Updated 07/12 with additional details of the Advanced Protection Program.
Nearly 2 billion people use the free Gmail email service, with more than 300 billion emails flowing through the service daily. No wonder, then, that your Google account, which unlocks the door to that Gmail data, is a prime target for criminal and state-sponsored hackers alike. Google’s Advanced Protection Program is available to high-risk users such as politicians, activists and journalists, and offers the most secure option for accessing your account. This has come at a cost, as hardware security keys have been required as the second-factor authentication method—until now. Google has finally announced that users enrolling in the APP can use passkeys instead of hardware security keys and use them as an all-in-one login method without the need for separate 2FA credentials.
Shuvo Chatterjee, the product lead of Google’s Advanced Protection Program, has confirmed that passkeys are now available as part of the APP enrollment process with immediate effect. The APP is the strongest level of Google Account protection, bringing extra safeguards against the attacks most often launched against high-risk Gmail users: phishing and malware. Truth be told, you don’t need to be in a high-risk occupation to be targeted this way, so the APP is a sound security choice for most users, not just the ones it was designed for.
The financial burden of purchasing not one but two hardware security keys for the enrollment process has meant that many users have shied away from taking this next-level security step. By eliminating that cost, Google’s announcement opens the program up to a much larger user base. “Passkeys give high-risk users the option to rely on the ease and security that comes with using personal devices they already own,” Chatterjee said, “as opposed to another device or tool like a security key, for phishing-resistant authentication.”
When you initially sign into your Google account on any device you will be required to use your passkey. This stops an attacker, even one holding your username and password from a data breach or phishing attack, from signing in and compromising your Google services, including your Gmail account. Without your passkey they cannot sign in, which means they would also need the device your passkey lives on and the means to unlock it, your biometrics or PIN code. And because the browser only offers a passkey to the site it was created for, a lookalike phishing page can’t collect one the way it collects a typed password. But APP goes beyond sign-in protection and performs additional checks on downloads, for example. Try to download a potentially harmful file and you will be notified or the download blocked. If you are using an Android device, APP only allows app downloads from verified stores such as Google Play.
Advanced protection also restricts the data that apps, both Google and verified third-party ones, can access. Most non-Google apps and services are blocked from accessing data from your Google Drive or Gmail accounts, although you can choose to allow the following to access Google data:
A temporary code can be obtained that will allow some Apple apps to access your Gmail data. And finally, account recovery becomes even more robust than normal. “If anyone tries to recover your account,” Google said, “Advanced Protection takes extra steps to verify your identity.” This means that it can take a few days to verify that you are who you say you are and get access to your Google account back.
APP enrollment using a passkey couldn’t be easier. Just visit the APP start page and choose to enroll with a passkey when the option is offered. Although the passkey can be used to replace both the password and the 2FA parts of login, Google still requires you to choose a recovery method should you need to regain access to your account. This can be a telephone number, an email address, a separate passkey or hardware security keys. A combination of these will be used in the process of regaining access to an account, which is deliberately tougher for accounts enrolled in the APP.
Passkeys are another way to authenticate yourself to a service, an easier and more secure method than passwords according to Google. They are “phishing resistant so users are provided protection against things like fraudulent emails,” Chatterjee said, and come with that ease of use built-in as they rely on your facial scan, fingerprint or a PIN using a device, your smartphone for example, that you already own. Importantly, as far as usability goes, passkeys are used without the need for a password by default, although they can be used as a second factor in combination with one if desired. Unlike passwords, there is nothing to remember or type into your computer or mobile devices. They are also more secure because of how they are built: a passkey is a key pair, and the secret half, the private key, stays on your device, unlocked by your biometric or PIN and used only to sign a fresh challenge from the site it was created for. The server stores only the matching public key, so a breach of that server yields nothing an attacker can sign in with, and a lookalike domain never gets a signature it can use. One caveat on “tied to your device”: passkeys managed by Google Password Manager or Apple’s iCloud Keychain are synced between your own devices through the platform’s encrypted sync, so that phrase is strictly true only of device-bound passkeys such as those on a hardware key.
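The two protections described above, that a stolen password is useless without the device and that a lookalike site cannot obtain a usable passkey signature, are easier to see in code than in prose. The following is an added example written for this page, not Google’s implementation, modelled loosely on the WebAuthn assertion flow: the authenticator keeps a P-256 private key per relying party ID, signs authenticator data plus a hash of the browser’s client data, and the server holds only public keys. The names `Authenticator`, `RelyingParty`, the user `alice`, the domain `google.com` and the phishing domain `accounts-google.example` are all assumptions made for the illustration. `Scenario` runs four checks: a genuine login, a replay of the same assertion (the challenge is single-use), a phishing page asking the authenticator for a credential it never registered, and an attacker relaying an assertion made for their own domain to the real server.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

const (
	flagUserPresent  = 0x01 // WebAuthn UP flag
	flagUserVerified = 0x04 // WebAuthn UV flag: biometric/PIN check passed
)

// Assertion is what the authenticator hands back: authenticator data,
// the client data the browser produced, and a signature over
// authData || SHA-256(clientData).
type Assertion struct {
	AuthData, ClientData, Signature []byte
}

// Authenticator models the user's phone (an assumed simplification).
// Private keys are created here and never exported; each one is bound to
// the relying party ID (rpID) it was registered for.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // rpID -> private key
	counter uint32                       // signature counter, monotonically increasing
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a fresh key for rpID and returns only the public half.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Assert signs a challenge. rpID and origin come from the page the browser is
// actually on, not from the page's content, which is what defeats phishing.
// userVerified is the result of the local biometric/PIN check.
func (a *Authenticator) Assert(rpID, origin string, challenge []byte, userVerified bool) (*Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no passkey registered for %q", rpID)
	}
	if !userVerified {
		return nil, errors.New("user verification (biometric/PIN) failed")
	}
	a.counter++
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], byte(flagUserPresent|flagUserVerified))
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], a.counter)
	authData = append(authData, cnt[:]...)
	clientData, _ := json.Marshal(map[string]string{
		"type": "webauthn.get", "origin": origin, "challenge": fmt.Sprintf("%x", challenge),
	})
	cdHash := sha256.Sum256(clientData)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, ClientData: clientData, Signature: sig}, nil
}

// RelyingParty models the server side: it stores public keys only, so a
// breach of this table yields nothing a thief can sign in with.
type RelyingParty struct {
	rpID, origin string
	pubKeys      map[string]*ecdsa.PublicKey
	counters     map[string]uint32
	challenges   map[string][]byte // user -> outstanding single-use challenge
}

func NewRelyingParty(rpID, origin string) *RelyingParty {
	return &RelyingParty{rpID: rpID, origin: origin, pubKeys: map[string]*ecdsa.PublicKey{},
		counters: map[string]uint32{}, challenges: map[string][]byte{}}
}

func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// NewChallenge issues 32 random bytes that must come back signed.
func (rp *RelyingParty) NewChallenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.challenges[user] = c
	return c
}

// Verify checks challenge, origin, rpID hash, UV flag, counter and signature.
func (rp *RelyingParty) Verify(user string, as *Assertion) error {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	challenge, ok := rp.challenges[user]
	if !ok {
		return errors.New("no outstanding challenge (replay?)")
	}
	delete(rp.challenges, user) // single use, so a captured assertion cannot be replayed
	var cd map[string]string
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return err
	}
	if cd["type"] != "webauthn.get" || cd["challenge"] != fmt.Sprintf("%x", challenge) {
		return errors.New("challenge mismatch")
	}
	if cd["origin"] != rp.origin {
		return fmt.Errorf("origin %q is not %q", cd["origin"], rp.origin)
	}
	if len(as.AuthData) != 37 {
		return errors.New("malformed authenticator data")
	}
	rpHash := sha256.Sum256([]byte(rp.rpID))
	if !bytes.Equal(as.AuthData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch: assertion was made for another site")
	}
	if as.AuthData[32]&flagUserVerified == 0 {
		return errors.New("user verification flag not set")
	}
	count := binary.BigEndian.Uint32(as.AuthData[33:37])
	if count <= rp.counters[user] {
		return errors.New("signature counter did not increase: possible cloned credential")
	}
	cdHash := sha256.Sum256(as.ClientData)
	digest := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return errors.New("bad signature")
	}
	rp.counters[user] = count
	return nil
}

// Scenario registers one passkey and exercises a genuine login, a replay of
// that login, a phishing attempt at the authenticator, and a relayed
// assertion at the server. All names are constructed for the example.
func Scenario() (genuineOK, replayRejected, authenticatorRefused, serverRejected bool) {
	phone := NewAuthenticator()
	google := NewRelyingParty("google.com", "https://accounts.google.com")
	pub, _ := phone.Register("google.com")
	google.Register("alice", pub)

	// Genuine login from accounts.google.com.
	c := google.NewChallenge("alice")
	as, err := phone.Assert("google.com", "https://accounts.google.com", c, true)
	genuineOK = err == nil && google.Verify("alice", as) == nil
	// Submitting the same assertion twice fails: the challenge was consumed.
	replayRejected = google.Verify("alice", as) != nil

	// Phishing: a lookalike page relays Google's real challenge, but the
	// browser derives rpID from the page it is on, so no credential matches.
	c = google.NewChallenge("alice")
	_, err = phone.Assert("accounts-google.example", "https://accounts-google.example", c, true)
	authenticatorRefused = err != nil

	// Even with a passkey for the lookalike site, its assertion is bound to
	// that site's rpID and origin, so Google's server rejects the relay.
	phone.Register("accounts-google.example")
	relayed, _ := phone.Assert("accounts-google.example", "https://accounts-google.example", c, true)
	serverRejected = google.Verify("alice", relayed) != nil
	return
}

func main() {
	g, r, a, s := Scenario()
	fmt.Printf("genuine login accepted: %v\nreplay rejected: %v\nauthenticator refused phishing site: %v\nserver rejected relayed assertion: %v\n", g, r, a, s)
}
```

The order of checks in `Verify` matters in practice: the challenge is deleted before anything else is inspected so that a failed attempt cannot be retried with the same challenge, and the origin and rpID hash are checked before the signature so that a valid signature made for the wrong site is never accepted. Real WebAuthn also encodes the challenge in base64url and carries a credential ID; those details are omitted here to keep the phishing-resistance logic visible.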
“The traditional password systems have been shown to fail time and time again, as huge volumes of credentials are stolen every day,” Eduardo Azanza, CEO at digital identity specialists Veridas, said. “As the digital threat landscape evolves, cybersecurity and online practices must evolve with it. Therefore, the move by Google to set passkeys as the default sign-in credential is a strong message that we are moving toward a passwordless future.”