Google is making it easier for people to lock down their accounts with strong multifactor authentication by adding the option to store secure cryptographic keys in the form of passkeys rather than on physical token devices.
Google’s Advanced Protection Program, introduced in 2017, requires the strongest form of multifactor authentication (MFA). Whereas many forms of MFA rely on one-time passcodes sent through SMS or emails or generated by authenticator apps, accounts enrolled in advanced protection require MFA based on cryptographic keys stored on a secure physical device. Unlike one-time passcodes, security keys stored on physical devices are immune to credential phishing and can’t be copied or sniffed.
Democratizing APP
APP, short for Advanced Account Protection, requires the key to be accompanied by a password whenever a user logs into an account on a new device. The protection prevents the types of account takeovers that allowed Kremlin-backed hackers to access the Gmail accounts of Democratic officials in 2016 and go on to leak stolen emails to interfere with the presidential election that year.
Until now, Google required people to have two physical security keys to enroll in APP. Now, the company is allowing people to instead use two passkeys or one passkey and one physical token. Those seeking further security can enroll using as many keys as they want.
“We’re expanding the aperture so people have more choice in how they enroll in this program,” Shuvo Chatterjee, the project lead for APP, told Ars. He said the move comes in response to comments Google has received from some users who either couldn’t afford to buy the physical keys or lived or worked in regions where they’re not available.
As always, users must still have two keys to enroll to prevent being locked out of accounts if one of them is lost or broken. While lockouts are always a problem, they can be much worse for APP users because the recovery process is much more rigorous and takes much longer than for accounts not enrolled in the program.
Passkeys are the creation of the FIDO Alliance, a cross-industry group comprised of hundreds of companies. They’re stored locally on a device and can also be stored in the same type of hardware token storing MFA keys. Passkeys can’t be extracted from the device and require either a PIN or a scan of a fingerprint or face. They provide two factors of authentication: something the user knows—the underlying password used when the passkey was first generated—and something the user has—in the form of the device storing the passkey.
Of course, the relaxed requirements only go so far since users still must have two devices. But by expanding the types of devices needed, APP becomes more accessible since many people already have a phone and computer, Chatterjee said.
“If you’re in a place where you can’t get security keys, it’s more convenient,” he explained. “This is a step toward democratizing how much access [users] get to this highest security tier Google offers.”
Despite the increased scrutiny involved in the recovery process for APP accounts, Google is renewing its recommendation that users provide a phone number and email address as backup.
“The most resilient thing to do is have multiple things on file, so if you lose that security key or the key blows up, you have a way to get back into your account,” Chatterjee said. He’s not providing the “secret sauce” details about how the process works, but he said it involves “tons of signals we look at to figure out what’s really happening.
“Even if you do have a recovery phone, a recovery phone by itself isn’t going to get you access to your account,” he said. “So if you get SIM swapped, it doesn’t mean someone gets access to your account. It’s a combination of various factors. It’s the summation of that that will help you on your path to recovery.”
Google users can enroll in APP by visiting this link.