For some people, two-factor authentication just isn’t enough.
Google takes account security very seriously. You may be giving up more of your privacy than you like by using Google services and hardware, but that’s not the same thing as account security — and Google takes some pretty big steps to keep unauthorized users out of your account. The company also has some tools and policies designed to keep you from letting an unauthorized user in, like Chrome blocking websites that host malicious content. Google depends on you trusting them with your personal data as its business model. Playing fast and loose with security is a great way to lose that trust and Google knows it.
What Google can’t control is phishing and social engineering. It’s surprisingly easy to trick a lot of people into sending their account credentials by pretending to be a legitimate login or by claiming to need them to troubleshoot a problem. Random phishing attacks are in the news every now and then — and can happen to any one of us at any time — but some folks are at greater risk and are often targeted because of the data they might have access to. For those folks — politicians, journalists, activists, or any other high-profile public figure or executive — Google offers what it calls the Advanced Protection Program.
How does the Advanced Protection Program work?
Advanced Protection works by adding a physical identity layer to your account security through the use of security keys. This prevents a hacker or anyone from logging into your Google services even if they happen to have your password.
Advanced Protection provides a new way to prove that you are really you.
When you first sign-in to a webpage or app that acts as an access point to a Google service, you’ll need to authenticate using one of these physical keys. That means you need a key to sign into Gmail or Google Photos. It also means that if I send you an invite to a Google Doc that requires you to sign in, you’ll need the key. Same goes for any service that wants to access any part of your data that Google stores.
Advanced Protection also enhances Chrome’s real-time protection by automatically blocking a request for your Google account details unless it comes from the correct web server. If I build a site to try and trick you into entering your Google name and password, Advanced protection will refuse to connect through Chrome. And if you enable Advanced Protection, only Chrome will work to access your Google account data via the web.
What all this does is make sure that only a person with the right username, the right password, and the right security key in their hands can log into your Google account.
How much does it cost?
Advanced Protection is free, but you will need to purchase two security keys.
What is a security key?
A security key is a type of dongle. They are small devices that have electronics inside that can be part of a very strong authorization program, like Advanced Protection. When you insert a key into a USB port or activate it over Bluetooth or NFC, it sends a unique identifier to whatever software asked you to use the key. If that identifier is exactly the same as what the software expects, the check has passed.
For your Google account using Advanced protection, this replaces any two-factor authentication you may have enabled and you will be required to use the key(s) to authenticate instead. It’s not longer optional — it’s the only option.
You’ll need two keys to set up Advanced protection, and Google recommends these:
- Feitian MultiPass FIDO Security Key. This key works over Bluetooth, NFC, and USB on Android, iOS, Windows, Mac, and Linux. Because it uses Bluetooth it’s currently the only way to use Advanced protection on iOS, while Android can use both NFC and Bluetooth. This will be your main key and the one you keep with you.
- Yubico Security Key – U2F and FIDO2. This is your backup key and works on any computer with a USB port. It may work over USB on Android phones (with an adapter, of course), but you shouldn’t expect it to. You’ll put this key in a safe place in case you lose your main key.
Other security keys probably work, but these are what Google recommends as part of the program sign-up.
Drawbacks to Advanced Protection
Advanced protection is a dedicated security solution for people who need one. That means you’ll need to make compromises if you want to use it. In this case, that means you’re restricted to only using official Google apps for access to your account data.
Google can only allow apps they explicitly trust to access your account if you use Advanced Protection.
This means you’ll need to use Chrome instead of Firefox, Safari, or Edge. You’ll need to use the Google Gmail app, the Google Drive app, and all other official Google apps to access any of those services — third-party apps aren’t compatible. For iOS users, it means that the iOS mail, contacts, and calendar apps will not work when using a Google account secured with Advanced protection and the Google versions will need to be installed through the App Store. It also means that desktop programs like MailPlane or Outlook won’t work, and you’ll need to visit Gmail on the web, using Chrome. (It should go without saying that Chrome OS works just fine.)
This is because of trust. Not the kind of trust you or I mean when we loan a friend $5, but explicit trust from Google for an application to act on their behalf and present itself to you as Google would. It doesn’t mean that Google doesn’t trust Apple when it comes to Safari. It only means that the two companies haven’t worked together to make Safari 100 percent compatible with the program. Yet.
It’s very possible that more software will fall under this umbrella of trust in the future, or maybe none will. You just need to know before you begin that your favorite app might not work if you enable Advanced Protection.
Should I use Advanced Protection?
If you need to ask, the answer is probably no. I’m not saying this to look like an online elitist jerk, but because it’s true — Advanced Protection is a major overhaul to how you use your Google account and most of us don’t need it.
Google makes it clear that this is an option because high-profile public figures have been hacked and need a better way to keep their accounts safe. French President Emmanuel Macron, for example, would need Advanced Protection on his personal Google account (if he has one) but chances are nobody is targeting you or me and we don’t need it. But we could use it if we liked and outside of the listed restrictions, all of our data is as accessible as it ever was.
For most of us "regular" folk, a better option is a strong password and two-factor authentication. You can even use a security key for two-factor authentication if you like, but Advanced Protection is probably overkill for the average Joe or Jane.
August 10, 2018 at 07:00AM