CyberSecurity SEE

Google Expands Passkey Support for Executives and Civil Society

Google has taken a significant step in enhancing online security by introducing passkey support to its Advanced Protection Program (APP). This move aims to promote strong authentication methods for high-risk individuals such as top executives, government employees, and members of civil society.

Passkeys offer a more secure alternative to traditional passwords: the user's private key is stored on a hardware endpoint and is used to authenticate to cloud services and websites by answering a cryptographic challenge. This not only simplifies sign-in for users but also helps prevent phishing and adversary-in-the-middle attacks, because the legitimacy of the website is verified as part of the authentication.
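The challenge and website check described above can be modeled in a few lines. This is an added example, not Google's code or part of the original article; it simplifies the FIDO/WebAuthn message format, and `RP_ID`, `ORIGIN` and the function names are assumptions made for the sketch.

```javascript
// Added illustration: simplified model of a passkey (WebAuthn-style) sign-in check.
// RP_ID, ORIGIN and the function names are assumptions made for this sketch.
const { generateKeyPairSync, createHash, randomBytes, sign, verify } = require('node:crypto');

const RP_ID = 'accounts.example';           // constructed relying-party ID
const ORIGIN = 'https://accounts.example';  // constructed legitimate origin
const sha256 = (d) => createHash('sha256').update(d).digest();

// Registration: the private key stays on the device, the service stores the public key.
const { privateKey, publicKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Device side: the browser records the origin it is really on, and the authenticator
// signs SHA-256(rpId) || SHA-256(clientDataJSON). Real data also carries flags and a counter.
function authenticatorSign(challenge, browserOrigin) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin: browserOrigin,
  }));
  const authData = sha256(RP_ID);
  const signature = sign('sha256', Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authData, signature };
}

// Service side: check type, challenge freshness, origin and RP ID, then the signature.
function verifyAssertion(a, expectedChallenge) {
  const cd = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (cd.type !== 'webauthn.get') return 'bad-type';
  if (cd.challenge !== expectedChallenge.toString('base64url')) return 'bad-challenge';
  if (cd.origin !== ORIGIN) return 'bad-origin';
  if (!a.authData.equals(sha256(RP_ID))) return 'bad-rp-id';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad-signature';
}

function demo() {
  const challenge = randomBytes(32);
  const genuine = authenticatorSign(challenge, ORIGIN);
  // A look-alike page relays the real challenge, but the browser reports that page's origin.
  const relayed = authenticatorSign(challenge, 'https://accounts-example.test');
  // Swapping in client data with the expected origin afterwards invalidates the signature.
  const rewritten = { ...relayed, clientDataJSON: genuine.clientDataJSON };
  return {
    genuine: verifyAssertion(genuine, challenge),        // 'ok'
    relayed: verifyAssertion(relayed, challenge),        // 'bad-origin'
    rewritten: verifyAssertion(rewritten, challenge),    // 'bad-signature'
    replayed: verifyAssertion(genuine, randomBytes(32)), // 'bad-challenge'
  };
}

console.log(demo());
```

In a real browser the request from the look-alike page would be refused even earlier, because the RP ID must match the domain of the page making the request.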

With the addition of passkey support, Google’s APP now allows users to utilize passkeys that adhere to FIDO standards, including those stored on existing devices or external security keys. This expansion enables users to secure their Google accounts, including services like Google Cloud Platform, Gmail, and Google Workspace.

Shuvo Chatterjee, product lead for Google’s APP, emphasized the importance of providing high-risk individuals with alternative authentication options. While the program has supported hardware FIDO2 keys from the start, the introduction of passkey support offers flexibility for users who may face obstacles in using hardware security keys. Chatterjee pointed out scenarios where individuals like journalists or campaign staffers may find it challenging to access hardware keys due to their circumstances, and passkeys provide a viable solution for them.

In conjunction with the passkey announcement, Google has partnered with Internews to offer security support to journalists and human rights workers globally. This initiative, spanning 10 countries, including Brazil, Mexico, and Poland, aims to bolster online security for vulnerable individuals.

Despite the efforts of major service providers like Amazon, Apple, and Microsoft in promoting passkey technology, awareness and adoption remain relatively low. Google’s Chatterjee is optimistic about the industry’s collective push towards passkey adoption, noting that over 400 million Google accounts have already used passkeys for authentication more than 1 billion times in less than a year.

While passkeys offer enhanced security, it’s crucial to acknowledge potential vulnerabilities. Recent reports have highlighted passkey redaction attacks as a threat, but Chatterjee gave assurances that Google’s implementation is designed to mitigate such risks. Because APP requires a security key or passkey for sign-ins on a new device, users are protected against potential redaction attacks.

Furthermore, Google’s APP allows users to strengthen their account recovery methods by adding options like phone numbers, emails, or additional passkeys or security keys. These additional recovery options provide an extra layer of security in case the device storing the passkey is lost, offering peace of mind to users.

In conclusion, Google’s introduction of passkey support in its Advanced Protection Program underscores the company’s commitment to enhancing online security for high-risk individuals. By providing alternative authentication methods and partnerships to support vulnerable groups, Google is taking proactive steps to safeguard user accounts and data in an increasingly digital world.
