Google's Advanced Protection Program (APP) now offers passkeys as an alternative to physical security keys for high-risk users like journalists, activists, and political campaign staff. Passkeys are a more secure and phishing-resistant alternative to passwords based on the FIDO Authentication standard. To enroll in APP with a passkey, users need a compatible device and browser and follow the on-screen instructions.
Google has partnered with Internews to provide security support for journalists and human rights workers through a global network of security partners and trainers across 10 countries. The company also plans to expand dark web reports to all users with a Google Account later this month.
Passkeys can act as both a first- and second-factor, eliminating the need for passwords entirely. They are designed to secure online accounts against potential takeover attacks by ditching passwords in favor of biometrics or a PIN. Passkeys work across multiple devices, so if a user's device is lost or broken, they may have a backup available.
High-risk users can check if they have a compatible device and browser and complete the enrollment process. Google requires users to add recovery options during enrollment (e.g., phone number and email or another passkey) in case they get locked out of their account.
Google's Advanced Protection Program is aimed at people with public-facing positions or who engage in controversial work, and anyone can enroll for free. The program offers recovery options to help users regain access if they are ever locked out of their own account.
Passkeys have been used for authentication more than a billion times across over 400 million Google accounts since their deployment. They offer the same level of security as physical security keys but with added convenience. Google said that each day, users authenticate with passkeys more often than SMS one-time codes or one-time codes generated on apps like Google Authenticator.
Google's Advanced Protection Program uses strict multi-factor authentication requirements involving hardware tokens to protect accounts from targeted digital attacks. The program offers recovery options and works to keep everyone out of your account.