
MacRumors

macrumors bot
Original poster
Apr 12, 2001
67,961
38,673


Google today announced that it has added a new passkey set-up option to its Advanced Protection Program, allowing Pixel and iPhone owners to use their device's biometric authentication instead of physical security keys.


For those unfamiliar with the Advanced Protection Program, it's designed for high-profile Google product users who need maximum protection from hacking attempts. It's a feature aimed at journalists, activists, business leaders, and others who feel vulnerable to targeted security breaches.

When it launched in 2017, Google required users to have two physical security keys to activate it, and one of those keys plus a password to log in. Last year, the company changed the feature so that users could sign in with just a passkey, but the physical security keys were still required to set it up.

From today, that's no longer the case. When users get started with Google's Advanced Protection Program, they will have the option to set up with either a passkey or a physical security key.

Passkeys are easier to use and more secure than passwords because they let users sign in to apps and sites the same way they unlock their devices: With Face ID, Touch ID, or a device passcode. Passkeys are also resistant to online attacks like phishing, making them more secure than things like SMS one-time codes.

Article Link: Google Advanced Protection Program Adds Single Passkey Set-Up Option
 
The problem with all these security measures is either they allow an alternate way in case your primary method fails or you risk losing your account. Often the alternate method is something weak like SMS two factor.
 
The problem with all these security measures is either they allow an alternate way in case your primary method fails or you risk losing your account. Often the alternate method is something weak like SMS two factor.
Google’s Advanced Protection Program requires a security key or passkey when signing in. Weaker methods are not accepted.

Apple don’t accept alternate methods when signing in if security keys have been set up.
 
It seems like a lot of platforms are now just dropping passwords entirely. Instead they jump to just sending a code or link to your email, which is what resetting your password would do anyways.

I guess this way the platforms have no liability issues when it comes to password breaches, since they don’t store any.

Seems lazy, but I guess it’s effective… as long as your email authentication is strong.
 
"Passkeys are so secure!" ---> proceeds to sync said passkeys (via iCloud keychain or otherwise) to every device in one's life, out of convenience, hence making them as weak as the security on said devices (see: shoulder surfing, password guessing, cloud account takeover, etc)

Now if they compromise your iCloud account they also have your Google passkey.
 
It seems like a lot of platforms are now just dropping passwords entirely. Instead they jump to just sending a code or link to your email, which is what resetting your password would do anyways.

I guess this way the platforms have no liability issues when it comes to password breaches, since they don’t store any.

Seems lazy, but I guess it’s effective… as long as your email authentication is strong.
A code or a link in an unencrypted email? Omg...
 
I kind of like the concept of these (various) security keys like Yubikey and so forth. One reason for not already having this stuff is the slow adaptation of USB C by Apple.

I wouldn't get stuff like that from Google though. I want these keys to be fully cross platform and independent of MS/Apple/Google/Facebook/WhatNot. Stuff like this too closely related to one of the platforms tends to enforce doubling up for other platforms or additional replacement costs if diversifying a bit. I want the freedom to do that without having to purchase a new house, car, remarry and adopt a bunch of kids. Or leave my dog behind.

The same goes for software really, e.g. DaVinci Resolve, Blender and Maya all run on various platforms, to mention a few on the heavy side of things. Or 1Password ++. Keys and password organisers should work across platforms, and USB C helps.

Might be nothing you are considering right now, or perhaps ever, but sometimes we can delete love from a love-hate relationship, and I kind of want the moving on bit to be as trouble free as possible. A bit like having f**kyou money to cover your back.
 
This has nothing to do with the phone you use. This is for high profile individuals who are targets to offer more strict protections to keep their account secure.
A tad wider audience I should think. A lot of people work with seemingly lame stuff quite interesting to the competition.

...or simply to keep the wife off your personal digital stuff. Cash in the bank and a divorce on the horizon, Yubikey keeps you afloat.
 
Google’s Advanced Protection Program requires a security key or passkey when signing in. Weaker methods are not accepted.

Apple don’t accept alternate methods when signing in if security keys have been set up.
That’s good. It always seems weird when secure methods are allowed to be bypassed by unsecure ones.

I tried security keys on my Apple account in normal non lockdown mode and I couldn’t see the point. Maybe lockdown mode is needed for them to be more useful.
 
A code or a link in an unencrypted email? Omg...
One of my accounts does something similar. I can choose to enter my username and password then it will send me a code in my email to verify or I can choose not to enter my password and have a code sent 😂
 
I wish more companies offered Passkey security.
Useless complication since login/password is still available on all passkey sites. I find it ironic that Apple pushes passkey but doesn’t support it for their major sites.
 
it's designed for high-profile Google product users who need maximum protection from hacking attempts. It's a feature aimed at journalists, activists, business leaders,
I'm just some random nobody, but I think I'll try this. 😎
 
A code or a link in an unencrypted email? Omg...
There isn't really a difference compared to how most platforms operate anyways. If you forget your password, it just sends a code or link in an email. So, they are just skipping the essentially redundant password and sending you a link immediately.
 