Skip to main content
The Verge logo.The Verge homepage
The Verge logo.

You can now protect your high-risk Google account with just your phone

You can now protect your high-risk Google account with just your phone

/

Google’s Advanced Protection Program required two physical security keys before — now all you need is a passkey.

By Wes Davis, a weekend editor who covers the latest in tech and entertainment. He has written news, reviews, and more as a tech journalist since 2020.

Share this story

Image of the Google “G” logo on a blue, black, and purple background.
Illustration: The Verge

Google has made it a little easier for those at more risk of targeted online attacks to enroll in its Advanced Protection Program for Google accounts. Now users can set it up with a single passkey — using the built-in biometric authentication of a Pixel phone or iPhone — instead of the two physical security keys the company previously required.

The Advanced Protection Program is aimed not at normal users but people like those working on political campaigns or journalists with sensitive information to protect. When it launched, the company required two physical security keys to activate it, and one of those keys plus a password to log in after that.

Related

Google changed the feature in 2023 to allow users to sign in with just a passkey — a passwordless login method that enables users to securely sign in to their accounts, apps, and services using built-in authentication on their devices. But you’d still need the two physical security keys to actually set it up.

To turn on the program, you can go to Google’s Advanced Protection Program page and click “Get started,” then the page will guide you through setup. At the end, you’ll have an option to set up with a passkey or a physical security key. The company also requires recovery methods like your phone number and an email address or a second passkey in case you get locked out of your account.

It’s very easy to do — in fact, I just did it myself. All I had to do was point my iPhone at a QR code in my browser and authenticate with Face ID.

What are passkeys?

Passkeys can replace traditional passwords with your device’s own authentication methods. That way, you can sign in to Gmail, PayPal, or iCloud just by activating Face ID on your iPhone, your Android phone’s fingerprint sensor, or with Windows Hello on a PC. 

Built on WebAuthn (or Web Authentication) tech, two different keys are generated when you create a passkey: one stored by the website or service where your account is and a private key stored on the device you use to verify your identity.

Of course, if passkeys are stored on your device, what happens if it gets broken or lost? Since passkeys work across multiple devices, you may have a backup available. Many services that support passkeys will also reauthenticate to your phone number or email address or to a hardware security key, if you have one.

Apple’s and Google’s password vaults already support passkeys, and so do password managers like 1Password and Dashlane. 1Password has also created an online directory listing services that allow users to sign in using a passkey.

More from Google