google has not published a complete enumeration of which actions require passkey verification, but sensitive actions in Google Ads generally include operations with direct financial or access implications:

  • Billing and payment changes: Adding or removing payment methods, changing billing accounts, adjusting credit card information.
  • User access management: Adding new users to an account, changing user access levels, removing existing users.
  • Account-level budget settings: Changes to monthly billing thresholds or spending limits at the account level (distinct from campaign-level budgets).
  • Significant account configuration changes: Operations that affect how the account operates at a structural level, separate from day-to-day campaign management.

Routine campaign management -- creating ads, adjusting bids, changing targeting -- is not expected to require passkey verification. The mandate targets operations where unauthorized access causes direct harm, not operational tasks.

What the data shows about account security and passkeys

The problem this creates for agencies: a typical performance marketing agency has multiple team members with access to dozens of client accounts. Password-based access management at this scale creates compounding risk -- each team member is a potential phishing target, and a single compromised credential can affect every account that team member accesses.

Industry data on advertising account compromises consistently shows billing fraud and unauthorized user addition as the two most common outcomes of Google Ads phishing attacks. The pattern is usually: attacker gains credentials via phishing, adds a new admin user they control, then changes payment methods or redirects campaigns before the legitimate owner detects the intrusion.

Passkeys address this specifically by making credential theft non-viable. A stolen passkey seed is useless without the physical device and biometric authentication -- meaning the attack vector reverts to physical device theft rather than remote phishing, which is operationally much harder at scale.

Prooflytics monitors Google Ads account health in the daily briefing, including changes to user access and billing configuration. When your account is connected, unexpected access changes or billing modifications trigger an alert in the next morning's brief -- which means anomalies surface within 24 hours rather than after unauthorized spend has already occurred.
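The sequence described in this section (a new admin user, then a billing change) can be flagged from an account's change history. The following is an added example, not Prooflytics or Google code: the event fields, action names, roster and sample events are hypothetical and constructed.

```python
from datetime import datetime, timedelta

BILLING_ACTIONS = {"PAYMENT_METHOD_CHANGED", "BILLING_ACCOUNT_CHANGED"}

# Constructed change-history events. Field and action names are hypothetical,
# not a Google Ads export schema; map your own export onto them.
EVENTS = [
    {"time": "2026-07-20T09:02:00", "account": "111-111-1111",
     "action": "USER_ADDED", "target": "lee@agency.example", "role": "ADMIN"},
    {"time": "2026-07-20T09:30:00", "account": "111-111-1111",
     "action": "PAYMENT_METHOD_CHANGED"},
    {"time": "2026-07-21T02:14:00", "account": "222-222-2222",
     "action": "USER_ADDED", "target": "billing-help@mail.example", "role": "ADMIN"},
    {"time": "2026-07-21T02:31:00", "account": "222-222-2222",
     "action": "PAYMENT_METHOD_CHANGED"},
    {"time": "2026-07-01T10:00:00", "account": "333-333-3333",
     "action": "USER_ADDED", "target": "temp@mail.example", "role": "ADMIN"},
    {"time": "2026-07-10T10:00:00", "account": "333-333-3333",
     "action": "BILLING_ACCOUNT_CHANGED"},
]
ROSTER = {"lee@agency.example"}  # constructed list of approved admin identities


def find_admin_then_billing(events, roster, window=timedelta(hours=24)):
    """Flag billing changes that follow an off-roster admin add within `window`."""
    findings, pending = [], {}  # pending: account -> [(added_at, user), ...]
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        when, acct = datetime.fromisoformat(ev["time"]), ev["account"]
        if (ev["action"] == "USER_ADDED" and ev.get("role") == "ADMIN"
                and ev["target"] not in roster):
            pending.setdefault(acct, []).append((when, ev["target"]))
        elif ev["action"] in BILLING_ACTIONS:
            for added_at, user in pending.get(acct, []):
                if when - added_at <= window:
                    minutes = int((when - added_at).total_seconds() // 60)
                    findings.append({"account": acct, "new_admin": user,
                                     "action": ev["action"], "minutes_after": minutes})
    return findings


if __name__ == "__main__":
    for finding in find_admin_then_billing(EVENTS, ROSTER):
        print(finding)
```

An admin add for someone on the approved roster, or a billing change that falls outside the window, is not flagged, which keeps routine onboarding from raising alerts.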

How to set up passkeys for Google Ads before July 15

Step 1: Check your current passkey status. Navigate to your Google Account security settings (myaccount.google.com/security). Under "How you sign in to Google," check whether passkeys are already configured. If you use a modern Android or iOS device and have signed in with biometrics recently, a passkey may have been created automatically.

Step 2: Add a passkey if one is not present. In the same security settings section, select "Create a passkey" and follow the prompt. Google will use the device's biometric capability (fingerprint sensor, Face ID) or PIN to create the passkey. This process takes under two minutes.

Step 3: Configure passkeys on all devices you use for Google Ads access. Passkeys are device-specific by default. If you access Google Ads from both a laptop and a phone, create passkeys on both devices. A passkey created on your phone will not automatically authenticate your laptop session.

Step 4: For agencies -- audit team member passkey setup before July 14. Each team member who may need to perform sensitive actions in client accounts must configure their own passkeys. Contact each team member to confirm completion before July 14. Do not assume that one team member's passkey configuration covers the rest of the team.

Step 5: Configure backup authentication. Passkeys are tied to devices. If a team member loses their device, they will need backup authentication to recover account access. Ensure that recovery options (backup codes, secondary verified phone numbers) are configured for each team member's Google Account before the deadline.

Agency checklist: passkeys before July 15

Account audit: List every Google Ads account your agency manages and every team member with access to sensitive actions in those accounts.

Team notification: Notify all team members of the July 15 deadline. Provide the setup link (myaccount.google.com/security) and the specific steps.

Deadline confirmation: Set a team-wide deadline of July 7 for passkey setup -- one week before the Google deadline -- to allow time to troubleshoot issues before July 15.

Client communication: Clients with their own team members accessing accounts they manage alongside your agency need to configure passkeys independently. Send a brief notification to client contacts who have admin access.

Recovery options: Verify that every team member has backup authentication (recovery phone or backup codes) configured. A team member who loses a device after July 15 without backup authentication will be unable to perform sensitive actions until account recovery is complete -- a process that can take several business days.

The same rigor that applies to validating Google Ads API migration before the v20 sunset applies here: a deadline missed under pressure is a crisis. A deadline met one week early is a routine upgrade.

Bottom line

  • Google Ads requires passkeys for sensitive account actions from July 15, 2026. Users without passkeys cannot complete those actions after the deadline.
  • Passkeys (device biometrics or PIN) eliminate phishing as an attack vector for the most high-risk account operations.
  • Agencies must audit every team member with sensitive action access and confirm passkey setup before July 14 -- one week before the deadline.
  • API-based workflows are not affected. Passkeys apply to interactive user sessions only.

Frequently asked questions

What happens if I have not set up a passkey by July 15, 2026?

After July 15, attempting to perform a sensitive account action will prompt you to set up a passkey before proceeding. If you are on a device that supports passkeys, this prompt should allow immediate enrollment. If you are on a device that does not support passkeys (an older browser or operating system), you may be unable to complete sensitive actions from that device until you switch to a compatible device or set up a hardware security key.

Can I use a physical security key (YubiKey) instead of biometrics?

Yes. Google supports FIDO2-compatible hardware security keys as a passkey equivalent. A YubiKey or similar device can be registered as a passkey. For security-conscious agencies, hardware keys offer an advantage over device-biometric passkeys because they can be physically stored separately from the account user -- useful for shared admin accounts where individual biometrics cannot be used.

Will passkeys affect API access to Google Ads?

Passkey requirements apply to interactive user sessions, not API access. Automated workflows using Google Ads API service accounts or OAuth tokens are not affected. Passkeys are a human-authentication layer, not a machine-authentication layer. If your scripts, bid automation tools, or data connectors use the Google Ads API with a service account, they are unaffected by the July 15 passkey mandate.

What if my client account admin uses a shared login?

Shared logins (one email and password used by multiple team members) are against Google's terms of service and are especially problematic with passkey requirements. A passkey is device-specific -- a shared login would mean the team member who created the passkey on their device is the only person who can perform sensitive actions. The correct solution is to configure individual Google Workspace accounts for each team member and grant each one the appropriate access level within Google Ads.

Does my agency's manager account (MCC) passkey configuration cover client accounts?

No. Passkeys are tied to individual Google Accounts, not to MCC hierarchies. Each team member who accesses client accounts from your MCC must configure passkeys on their individual Google Account. There is no MCC-level passkey setting that cascades to child accounts.
