Google is making it easier for people to lock down their accounts with strong multi-factor authentication by adding the option to store secure cryptographic keys in the form of passkeys instead of on physical token devices.
Google’s Advanced Protection Program, introduced in 2017, requires the strongest form of multi-factor authentication (MFA). While many forms of MFA rely on one-time passcodes sent via SMS or email or generated by authenticator apps, accounts enrolled in Advanced Protection require MFA based on cryptographic keys stored on a secured physical device. Unlike one-time passcodes, security keys stored on physical devices are immune to credential phishing and can’t be copied or sniffed.
Democratization of APP
APP, short for Advanced Protection Program, requires the key to be accompanied by a password whenever a user logs in to an account on a new device. The protection prevents the kind of account takeovers that enabled Kremlin-backed hackers to gain access to the Gmail accounts of Democratic officials in 2016 and then leak stolen emails to disrupt that year’s presidential election.
Until now, Google required people to have two physical security keys to enroll in APP. Now, the company is allowing people to use either two passkeys or one passkey and one physical token instead. People looking for more security can enroll with as many keys as they want.
“We're expanding the opening so that people have more choice in how they opt into this program,” Shuvo Chatterjee, the project lead for APP, told Ars. He said the move comes in response to comments Google received from some users who couldn't afford to purchase the physical keys or who lived or worked in regions where they weren't available.
As before, users are still required to register two keys, to prevent being locked out of their accounts if one of the keys is lost or broken. While lockouts are always a problem, they can be much worse for APP users, as the recovery process is much stricter and takes much longer than for accounts not enrolled in the program.
Passkeys are the creation of the FIDO Alliance, a cross-industry group made up of hundreds of companies. They are stored locally on a device and can also be stored in the same type of hardware token that stores MFA keys. Passkeys are permanently locked to the device and require either a PIN or a scan of a fingerprint or face. They provide two factors of authentication: something the user knows—the underlying password used when the passkey was first generated—and something the user has—in the form of the device the passkey is stored on.
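The phishing resistance described above comes from the way a passkey (or security key) assertion is bound to the relying party and to the web origin the browser is actually on, which a one-time passcode is not. The following is an added example, not code from the article or from Google or the FIDO Alliance: it models a TOTP check (real RFC 6238 arithmetic) next to a simplified WebAuthn-style assertion flow. The relying-party names, challenge value and the `Authenticator`, `browser_get` and `rp_verify` functions are all constructed for illustration, and a keyed HMAC stands in for the asymmetric signature a real authenticator produces so the example runs with the standard library only.

```python
"""Added example: why origin-bound credentials resist credential phishing
while one-time passcodes do not. All names and values are constructed."""
import hashlib
import hmac
import json
import os
import struct
import time


# --- One-time passcode (RFC 6238 TOTP, SHA-1, stdlib only) ---
def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def site_accepts_totp(secret: bytes, code: str, t: int) -> bool:
    # The real site cannot tell whether the code was typed on its own page
    # or on a look-alike page: the code carries no origin information.
    return hmac.compare_digest(totp(secret, t), code)


# --- Passkey-style assertion (simplified WebAuthn; HMAC stands in for ECDSA) ---
class Authenticator:
    """Credentials are scoped to an RP ID; there is no credential for other hosts."""

    def __init__(self) -> None:
        self.creds: dict[str, bytes] = {}

    def register(self, rp_id: str) -> bytes:
        key = os.urandom(32)
        self.creds[rp_id] = key
        return key  # in real WebAuthn the RP stores the *public* key

    def get_assertion(self, rp_id: str, client_data: bytes, user_verified: bool):
        key = self.creds.get(rp_id)
        if key is None:
            raise LookupError("no credential registered for this RP ID")
        flags = 0x01 | (0x04 if user_verified else 0)  # UP and UV bits
        auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
        signed = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(key, signed, hashlib.sha256).digest()


def browser_get(auth: Authenticator, origin: str, challenge: str):
    # The browser, not the page, fills in the origin and derives the RP ID
    # from it; a page cannot request a credential for a host it is not on.
    host = origin.split("://", 1)[1]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    auth_data, sig = auth.get_assertion(host, client_data, user_verified=True)
    return client_data, auth_data, sig


def rp_verify(pubkey: bytes, rp_id: str, expected_origin: str, challenge: str,
              client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != expected_origin:          # origin binding
        return False
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():  # RP ID binding
        return False
    if not auth_data[32] & 0x04:                     # PIN/biometric was required
        return False
    expected = hmac.new(pubkey, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def demo() -> tuple[bool, bool, bool, bool]:
    """Returns (otp accepted when relayed, passkey ok on real origin,
    passkey obtainable on look-alike origin, tampered client data accepted)."""
    now = int(time.time())
    secret = os.urandom(20)
    code = totp(secret, now)                       # entered on any page at all
    otp_relayed_ok = site_accepts_totp(secret, code, now)

    auth = Authenticator()
    pk = auth.register("accounts.example")         # constructed RP ID
    challenge = "constructed-challenge-1"
    real = browser_get(auth, "https://accounts.example", challenge)
    legit_ok = rp_verify(pk, "accounts.example", "https://accounts.example",
                         challenge, *real)

    try:  # constructed look-alike host: the authenticator has nothing for it
        browser_get(auth, "https://accounts-example.invalid", challenge)
        lookalike_obtainable = True
    except LookupError:
        lookalike_obtainable = False

    # Swapping the origin field after signing breaks the signed client-data hash.
    forged = real[0].replace(b"accounts.example", b"accounts-example.invalid")
    tampered_ok = rp_verify(pk, "accounts.example", "https://accounts-example.invalid",
                            challenge, forged, real[1], real[2])
    return otp_relayed_ok, legit_ok, lookalike_obtainable, tampered_ok


if __name__ == "__main__":
    print(demo())
```

The TOTP half shows that a correct code is accepted wherever it was typed, which is the property that makes one-time codes phishable; the passkey half shows the two checks a relying party performs that a look-alike host cannot satisfy, plus the user-verification flag that corresponds to the PIN or biometric requirement mentioned above.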
Of course, the relaxed requirements only go so far, as users still need to have two devices. But by expanding the types of devices that qualify, APP becomes more accessible, as many people already have a phone and a computer, Chatterjee said.
“If you’re in a place where you can’t get security keys, it’s more convenient,” he explained. “This is a step toward democratizing the extent to which people have access to [users] achieve the highest layer of security that Google offers.”
Despite the stricter controls on the APP account recovery process, Google reiterates its recommendation that users provide a backup phone number and email address.
“The most resilient thing is to have multiple things on file so that if you lose that security key or the key blows up, you have a way to get back into your account,” Chatterjee said. He didn't provide “secret sauce” details about how the process works, but he said it involves “a lot of signals that we're looking at to figure out what's really happening.
“Even if you have a recovery phone, a recovery phone by itself is not going to give you access to your account,” he said. “So if your SIM card gets swapped, that doesn't mean someone is going to get access to your account. It's a combination of different factors. It's the sum of those that will help you on your path to recovery.”
Google users can register for APP by visiting this link.