Nearly 2 billion people use Gmail’s free email service, through which over 300 billion emails are processed daily. Consequently, Google accounts, which provide access to Gmail data, have become prime targets for both criminal and state-sponsored hackers. To protect high-risk users, such as politicians, activists, and journalists, Google offers the Advanced Protection Program (APP), which provides the highest level of security for accessing Google accounts. Historically, this has required the use of hardware security keys for two-factor authentication (2FA), until now. Google has announced that users enrolled in APP can now use passkeys instead of hardware security keys, streamlining the login process and eliminating the need for separate 2FA credentials.
Shuvo Chatterjee, the product lead for Google’s Advanced Protection Program, confirmed that passkeys are available immediately as part of the APP enrollment process. The APP provides the strongest protection for Google accounts, safeguarding against common attacks like phishing and malware, which frequently target high-risk Gmail users. However, any user can benefit from these enhanced security measures, not just those in high-risk professions.
Previously, the financial cost of purchasing hardware security keys discouraged many from enrolling in the APP. Google’s announcement that passkeys can be used instead makes the program accessible to a much wider audience. “Passkeys provide high-risk users the convenience and security of using their personal devices,” said Chatterjee, “eliminating the need for an additional device or tool like a security key for phishing-resistant authentication.”
How Does Google’s Advanced Protection Program Work?
The first time you sign in to your Google account on any device, you must use your passkey. This security measure prevents hackers, even those who have obtained your username and password from a data breach or phishing attack, from accessing your Google services, including Gmail. Attackers would need your passkey and the device it is enrolled on, along with access to your biometrics or PIN code. Additionally, APP provides extra protection by performing checks on downloads and either notifying you about or blocking potentially harmful files. For Android users, APP restricts downloads to verified app stores only.
Advanced protection also limits data access for apps, allowing only Google and verified third-party apps to access information from Google Drive or Gmail. You can specifically permit access to:
- All Google apps and services
- Apple Mail, Calendar, and Contacts on iOS and macOS
- “Mozilla Thunderbird desktop email clients with direct access to Gmail”
A temporary code can be generated to allow certain Apple apps to access your Gmail data. Moreover, account recovery under APP is more robust. “If anyone tries to recover your account,” Google states, “Advanced Protection takes extra steps to verify your identity,” which can take a few days to complete.
Enrolling in the APP using a passkey is straightforward. Visit the APP start page and choose to enroll with a passkey when prompted. While the passkey can replace both password credentials and the 2FA component of login, Google still requires you to select a recovery method in case you need to regain access to your account. This could be a telephone number, email address, a separate passkey, or hardware keys. A combination of these will be used to regain access to your account, ensuring a more stringent recovery process when enrolled in the APP.