Google Targets Passkey Support to High-Risk Execs, Civil Society

In the latest push to move people to strong authentication mechanisms for online accounts, Google is adding passkey support to its Advanced Protection Program (APP).

APP is a cyber defense effort meant to protect the accounts of high-risk targets such as top executives, government employees, and members of civil society. The move means that people at high risk of cyberattacks can forgo easy-to-steal/easy-to-guess passwords in favor of a passkey, which is a virtual form of the FIDO2 hardware security key scheme.

Passkeys are straightforward to use: Users store a private key on a hardware endpoint using a secure hardware enclave or password manager, which is then used to authenticate to cloud services and websites by solving a cryptographic challenge. That solve takes place in the background, and for the user, it's just a matter of using a thumbprint, face scan, or PIN to sign in.

Passkeys can also thwart phishing and adversary-in-the-middle (AitM) attacks because they verify that websites the user is trying to access are legitimate.

In the case of Google APP, it includes support for any passkeys that support FIDO standards, including those stored on devices the users already own, or external security keys that contain passkeys (like many of today's FIDO2 security keys). Users can use passkeys to secure any Google account, including Google Cloud Platform, Gmail, and Google Workspace.

"Individuals have been targeted by sophisticated adversaries forever, and this continues to grow," Shuvo Chatterjee, product lead for Google's APP, tells Dark Reading. "Google introduced the APP as a protective product for high-risk individuals long before anyone else did, because of our continued work to protect those who face these elevated threats."

While the program has supported hardware FIDO2 keys from the beginning, "this announcement of supporting passkeys as an option for enrollment is important for the many high-risk individuals we've heard from who simply cannot access hardware security keys," Chatterjee explains. He cites examples of a journalist covering a war zone who physically can't take the time to attach a bulky key, or a lower-level campaign staffer hopping across the country who might be operating on a grassroots budget and can't afford to go the hardware route.

"We've seen the global struggles of people wanting an extra layer of protection but unable to enroll for various reasons," he says. "For journalists, activists, politicians, business leaders, and others at higher risk of being targeted, this potentially removes one more obstacle in their way."

In tandem with the passkey announcement, Google launched a partnership with Internews to provide journalists and human rights workers with security support around the world through Internews' global network of security trainers. The program will span 10 countries, including Brazil, Mexico, and Poland.

Passkeys Inch Into Public's Consciousness

Despite moves by major service providers including Amazon, Apple, Google's consumer business, and Microsoft to roll out the technology, passkey awareness and use remain low. That's something that Google's Chatterjee expects to change.

"One advantage is that passkeys are something the industry as a whole is pushing together," he says. "Whether it's Google, Apple, or Microsoft, or individual websites who support passkeys, this will become more common for people. It takes time to make that transition."

He said that in less than a year since passkeys have been available to Google users, they've been used to authenticate people more than 1 billion times across over 400 million Google accounts.

It should be noted that the technology is not infallible and can be vulnerable to passkey redaction attacks, as eSentire detailed last week. In this case, that type of gambit is rendered moot for anyone using their Google passkeys in a normal authentication setting, Chatterjee stresses.

"The main chokepoint for that attack vector was stripping the passkey option from websites, forcing users to use a downgraded authentication method," he explains. "If you're in APP, you’re not able to sign in with a downgraded authentication method, so a security key or passkey will be required for sign-ins on a new device."

In general, it's also a good idea to harden account recovery methods. APP's particular implementation of passkeys, for instance, allows Google account users to add recovery options during enrollment in case the device the passkey is stored in is lost. The options include using a phone number, email, or another passkey or security key to recover the account; the latter two are certainly the more secure options.