Updated 12/07 with additional details about the Advanced Protection Program.
Nearly 2 billion people use the free Gmail email service, with over 300 billion emails passing through the service every day. It’s no wonder that your Google Account, which opens the door to that Gmail data, is a prime target for criminals and state-sponsored hackers. Google’s Advanced Protection Program is available to high-risk users like politicians, activists, and journalists, and offers the most secure option for accessing your account. This comes at a price, as hardware security keys were required as a two-factor authentication method – until now. Google has finally announced that users who sign up for the APP can use passkeys instead of hardware security keys, and use them as an all-in-one login method without the need for separate 2FA credentials.
Passkeys Can Now Replace Google Advanced Protection Program Hardware Keys and 2FA
Shuvo Chatterjee, product manager of Google’s Advanced Protection Program, confirmed that passkeys are now available as part of the APP registration process, effective immediately. The APP is the highest level of protection for Google Accounts, providing additional safeguards against the most common attacks that are often launched against high-risk Gmail users: phishing and malware. In fact, you don’t need to be in a high-risk profession to be targeted in this way, and as such, the APP is a sensible option for most users.
The financial burden of purchasing not one, but two hardware security keys to use during the sign-up process has made many users hesitant to take that extra security step. With that burden eliminated, Google’s announcement means the program has just been opened to a much broader user base. “Access keys give high-risk users the ability to leverage the convenience and security of using personal devices they already own,” Chatterjee said, “as opposed to another device or tool like a security key, for phishing-resistant authentication.”
How does Google’s Advanced Protection Program work?
When you first sign in to your Google Account on any device, you’ll need to use your passkey. This prevents a hacker, even one who has your username and password from a data breach or phishing attack, from being able to log in and compromise your Google services, including your Gmail account. These hackers can’t log in without your passkey, which means they’d also need the device your passkey is stored on and the means to access it via your biometrics or PIN. But APP goes beyond this protection and performs additional checks on downloads, for example. Try to download a potentially dangerous file and you’ll be warned or the download will be blocked. If you’re using an Android device, APP only allows downloads from verified app stores.
Advanced Protection also limits the data that apps, whether Google or third-party, can access. Most non-Google apps and services can’t access data in your Google Drive or Gmail accounts, but you can choose to allow the following to access Google data:
- All Google apps and services
- Apple Mail, Calendar, and Contacts apps on iOS and macOS
- Mozilla Thunderbird desktop email clients that directly access Gmail
- Allow non-Google apps to access your Google data
- Apple Apps on iOS
It’s possible to get a temporary code that will allow some Apple apps to access your Gmail data. Finally, account recovery is getting even more robust than usual. “If someone tries to take over your account,” Google said, “advanced protection takes extra steps to verify your identity.” That means it could take a few days to verify that you are who you say you are and regain access to your Google Account.
Registering for the APP using a passkey couldn’t be easier. Just visit the Application start page and choose to register with a passkey when the option is offered. While the passkey can be used to replace both the password credentials and the 2FA parts of the login, Google always requires you to choose a recovery method in case you need to regain access to your account. This could be a phone number, email address, a separate passkey, or hardware keys. A combination of these will be used in the process of regaining access to an account, which is necessarily more difficult when it is part of the APP.
What Is a Passkey and Why Should You Use One?
Passkeys are another way to authenticate to a service, one that Google says is simpler and more secure than passwords. They’re “phishing-resistant, helping protect users from things like email scams,” Chatterjee said, and they’re easy to use because they rely on your facial scan, fingerprint, or PIN using a device you already own, like your smartphone. It’s important to note that when it comes to ease of use, passkeys are passwordless by default, though they can be used as a second factor in combination with a password if you choose. Unlike passwords, there’s nothing to remember or type into your computer or mobile devices. They are also considered more secure because they are tied to your device, most often your smartphone, and are never stored on servers where they could be exposed to hacking or phishing attacks.
“Traditional password systems have proven themselves to be failing time and time again, as huge volumes of credentials are stolen every day,” said Eduardo Azanza, CEO of digital identity specialist Veridas. “As the digital threat landscape evolves, cybersecurity and online practices must evolve with it. Therefore, Google’s decision to make access keys the default login credential sends a strong message that we are moving toward a passwordless future.”