The password killers known as “passkeys” are now available to users of Google’s Advanced Protection Program, which works to add an additional layer of account protection for people who fear that they could face targeted digital attacks. The company is more than a year into supporting passkeys for all regular individual accounts and made them the default login option in October. But Google waited to offer passkeys to APP users until it was sure the community was ready to take the step.
APP users typically have a public-facing position or do controversial work. Anyone can enroll for free, but enabling Advanced Protection involves strict requirements for adding multi-factor authentication to an account, which previously involved hardware tokens. With the addition of passkeys, though, APP project manager Shuvo Chatterjee points out that APP’s defensive benefits will now be more usable and accessible to people around the world.
“Security keys are super-duper strong. They are an un-phishable factor,” Chatterjee told WIRED ahead of today’s announcement. “And yet it is still a thing that people have to carry around. They lose it, they cost a lot. So a request that we keep getting from the field is, are there other ways by which we can get the same level of security, but from something that’s more convenient and something we already have? Passkeys are something [that] works with the threat profile that our high-risk users deal with.”
With digital crime and online fraud exploding around the web, tech giants have stepped up their push in recent years to secure accounts and promote passkeys, a cryptographic authentication system, as a more-secure replacement for the scourge of passwords. Passkeys are stored locally on your devices (or can be stored on hardware tokens that support the protocol known as FIDO2) and are guarded by a fingerprint, face scan, or pin. Advanced Protection will also still offer users the option of enabling the service with traditional two-factor authentication where the hardware token is the second factor.
If you wish to join, use the Advanced Protection Program enrollment page, click “Get started,” and walk through the process to enroll with a passkey or a physical security key. While APP is meant to keep everyone out of your account, Chatterjee also emphasizes that the program offers recovery options that users should set up so they can regain access if they are ever locked out of their own account.
The passkey rollout hasn’t always been straightforward, but they are gradually proliferating around the world. Google said in April that passkeys were used for authentication more than a billion times across more than 400 million Google accounts in their first year of deployment. And the company says that each day, users authenticate with passkeys more often than SMS one-time codes or one-time codes generated on apps like Google Authenticator.
For Advanced Protection Program users who want the highest level of protection, though, the option to start using passkeys will mean less overhead and more possibilities.
“We’ve encountered many people who just don’t have access to security keys,” Chatterjee says. “They can’t get them in their country, they’re a journalist traveling in a war zone, they’re a campaign worker hopping from town to town. They don’t have security keys with them, but they have their phone with them. There are many situations where having the flexibility and security of passkeys is really important to this population.”