Google strengthens Advanced Protection Program with passkey integration
To enroll in APP with a passkey, users need a compatible device and browser
Google has announced a significant upgrade to its Advanced Protection Program (APP), offering high-risk users the option to enroll with passkeys instead of physical security keys.
APP offers the highest level of Google account security, specifically designed for individuals like journalists, public figures and activists who face a heightened risk of cyberattacks.
Previously, APP enrollment required two physical security keys, which can be inconvenient for some users.
The introduction of passkeys streamlines the APP enrollment process.
Passkeys leverage the security features of a user's existing device, such as a smartphone or laptop, eliminating the need for additional hardware.
Built on Web Authentication (WebAuthn) technology, creating a passkey generates two unique keys. The public key is stored by the service you're signing in to, while the other private key resides on the users' device for verification.
Passkeys work seamlessly with fingerprint scanners, facial recognition, PINs, or even screen lock patterns, providing a more user-friendly and robust authentication method.
Both Apple's and Google's built-in password managers already support passkeys, as do popular password managers like 1Password, KeePassXC and Dashlane.
"Traditionally, users were required to have two physical security keys to enroll in APP, using their password and one of the security keys to log in. However, we understand that users might not always have access to physical security keys or the ability to buy one," said Shuvo Chatterjee, product lead of Google's Advanced Protection Program.
"Passkeys give high risk users the option to rely on the ease and security that comes with using personal devices they already own, as opposed to another device or tool like a security key, for phishing resistant authentication."
To enroll in APP with a passkey, users simply need a compatible device and browser. Most desktop browsers and some mobile browsers now support passkeys.
Enrolling in APP with a passkey is a straightforward process. Users simply visit the APP enrollment page and follow the on-screen instructions. They can choose between passkey or physical key enrollment based on their preference.
Additionally, Google mandates a recovery option during enrollment, such as a phone number and email or another passkey/security key, to ensure account access in case of lockouts.
This move builds upon Google's ongoing commitment to passwordless sign-in.
In October 2023, Google introduced support for passwordless sign-in on all Google accounts, and in October 2022, the company integrated passkey functionality into its Chrome web browser and the Android operating system.
Google partners with Internews
In a separate initiative, Google partnered with Internews, a non-profit organisation supporting independent media outlets globally.
This collaboration aims to provide digital security training to journalists and human rights workers in 10 countries across Europe, Asia and Latin America.
The training will focus on equipping participants with the knowledge and tools to defend against phishing attacks and other online threats.
"The partnership complements our ongoing work to make online safety tools and resources like APP, Project Shield and more easily available for high risk users," Google said.
"To date, our partner network has distributed more than 200,000 free security keys worldwide and provided security training in 20 countries from Asia and Europe to North America. We've also expanded our security training with Defending Digital Campaigns, IFES, Possible and Asia Centre."