Google Targets Passkey Support to High-Risk Execs, Civil Society

Published: 23/11/2024   Category: security


The tech giant has rolled out passkey support for account authentication within its Advanced Protection Program to complement existing compatibility with FIDO2 hardware keys.



In the latest push to move people to strong authentication mechanisms for online accounts, Google is adding passkey support to its Advanced Protection Program (APP).
APP is a cyber defense effort meant to protect the accounts of high-risk targets such as top executives, government employees, and members of civil society. The move means that people at high risk of cyberattacks can forgo easy-to-steal, easy-to-guess passwords in favor of a passkey, which is a virtual form of the FIDO2 hardware security key scheme.
Passkeys are straightforward to use: users store a private key on a hardware endpoint using a secure hardware enclave or password manager, and that key is then used to authenticate to cloud services and websites by solving a cryptographic challenge. The solve takes place in the background; for the user, it's just a matter of using a thumbprint, face scan, or PIN to sign in.
Passkeys can also thwart phishing and adversary-in-the-middle (AitM) attacks because they verify that the website the user is signing in to is the legitimate one.
In the case of Google APP, it includes support for any passkeys that support FIDO standards, including those stored on devices the users already own, or external security keys that contain passkeys (like many of today's FIDO2 security keys). Users can use passkeys to secure any Google account, including Google Cloud Platform, Gmail, and Google Workspace.
"Individuals have been targeted by sophisticated adversaries forever, and this continues to grow," Shuvo Chatterjee, product lead for Google's APP, tells Dark Reading. "Google introduced the APP as a protective product for high-risk individuals long before anyone else did, because of our continued work to protect those who face these elevated threats."
"While the program has supported hardware FIDO2 keys from the beginning, this announcement of supporting passkeys as an option for enrollment is important for the many high-risk individuals we've heard from who simply cannot access hardware security keys," Chatterjee explains. He cites examples of a journalist covering a war zone who physically can't take the time to attach a bulky key, or a lower-level campaign staffer hopping across the country who might be operating on a grassroots budget and can't afford to go the hardware route.
"We've seen the global struggles of people wanting an extra layer of protection but unable to enroll for various reasons," he says. "For journalists, activists, politicians, business leaders, and others at higher risk of being targeted, this potentially removes one more obstacle in their way."
In tandem with the passkey announcement, Google launched a partnership with Internews to provide journalists and human rights workers with security support around the world through Internews' global network of security trainers. The program will span 10 countries, including Brazil, Mexico, and Poland.
Despite moves by major service providers including Amazon, Apple, Google's consumer business, and Microsoft to roll out the technology, passkey awareness and use remain low. That's something that Google's Chatterjee expects to change.
"One advantage is that passkeys are something the industry as a whole is pushing together," he says. "Whether it's Google, Apple, or Microsoft, or individual websites that support passkeys, this will become more common for people. It takes time to make that transition."
He said that in the less than a year that passkeys have been available to Google users, they've been used to authenticate people more than 1 billion times across over 400 million Google accounts.
It should be noted that the technology is not infallible and can be vulnerable to passkey redaction attacks, as eSentire detailed last week. In this case, that type of gambit is rendered moot for anyone using their Google passkeys in a normal authentication setting, Chatterjee stresses.
"The main chokepoint for that attack vector was stripping the passkey option from websites, forcing users to use a downgraded authentication method," he explains. "If you're in APP, you're not able to sign in with a downgraded authentication method, so a security key or passkey will be required for sign-ins on a new device."
In general, it's also a good idea to harden account recovery methods. APP's particular implementation of passkeys, for instance, allows Google account users to add recovery options during enrollment in case the device on which the passkey is stored is lost. The options include using a phone number, email, or another passkey or security key to recover the account; the latter two are certainly the more secure options.
