Google Account Advanced Protection now supports passkey login. A solution that’s as secure as physical keys, while being much more convenient!
Since 2017, Google has offered an advanced protection feature for the accounts of so-called “high-risk” users, such as business leaders, journalists, election campaign teams, politicians or activists, who fear being spied on by intelligence agencies or targeted by powerful viruses. This feature transforms their Google account into a real safe. Instead of using codes sent by SMS or generated by authentication applications (such as Google Authenticator), you have to use physical keys to access it. It is much more secure, because SMS messages can easily be intercepted and the smartphone can be hacked. With a physical key, none of this is possible. However, this means of protection is not the easiest to manage. But there is now an alternative that is just as secure.
As it announces in a blog post, Google has updated its program, which can now support passkeys – also called access keys. These allow you to log in to your account using biometric authentication – fingerprints or facial recognition – or a PIN code, and are therefore resistant to online attacks such as phishing, thus offering increased security.
Google Passkey: securely log in to your Google account
Passkeys are much easier to manage than physical keys, which can be lost or forgotten, while providing an equivalent level of security. “Passkeys provide high-risk users with the ability to rely on the ease and security of using their personal devices they already own, rather than relying on another device or tool like a security key, for phishing-resistant authentication,” assures Google.
But while setting up access keys is child’s play, behind this apparent simplicity lies a complex technology that has been in the making for years. The principle is as follows: the user chooses a device – logically their smartphone – as the main authentication system on sites and applications. When activating the passkeys, the device generates a pair of cryptographic keys: the first, called “public”, is sent to the service provider – in this case Google – while the second, called “private”, is stored in the device. Each time a connection is attempted, the device sends the service an authentication message produced with the private key. If it is verified by the “public” key present on the server, the connection is authorized!
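The key-pair principle described above, as an added example that is not Google's code and does not reproduce the real WebAuthn message format. It assumes a Node.js runtime; the origin strings and the function names `createPasskey`, `createServer` and `demo` are constructed for illustration. It shows the server accepting a fresh login and rejecting a replayed one, one signed for a different origin, and one signed by a different key.

```javascript
// Simplified model of passkey registration and login (not the WebAuthn wire format).
const nodeCrypto = require('node:crypto');

const EXPECTED_ORIGIN = 'https://accounts.example.test'; // constructed service origin

// Device side: the private key stays inside this closure and is never exported.
function createPasskey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey, // sent to the service once, at registration
    // Sign the server's challenge together with the origin the browser is really on.
    sign(challenge, origin) {
      const clientData = JSON.stringify({ challenge, origin });
      const signature = nodeCrypto.sign('sha256', Buffer.from(clientData), privateKey);
      return { clientData, signature };
    },
  };
}

// Server side: holds only the public key and issues one-time random challenges.
function createServer(publicKey) {
  const pending = new Set();
  return {
    newChallenge() {
      const challenge = nodeCrypto.randomBytes(32).toString('base64url');
      pending.add(challenge);
      return challenge;
    },
    verify({ clientData, signature }) {
      if (!nodeCrypto.verify('sha256', Buffer.from(clientData), publicKey, signature)) return 'bad-signature';
      const { challenge, origin } = JSON.parse(clientData);
      if (origin !== EXPECTED_ORIGIN) return 'wrong-origin';
      if (!pending.delete(challenge)) return 'unknown-or-replayed-challenge';
      return 'ok';
    },
  };
}

function demo() {
  const device = createPasskey();
  const server = createServer(device.publicKey);
  const login = device.sign(server.newChallenge(), EXPECTED_ORIGIN);
  const first = server.verify(login);
  const replay = server.verify(login); // same signed message presented a second time
  const phished = server.verify(device.sign(server.newChallenge(), 'https://accounts.example-login.test'));
  const forged = server.verify(createPasskey().sign(server.newChallenge(), EXPECTED_ORIGIN));
  return { first, replay, phished, forged };
}
```

Because the signature covers both the one-time challenge and the origin, a message captured earlier or produced on a lookalike site fails server-side verification even though the user's device and key are genuine.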
This new authentication system is being adopted by more and more online services. In May 2023, Google authorized the use of passkeys for individual accounts (see our article). To enable advanced protection and use a passkey, follow the instructions on this page from Google. Please note that you must have a compatible device, such as a laptop or desktop computer with Windows 10, macOS Ventura, or ChromeOS 109, or a mobile device running iOS 16 or Android 9 or later.