Google is making it easier for users to lock down their accounts with its strongest multi-factor authentication by adding the option to hold the cryptographic keys in the form of a passkey rather than on a physical token device.
Google's Advanced Protection Program, introduced in 2017, requires the strongest form of multi-factor authentication (MFA). While most MFA relies on one-time passcodes sent via SMS or email or generated by an authenticator app, accounts enrolled in Advanced Protection require MFA based on cryptographic keys stored on a secure physical device. Unlike one-time passcodes, which a user can be tricked into typing into a look-alike site, FIDO security keys sign a challenge that is bound to the genuine site's origin, so they are not susceptible to credential phishing and cannot be copied or intercepted.
Democratizing APP
APP, short for Advanced Protection Program, requires users to present their key and password every time they log into their account on a new device. The protection is meant to prevent account takeovers like the one in 2016 that allowed Kremlin-backed hackers to access the Gmail accounts of Democratic Party members and leak stolen emails to interfere in that year's presidential election.
Previously, Google required two physical security keys to enroll in APP. Now the company allows two passkeys, or one passkey and one physical token. Those who want additional redundancy can register as many keys as they need.
“We’re broadening its reach to give people more options for how they can enroll in the program,” Shuvo Chatterjee, project lead for APP, told Ars. He said the move was made in response to comments Google received from some users who couldn’t afford to buy a physical key or who live or work in areas where physical keys aren’t available.
As always, users must enroll two keys or risk being locked out of their account if one key is lost or damaged. Lockouts are an issue for any account, but even more so for APP users, because the recovery process is much more rigorous and time-consuming than for accounts not enrolled in the program.
Passkeys are a creation of the FIDO Alliance, a cross-industry group of hundreds of companies. A passkey can be stored locally on a phone or computer or on the same type of hardware token that stores security-key credentials. The private key cannot be exported from the authenticator, and using it requires a PIN, fingerprint, or face scan. A passkey therefore provides two factors of authentication: something you have (the device that holds the private key) and something you know or are (the PIN or biometric that unlocks it).
Of course, there are limits to how far the requirement can be relaxed, as users still need to own two devices, but Chatterjee said expanding the types of devices that qualify will make APP accessible to the many people who already have a phone and a computer.
"It's more convenient if you're in a location where you can't get a security key," he explained. "It's a step towards democratizing access. It will give [users] the highest level of security that Google offers."
Despite increased scrutiny around the APP account recovery process, Google is once again encouraging users to provide their phone numbers and email addresses as backups.
“The most resilient way is to have multiple pieces of information on file, so if you lose your security key or it gets corrupted, you have a way to get back into your account,” Chatterjee said. He wouldn’t reveal any “secret sauce” details about how the process works, but said it involves “looking at a ton of signals to get a sense of what’s really going on.”
"Even if you have a recovery phone, that alone won't give you access to your account," he said. "So just because your SIM has been swapped doesn't mean someone can access your account. It's a combination of factors, the sum of which will help you on your path to recovery."
Google users can enroll in APP on Google's Advanced Protection Program page.