Nearly 2 billion people use the free Gmail email service, with more than 300 billion emails flowing through the service daily. No wonder, then, that your Google account, which unlocks the door to that Gmail data, is a prime target for criminal and state-sponsored hackers alike. Google’s Advanced Protection Program is available to high-risk users such as politicians, activists and journalists, and offers the most secure option for accessing your account. This has come at a cost, as hardware security keys have been required as the second-factor authentication method—until now. Google has finally announced that users enrolling in the APP can use passkeys instead of hardware security keys and use them as an all-in-one login method without the need for separate 2FA credentials.
Shuvo Chatterjee, the product lead of Google’s Advanced Protection Program, has confirmed that passkeys are now available as part of the APP enrolment process with immediate effect. The APP is the strongest level of Google Account protection, bringing extra safeguards against the most common attacks launched against high-risk Gmail users: phishing and malware. Truth be told, you don’t need to be in a high-risk occupation to be targeted this way, and as such the APP makes for a sensible, security-minded choice for most users.
The financial burden of purchasing not one but two hardware security keys to use during the enrolment process has meant that many users have shied away from taking this next-level security step. By eliminating that burden, Google’s announcement means that the program has just opened up to a much larger user base. “Passkeys give high-risk users the option to rely on the ease and security that comes with using personal devices they already own,” Chatterjee said, “as opposed to another device or tool like a security key, for phishing-resistant authentication.”
Passkeys are another way to authenticate yourself to a service, an easier and more secure method than passwords according to Google. They are “phishing resistant so users are provided protection against things like fraudulent emails,” Chatterjee said, and come with that ease of use built-in as they rely on your facial scan, fingerprint or a PIN using a device, your smartphone for example, that you already own. Importantly, as far as usability goes, passkeys are used without the need for a password by default, although they can be used as a second factor in combination with one if desired. Unlike passwords, there is nothing to remember or type into your computer or mobile devices. They are also said to be more secure as they are tied to your device, your smartphone most commonly, and are never stored on servers where they might be susceptible to hacking or phishing attacks.
APP enrollment using a passkey couldn’t be easier. Just visit the APP start page and choose to enroll with a passkey when the option is offered. Although the passkey can be used to replace both the password credentials and 2FA parts of login, Google does still require you to choose a recovery method should you need to regain access to your account. This can be any of a telephone number, email address, separate passkey or hardware keys. A combination of these will be used in the process of regaining access to an account, which is necessarily tougher when part of the APP.