Google is making it easier for people to lock down their accounts with strong multifactor authentication by adding the option to store secure cryptographic keys in the form of passkeys rather than physical token devices.
Google’s Advanced Protection Program, introduced in 2017, requires the strongest form of multi-factor authentication (MFA). While many forms of MFA rely on one-time passwords sent via SMS or email or generated by authenticator applications, accounts enrolled in Advanced Protection require MFA based on cryptographic keys stored on a secure physical device. Unlike OTPs, security keys stored on physical devices are immune to credential phishing and cannot be copied or sniffed.
Democratizing APP
APP, short for Advanced Protection Program, requires the key to be paired with a password every time a user logs into an account on a new device. The protection prevents the kinds of account takeovers that allowed Kremlin-backed hackers to break into the Gmail accounts of Democratic officials in 2016 and go on to reveal stolen emails to interfere in that year’s presidential election.
Until now, Google required people to have two physical security keys to sign up for APP. Now, the company is allowing people to use two passkeys, or a passkey and a physical token, instead. Those looking for further security can register as many keys as they want.
“We’re expanding the opening so that people have more choices about how to enroll in this program,” Shuvo Chatterjee, project manager for APP, told Ars. He said the move comes in response to feedback Google has received from some users who either couldn’t afford to buy physical keys or lived or worked in regions where they aren’t available.
As always, users must still have two keys to register to prevent account lockout if one is lost or broken. While lockouts are always a problem, they can be much worse for APP users because the recovery process is much more rigorous and takes much longer than for accounts that are not enrolled in the program.
Passkeys are the creation of the FIDO Alliance, a cross-industry group of hundreds of companies. They are stored locally on a device and can also be stored in the same type of hardware token that stores MFA keys. Passkeys cannot be retrieved from the device and require a PIN code or a fingerprint or face scan to use. They provide two factors of authentication: something the user knows—the master password used when the passkey was first created—and something the user has—in the form of the device that stores the passkey.
Of course, the relaxed requirements only go so far as users still need to have two devices. But by expanding the types of devices needed, APP becomes more accessible since many people already have a phone and computer, Chatterjee said.
“If you’re in a place where you can’t get security keys, it’s more convenient,” he explained. “This is a step towards the democratization of access [users] reach this higher level of security that Google offers.”
Despite the increased scrutiny involved in the recovery process for APP accounts, Google is renewing its recommendation that users provide a backup phone number and email address.
“The most resilient thing to do is to have multiple things on file, so if you lose that security key or the key breaks, you have a way to get back into your account,” Chatterjee said. He’s not giving the “secret sauce” details of how the process works, but he said it involves “tons of signals that we look at to figure out what’s really going on.
“Even if you have a recovery phone, a recovery phone by itself will not give you access to your account,” he said. “So if your SIM is changed, it doesn’t mean that someone has access to your account. It is a combination of different factors. It’s the epitome of what will help you on your road to recovery.”
Google users can register for the APP by visiting this link.