Google is making it easier for people to secure their accounts with strong multi-factor authentication by adding the option to store secure encryption keys in the form of passkeys instead of physical token devices.
Google's Advanced Protection Program, introduced in 2017, requires the strongest form of multi-factor authentication (MFA). While many forms of MFA rely on one-time passcodes sent via SMS or email or generated by authentication apps, accounts enrolled in Advanced Protection require MFA based on encryption keys stored on a secure physical device. Unlike one-time passcodes, security keys stored on physical devices are immune to credential phishing and cannot be copied or sniffed.
The Advanced Protection Program (APP) requires the key to be presented along with a password whenever a user logs into an account from a new device. The protection prevents the kind of account takeover that allowed Kremlin-backed hackers to access the Gmail accounts of Democratic officials in 2016 and then leak the stolen emails to interfere in that year's presidential election.
Until now, Google required people to have two physical security keys to enroll in APP. Now, the company is letting people enroll with two passkeys, or with one passkey and one physical token. Those looking for more security can enroll with as many keys as they want.
“We’re working on expanding the slot so that people have more choice in how they enroll in this program,” Shuvo Chatterjee, the APP project lead, told Ars. He said the move comes in response to feedback Google received from some users who couldn’t afford physical keys or lived or worked in areas where keys weren’t available.
As before, users will still need to have two enrolled keys to avoid being locked out of their accounts if one of the keys is lost or damaged. While lockouts are always a problem, they can be much worse for APP users because the recovery process is much more rigorous and takes much longer than for accounts not enrolled in the program.
Passkeys are the creation of the FIDO Alliance, a cross-industry group made up of hundreds of companies. They are stored locally on a device and can also be stored in the same type of hardware token that stores MFA keys. Passkeys cannot be extracted from the device and require either a PIN or a fingerprint or facial scan. Passkeys provide two factors of authentication: something the user knows — the primary password used when the passkey was first created — and something the user has — in the form of the device that stores the passkey.
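To illustrate why a passkey cannot be phished the way a one-time passcode can, here is an added toy model of the FIDO assertion flow (it is not code from the article, from Google, or from the FIDO Alliance). It assumes a constructed phishing domain, accounts-google.example, and uses an HMAC as a stand-in for the real public-key signature so that it runs with only the standard library; the two points it demonstrates, that the authenticator only answers for the relying-party ID it was registered under and that the signed data includes the origin the browser observed, are how real authenticators and browsers behave.

```python
import hashlib
import hmac
import secrets


class Authenticator:
    """Toy passkey holder: each credential is scoped to a relying-party ID
    and its secret never leaves this object (a model of a non-extractable key).
    HMAC stands in for the asymmetric signature, so the relying party here
    stores the same secret; a real RP would store only the public key."""

    def __init__(self):
        self._creds = {}  # rp_id -> credential secret

    def register(self, rp_id):
        self._creds[rp_id] = secrets.token_bytes(32)
        return self._creds[rp_id]  # returned to the RP at enrollment

    def get_assertion(self, rp_id, client_data):
        secret = self._creds.get(rp_id)
        if secret is None:
            return None  # no credential for this site: nothing is signed
        return hmac.new(secret, client_data, hashlib.sha256).digest()


def client_data(challenge, origin):
    """Built by the browser, not the page: binds the challenge to the origin
    the user is actually on."""
    return origin.encode() + b"|" + challenge


def relying_party_verify(stored_secret, challenge, expected_origin, signature):
    """The RP checks the signature over its own challenge and its own origin."""
    if signature is None:
        return False
    expected = hmac.new(stored_secret, client_data(challenge, expected_origin),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def login_flow(auth, stored_secret, real_rp, page_rp, page_origin):
    """Simulate a login: the real RP issues a challenge, the browser on
    page_origin asks the authenticator for an assertion scoped to page_rp,
    and the real RP verifies whatever comes back."""
    challenge = secrets.token_bytes(16)
    signature = auth.get_assertion(page_rp, client_data(challenge, page_origin))
    return relying_party_verify(stored_secret, challenge, "https://" + real_rp,
                                signature)
```

Relaying the challenge through a look-alike domain yields no assertion at all, and even a signature obtained for the wrong origin fails the relying party's check.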
Of course, the relaxed requirements only go so far, as users still have to have two devices. But by expanding the types of devices that qualify, APP becomes more accessible, since many people already have a phone and a computer, according to Chatterjee.
“If you’re in a place where you can’t get security keys, it’s more convenient,” he explained. “This is a step toward democratizing the amount of access [users] have to the highest level of security Google has to offer.”
Despite the increased scrutiny surrounding the APP account recovery process, Google is renewing its recommendation for users to provide a phone number and email address as a backup.
“The most you can do is keep multiple things on file, so if you lose your security key or your key blows up, you have a way to get back into your account,” Chatterjee said. He didn’t provide the “secret sauce” details of how the process works, but said it involves “tons of signals that we look at to figure out what’s really going on.”
“Even if you have a recovery phone, the recovery phone itself won’t give you access to your account,” he said. “So if your SIM card is swapped, that doesn’t mean someone can access your account. It’s a combination of different factors. It’s the sum of those factors that will help you on your path to recovery.”
Google users can enroll in APP by visiting this link.