Google Is Adding Passkey Support for Its Most Vulnerable Users

The password killers known as “passkeys” are now available to users of Google’s Advanced Protection Program, which works to add an additional layer of account protection for people who fear that they could face targeted digital attacks. The company is more than a year into supporting passkeys for all regular individual accounts and made them the default login option in October. But Google waited to offer passkeys to APP users until it was sure the community was ready to take the step.

APP users typically have a public-facing position or do controversial work. Anyone can enroll for free, but enabling Advanced Protection involves strict requirements for adding multi-factor authentication to an account, which previously involved hardware tokens. With the addition of passkeys, though, APP project manager Shuvo Chatterjee points out that APP’s defensive benefits will now be more usable and accessible to people around the world.

“Security keys are super-duper strong. They are an un-phishable factor,” Chatterjee told WIRED ahead of today’s announcement. “And yet it is still a thing that people have to carry around. They lose it, they cost a lot. So a request that we keep getting from the field is, are there other ways by which we can get the same level of security, but from something that’s more convenient and something we already have? Passkeys are something [that] works with the threat profile that our high-risk users deal with.”

With digital crime and online fraud exploding around the web, tech giants have stepped up their push in recent years to secure accounts and promote passkeys, a cryptographic authentication system, as a more-secure replacement for the scourge of passwords. Passkeys are stored locally on your devices (or can be stored on hardware tokens that support the protocol known as FIDO2) and are guarded by a fingerprint, face scan, or pin. Advanced Protection will also still offer users the option of enabling the service with traditional two-factor authentication where the hardware token is the second factor.