Google is enhancing its account security measures by introducing a new option for multifactor authentication (MFA) within its Advanced Protection Program (APP). This update allows users to store secure cryptographic keys as passkeys, offering an alternative to physical token devices.

The APP, launched in 2017, has been known for its stringent MFA requirements. Unlike traditional MFA methods that use one-time passcodes sent via SMS, email, or generated by apps, APP has required cryptographic keys stored on secure physical devices. These security keys are resistant to credential phishing and cannot be duplicated or intercepted.

Previously, APP enrollment necessitated two physical security keys. Now, Google is expanding options to include two passkeys or a combination of one passkey and one physical token. This flexibility aims to make APP more accessible to a broader user base, addressing concerns about the cost and availability of physical keys in certain regions.

Shuvo Chatterjee, the APP project lead, explained that this change responds to user feedback, particularly from those facing financial or geographical barriers to obtaining physical keys. The new approach maintains the two-key requirement to prevent account lockouts, which can be especially problematic for APP users due to the program's rigorous recovery process.

Passkeys, developed by the FIDO Alliance, offer a secure alternative to traditional passwords. They are stored locally on devices and can also be kept in hardware tokens. Passkeys combine two authentication factors: something the user knows (the underlying password used during passkey generation) and something the user has (the device storing the passkey).

While the relaxed requirements still necessitate two devices, the increased flexibility makes APP more accessible to those who already own a phone and computer. Chatterjee views this as a step towards democratizing access to Google's highest tier of security.

Despite the changes, Google continues to recommend that users provide a backup phone number and email address for account recovery. Chatterjee emphasizes that the recovery process involves multiple factors and signals, ensuring that a compromised recovery phone alone wouldn't grant unauthorized access to an account.

This update represents a significant move towards balancing high-level security with user convenience, potentially increasing the adoption of Google's most robust account protection measures.