Nearly 2 billion people use the free Gmail email service, with over 300 billion emails flowing through the service every day. It’s no wonder then that your Google Account, which unlocks the door to that Gmail data, is a prime target for criminals and state-sponsored hackers. Google’s Advanced Protection Program is available to high-risk users like politicians, activists, and journalists, and offers the most secure option for accessing your account. This has come at a price, as hardware security keys have been required as a second-factor authentication method up until now. Google has finally announced that users who opt into the APP will be able to use passkeys in place of hardware security keys, using them as an all-in-one login method without the need for separate 2FA credentials.
Passkeys can now replace hardware keys and 2FA from Google’s advanced security program
Shuvo Chatterjee, Product Lead for Google’s Advanced Protection Program, has confirmed that Passkeys are now available as part of the APP enrollment process, effective immediately. The APP is the strongest level of Google Account security, and provides additional protection against the most common attacks often launched against high-risk Gmail users: phishing and malware. To be fair, you don’t have to be in a high-risk profession to be attacked in this way, and as such, the APP is a safe bet for most users.
The financial burden of purchasing not one but two hardware security keys to use during the enrollment process has made many users reluctant to take this next security step. By removing it, Google’s announcement means the program has just been opened up to a much wider user base. “Passkeys give high-risk users the option to rely on the convenience and security of using personal devices they already own,” Chatterjee said, “as opposed to using another device or tool like a security key for phishing-resistant authentication.”
What is a passkey and why would you use one?
Passkeys are another way to authenticate yourself to a service, a simpler and more secure method than passwords, according to Google. They’re “phishing-resistant, so users are protected from things like fraudulent emails,” Chatterjee said, and come with ease of use built in, since they rely on your face scan, fingerprint or a PIN on a device, such as your smartphone, that you already own. Importantly, in terms of usability, passkeys work by default without the need for a password, though they can be used as a second factor in conjunction with a password if desired. Unlike passwords, you don’t have to remember or type anything into your computer or mobile device. They’re also said to be more secure, since they’re tied to your device, usually your smartphone, and never stored on servers where they could be vulnerable to hacking or phishing attacks.
APP sign-up with a passkey is very simple. Go to the APP homepage and choose to sign up with a passkey when the option is presented. While the passkey can replace both the password and 2FA parts of the sign-up, Google still requires that you choose a recovery method in case you need to regain access to your account. This can be anything from a phone number, email address, separate passkey, or hardware keys. A combination of these is used in the process of regaining access to an account, which is necessarily more difficult as part of the APP.