Google Makes It Simpler for Consumers to Turn On Enhanced Account Protection

  • 13-July-2024

Google has added the ability to store the cryptographic keys used for its strongest account protection as passkeys rather than on physical hardware tokens, making it simpler for users to protect their accounts with robust multifactor authentication.

Introduced in 2017, Google's Advanced Protection Program requires the strongest form of multifactor authentication (MFA). Accounts enrolled in advanced protection must authenticate with a secure physical device that holds cryptographic keys, unlike many other forms of MFA that rely on one-time passcodes delivered by SMS or email or generated by authenticator applications. In contrast to one-time passcodes, keys held on physical security devices cannot be copied or intercepted, which makes them resistant to credential phishing.

Democratization of the APP

The Advanced Protection Program, or APP, requires that a password be entered in addition to the key each time a user signs into an account from a new device. The safeguard thwarts the kind of account takeover that allowed Kremlin-sponsored hackers to break into Democratic officials' Gmail accounts in 2016 and then release the stolen emails to sabotage last year's presidential race.

Until now, enrolling in APP required possessing two physical security keys. According to the company, users can now instead use two passkeys, or one passkey plus one physical token. Those who want additional security can register as many keys as they like.

APP project lead Shuvo Chatterjee told Ars, "We're expanding the aperture so people have more choice in how they enroll in this program." According to him, the decision was made in response to feedback Google received from customers who either could not afford to purchase the physical keys or lived or worked in regions where they are unavailable.

Users still need two keys to enroll, so that an account is not locked if one of them is misplaced or broken. Lockouts are never good, but for APP users in particular they can be considerably worse, because the recovery process is more demanding and takes longer than it does for accounts that are not in the program.

Passkeys were created by the FIDO Alliance, a consortium of hundreds of companies from many industries. They can be stored either in the same kind of hardware token that holds MFA keys or locally on a device. Using a passkey requires a fingerprint or face scan, and the passkey cannot be removed from the device. They offer two forms of authentication: something the user knows (the original password that was used to produce the passkey) and something the user has (the device storing the passkey). Naturally, the relaxed requirements only go so far, as users are still required to have two devices. However, since many people already own both a phone and a computer, accepting a wider range of devices makes APP more accessible, according to Chatterjee.

“If you’re in a place where you can’t get security keys, it’s more convenient,” he explained. “This is a step toward democratizing how much access [users] get to this highest security tier Google offers.”

Given the heightened attention around the APP account recovery process, Google is reiterating its advice that users keep a backup phone number and email address on file.

“The most resilient thing to do is have multiple things on file, so if you lose that security key or the key blows up, you have a way to get back into your account,” Chatterjee said. He’s not providing the “secret sauce” details about how the process works, but he said it involves “tons of signals we look at to figure out what’s really happening.

“Even if you do have a recovery phone, a recovery phone by itself isn’t going to get you access to your account,” he said. “So if you get SIM swapped, it doesn't mean someone gets access to your account. It’s a combination of various factors. It's the summation of that that will help you on your path to recovery.”
