1 Phone Number WON'T Save Your Hacked Google Account (Here's What Will)


Google’s top security program (APP) gets a key upgrade! You can now use your phone or computer for logins, making high-level security more accessible. Don’t ditch your backup methods, though: recovery for APP still requires extra steps.


Google MFA gets key upgrade


Google is enhancing its Advanced Protection Program to simplify strong multifactor authentication (MFA) by allowing secure cryptographic keys, known as passkeys, to take the place of physical token devices. Introduced in 2017, the program mandates the highest level of MFA. While traditional MFA methods use one-time passcodes delivered via SMS, email, or authenticator apps, Advanced Protection requires cryptographic keys stored on secure physical devices. Unlike passcodes, these keys are immune to phishing attacks and cannot be duplicated or intercepted.
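The phishing resistance described above comes from the key's response being tied to the site that requested it. As an added illustration (not code from Google or from the original article), the sketch below shows the origin, challenge and RP ID checks a server makes on a WebAuthn passkey assertion; the domain names and sample data are constructed.

```python
import base64, hashlib, hmac, json

RP_ID = "accounts.example"                    # constructed relying-party ID
EXPECTED_ORIGIN = "https://accounts.example"  # constructed origin

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: bytes) -> list:
    """Return the names of failed checks; an empty list means all passed.

    The signature over authenticatorData || SHA-256(clientDataJSON) must also
    be verified with the stored public key; that step is not shown here.
    """
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("type")
    sent = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(sent, b64url(expected_challenge).encode()):
        failures.append("challenge")          # stale or replayed response
    if client.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")             # produced on another site
    # authenticatorData: 32-byte SHA-256(RP ID), 1 flag byte, 4-byte counter
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failures.append("rpIdHash")
    if len(authenticator_data) < 37 or not authenticator_data[32] & 0x01:
        failures.append("userPresent")
    return failures

def sample_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed sample of what a browser and authenticator emit for `origin`."""
    client_data = json.dumps({"type": "webauthn.get", "origin": origin,
                              "challenge": b64url(challenge)}).encode()
    flags = bytes([0x05])                     # user present | user verified
    auth_data = (hashlib.sha256(rp_id.encode()).digest() + flags
                 + (1).to_bytes(4, "big"))
    return client_data, auth_data

if __name__ == "__main__":
    challenge = b"constructed-16-byte-nonce"
    print(check_assertion(*sample_assertion(EXPECTED_ORIGIN, RP_ID, challenge),
                          challenge))
    # Same challenge relayed through a look-alike site (constructed name):
    print(check_assertion(*sample_assertion("https://accounts.example.login.test",
                                            "login.test", challenge), challenge))
```

A one-time passcode carries no such origin or RP ID field, so a code typed into a look-alike page is just as valid when forwarded to the real site.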

 

APP security gets key flexibility

Google’s Advanced Protection Program (APP) requires users to use a key alongside a password whenever logging into an account on a new device. This requirement aims to prevent account takeovers like those in 2016, when Kremlin-backed hackers accessed Gmail accounts of Democratic officials, leading to leaked emails that interfered with the presidential election.

Previously, Google mandated two physical security keys for enrollment in APP. Now, users can opt for two passkeys or a combination of one passkey and one physical token. They can also use additional keys for heightened security. This change aims to offer more flexibility, addressing feedback from users who couldn’t afford physical keys or lived where they weren’t accessible.

However, users still need two keys to enroll. The requirement guards against account lockouts, which are more challenging to resolve for APP users than for non-APP accounts because of the rigorous recovery process.

 

APP unlocks security with phones

Passkeys, developed by the FIDO Alliance, are stored locally on a device and can also reside in hardware tokens that store MFA keys. They cannot be extracted from the device and require either a PIN, fingerprint scan, or facial recognition for access. Passkeys offer two-factor authentication: something the user knows (the initial password used during passkey generation) and something the user possesses (the device storing the passkey).

Google’s Advanced Protection Program (APP) now allows users to use passkeys alongside passwords for authentication, instead of strictly requiring physical security keys. This change aims to enhance accessibility, as many users already have phones and computers, which can now serve as devices for storing passkeys. While users still need two devices for enrollment to prevent lockouts, this flexibility makes the highest security tier offered by Google more attainable, particularly in regions where physical security keys are scarce or costly.

 

APP security: backup key, not phone

Google continues to recommend that users of its Advanced Protection Program (APP) provide a phone number and email address as backup measures, despite the rigorous recovery process involved. According to Shuvo Chatterjee, project lead for APP, having multiple recovery options is crucial for account resilience. These backups are essential in case users lose their security key or encounter other issues.

Chatterjee emphasized that a recovery phone number alone cannot grant access to an account, even if the number is compromised through methods like SIM swapping. The recovery process involves analyzing numerous signals to verify the user’s identity and situation, ensuring comprehensive security measures are in place before granting access.

While specific details about the recovery process remain confidential, Chatterjee highlighted the importance of multiple recovery options and the combination of various factors to facilitate account recovery for APP users effectively.

 
