Go to Common questions with Advanced Protection for additional Advanced Protection Program FAQs.
Authentication behavior
Yes. You can use the Advanced Protection Program with accounts that federate from an IdP using SAML. When users with these accounts enroll in the Advanced Protection Program, Google requires a security key challenge after the user signs in on the IdP. Note that SAML users can select Remember the device to avoid repeated challenges on that browser or device.
You can enroll in Advanced Protection with one passkey or one physical security key. As part of enrollment, users must also add a backup: either recovery information, a backup passkey, or a second physical security key. If one key is lost or damaged, users can use the other to regain access to the account.
The behavior is the same as for users who are not enrolled in the Advanced Protection Program. Users are remembered on the device or browser they use to sign in to Google Workspace, and 2-Step Verification (2SV) challenges do not occur during future sign-ins on that same browser or device.
You can add a security key to your account on an iPhone or iPad running iOS 13.3 or later and Safari. For details, go to Add a key to your account.
To create a passkey for iOS or macOS, you must turn on iCloud Keychain. For details, go to What do I need to create a passkey?
A growing number of browsers, applications, and services support web-based authentication and have native support for security keys. However, there are still use cases where you can’t use a security key, such as platforms like Internet Explorer, or native mobile apps that use embedded WebViews. Also, if you're using Chrome Remote Desktop on a remote workstation, you might not be able to plug a security key into a USB port on that remote machine.
For these cases, there are 2 options:
Passkeys–Since the addition of passkeys, the Only security key limitation now supports both security keys and passkeys as a 2SV method. Users can create a passkey on a separate device, for example, a mobile phone, and use it to sign in to their account on the device that doesn’t support security keys.
Security codes–Users can generate one-time-use codes with a security key or a passkey on a platform that supports them. The device used with the security key or passkey to generate the code and the device used to sign in with the code must be on the same network. Codes are valid for 15 minutes.
Security codes are optional for users in the Advanced Protection Program. The security code options are in the same place in the Admin console as the enrollment settings. Using security keys or passkeys directly is more secure than also using security codes, and we recommend that admins use caution when allowing users to use security codes.
Applications access
By default, apps that require high-risk Gmail and Google Drive access are blocked. Exceptions are all Google apps, Apple native iOS apps, and the Mozilla Thunderbird mail client.
Users can be tricked into giving high-risk access to apps. The Advanced Protection Program is intended to protect the highest risk users, so we want to control this app phishing threat.
Admins can approve access for specific connected apps. The admin-approved list is honored: any app that requests high-risk access (see the previous answers) and is not on the admin-approved list is blocked.
Google first-party apps, including GCDS and GSPS, are allowed access without any admin action.
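The access rule above (block high-risk Gmail and Drive grants unless the app is Google first-party, one of the built-in exceptions, or admin-approved) is the kind of check an admin would also want to run over their own OAuth token audit records. The following is an added example, not Google's code or an official API: it evaluates constructed, simplified token-grant records against an admin allowlist. The set of high-risk scopes, the `client_type` labels, the client IDs and the sample events are all assumptions made for illustration.

```python
"""Audit OAuth token grants against an admin-approved connected-app list.

Added example, not part of the Advanced Protection Program documentation.
The records below are constructed; the field names are a simplification of
what a token audit event might contain, not a real Google log schema.
"""
import json
from dataclasses import dataclass

# Assumed set of high-risk (restricted) Gmail and Drive scopes; keep current
# against Google's own scope classification in a real deployment.
HIGH_RISK_SCOPES = frozenset({
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
})


@dataclass(frozen=True)
class Grant:
    user: str
    client_id: str
    app_name: str
    scopes: frozenset
    client_type: str  # assumed label: "GOOGLE" for first-party, "WEB" otherwise


def parse_token_events(lines):
    """Parse newline-delimited JSON token events (constructed format) into Grants."""
    grants = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        grants.append(Grant(
            user=ev["actor"],
            client_id=ev["client_id"],
            app_name=ev["app_name"],
            scopes=frozenset(ev.get("scope", [])),
            client_type=ev.get("client_type", "WEB"),
        ))
    return grants


def high_risk_scopes(grant):
    """Return the sorted high-risk scopes requested by this grant (empty if none)."""
    return sorted(grant.scopes & HIGH_RISK_SCOPES)


def evaluate(grant, admin_approved, builtin_exceptions=frozenset()):
    """Apply the allow/block rule; returns (decision, reason)."""
    risky = high_risk_scopes(grant)
    if not risky:
        return "allow", "no high-risk Gmail/Drive scope requested"
    if grant.client_type == "GOOGLE":
        return "allow", "Google first-party app"
    if grant.client_id in builtin_exceptions:
        return "allow", "built-in exception (Apple native iOS apps, Thunderbird)"
    if grant.client_id in admin_approved:
        return "allow", "admin-approved connected app"
    return "block", "high-risk scopes not admin-approved: " + ", ".join(risky)


def audit(lines, admin_approved, builtin_exceptions=frozenset()):
    """Evaluate every event and return (user, app_name, decision, reason) rows."""
    return [(g.user, g.app_name, *evaluate(g, admin_approved, builtin_exceptions))
            for g in parse_token_events(lines)]


# Constructed sample events; client IDs are placeholders, not real identifiers.
SAMPLE_EVENTS = [
    '{"actor": "alice@example.com", "app_name": "Mail Merge Helper", '
    '"client_id": "1234-unknown.apps.example", "client_type": "WEB", '
    '"scope": ["https://mail.google.com/", "https://www.googleapis.com/auth/userinfo.email"]}',
    '{"actor": "bob@example.com", "app_name": "Thunderbird", '
    '"client_id": "thunderbird-placeholder-client-id", "client_type": "NATIVE", '
    '"scope": ["https://mail.google.com/"]}',
    '{"actor": "carol@example.com", "app_name": "Calendar Sync", '
    '"client_id": "5678-calendar.apps.example", "client_type": "WEB", '
    '"scope": ["https://www.googleapis.com/auth/calendar.readonly"]}',
    '{"actor": "dave@example.com", "app_name": "Google Drive for desktop", '
    '"client_id": "google-first-party-placeholder", "client_type": "GOOGLE", '
    '"scope": ["https://www.googleapis.com/auth/drive"]}',
    '{"actor": "erin@example.com", "app_name": "Approved CRM", '
    '"client_id": "777-approved-crm.apps.example", "client_type": "WEB", '
    '"scope": ["https://www.googleapis.com/auth/gmail.readonly"]}',
]
ADMIN_APPROVED = frozenset({"777-approved-crm.apps.example"})
BUILTIN_EXCEPTIONS = frozenset({"thunderbird-placeholder-client-id"})

if __name__ == "__main__":
    for user, app, decision, reason in audit(SAMPLE_EVENTS, ADMIN_APPROVED, BUILTIN_EXCEPTIONS):
        print(f"{decision:5} {user:<18} {app:<26} {reason}")
```

Only the first event (a third-party web app asking for full Gmail access without admin approval) is blocked; the others are allowed because they request no high-risk scope, are Google first-party, fall under a built-in exception, or are on the admin list. Note that a grant with only non-restricted scopes is allowed regardless of who the client is, which is why reviewing which scopes an app actually requests matters more than its name.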
Gmail scanning
Advanced Protection Program users with the appropriate licenses get enhanced pre-delivery scans, and Security Sandbox is enabled. Enhanced pre-delivery scans are available for all editions. Security Sandbox is available only to Enterprise edition users.
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.