July 10, 2024 at 06:05AM
Google is extending the Advanced Protection Program (APP) by adding support for passkeys in an effort to enhance online account security for high-risk individuals. Passkeys, a virtual form of the FIDO2 hardware security key scheme, provide a more secure method of authentication and can help thwart phishing and adversary-in-the-middle attacks. In partnership with Internews, Google is also providing security support to journalists and human rights workers globally. Despite low awareness, passkeys have been used over a billion times across 400 million Google accounts in less than a year.
The key takeaways are:
1. Google is adding passkey support to its Advanced Protection Program (APP), which is aimed at protecting the accounts of high-risk targets such as top executives, government employees, and members of civil society.
2. Passkeys, which are a virtual form of the FIDO2 hardware security key scheme, allow high-risk individuals to authenticate to cloud services and websites with a secure and easy-to-use method such as a thumbprint, face scan, or PIN.
3. The support for passkeys in Google APP is significant as it allows high-risk individuals who can’t access hardware security keys to enroll in the program, removing obstacles for journalists, activists, politicians, business leaders, and others.
4. Google has also partnered with Internews to provide journalists and human rights workers with security support around the world through training programs in 10 countries.
5. Despite low awareness and use of passkeys, Google expects that passkey usage will become more common as major service providers and individual websites continue to support them.
6. Passkeys have been used to authenticate people more than 1 billion times across over 400 million Google accounts in less than a year since they became available.
7. It’s important to note that passkeys are not infallible and may be vulnerable to passkey redaction attacks, but Google’s implementation in APP ensures that a security key or passkey will be required for sign-ins on a new device, making the attack moot.
8. It is recommended to harden account recovery methods, and Google APP’s particular implementation of passkeys allows users to add recovery options during enrollment for added security.