Getty Images
Google is making it easier for users to lock down their accounts with stronger multi-factor authentication by adding the ability to store secure cryptographic keys as access keys rather than on physical token devices.
Google’s Advanced Protection program, launched in 2017, requires the strongest form of multi-factor authentication (MFA). While many forms of MFA rely on one-time passcodes sent via SMS or email or generated by authenticator apps, accounts enrolled in Advanced Protection require multi-factor authentication based on cryptographic keys stored on a secure physical device. Unlike one-time passcodes, security keys stored on physical devices are immune to credential phishing and can’t be copied or spied on.
Democratize the APP
APP, short for Advanced Protection Program, requires that the key be accompanied by a password every time a user logs into an account on a new device. That protection prevents the kinds of account hijackings that allowed Kremlin-backed hackers to access Democratic officials’ Gmail accounts in 2016 and leak stolen emails to interfere with that year’s presidential election.
Until now, Google required users to have two physical security keys to sign up for APP. Now, the company is allowing users to use two access keys or one access key and one physical token. Those looking for extra security can sign up using as many keys as they want.
“We’re widening the gap so people have more choice in how they sign up for this program,” Shuvo Chatterjee, the APP project lead, told Ars. He said the move follows feedback Google received from some users who couldn’t afford to buy the physical keys or who lived or worked in areas where they weren’t available.
As always, users should always have two keys to register to avoid being locked out of their account if one is lost or broken. While lockouts are always a problem, they can be much worse for APP users, as the recovery process is much more rigorous and takes much longer than for accounts not registered with the program.
Passkeys are a creation of the FIDO Alliance, a cross-industry group of hundreds of companies. They are stored locally on a device and can also be stored in the same type of hardware token that stores MFA keys. Passkeys cannot be extracted from the device and require either a PIN, fingerprint, or face. They provide two factors of authentication: something the user knows (the underlying password used when the passkey was first generated) and something the user has (in the form of the device that stores the passkey).
Of course, relaxing the requirements only goes so far, since users still need to own two devices. But by expanding the types of devices required, APP becomes more accessible, since many people already own a phone and a computer, Chatterjee said.
“If you’re in a place where you can’t get security keys, this is more convenient,” he said. “This is a step toward democratizing access (to users) to this highest level of security that Google offers.”
Despite the increased scrutiny involved in the APP account recovery process, Google is reiterating its recommendation that users provide a phone number and email address as a backup.
“The best way to protect your account is to have multiple things on file. So if you lose that security key or it blows up, you have a way to get back into your account,” Chatterjee said. He wouldn’t provide the “secret” details of how the process works, but said it involves “tons of signals that we look at to understand what’s really going on.”
“Even if you have a recovery phone, that alone will not allow you to access your account,” he said. “So if you have undergone a SIM swap, it does not mean that someone will have access to your account. It is a combination of various factors. It is the sum of these factors that will help you on the road to recovery.”
Google users can sign up for the APP by visiting this link.
News Source : arstechnica.com
Gn tech
