Advanced Protection Program locks down Google accounts

Google's Advanced Protection Program greatly increases the security of user accounts, but the usability tradeoffs may not be worth it for average users.

The latest Google multifactor authentication service aims to protect high-risk users from targeted attacks, but it will add complexity to logins.

Google's Advanced Protection Program has been designed to help keep users safe from phishing attacks, such as spear phishing, and it prevents unauthorized access to Gmail accounts by having users take advantage of physical security keys -- like a YubiKey -- for authentication.

"Journalists, human-rights defenders, environment campaigners and civil society activists working on any number of sensitive issues can quickly find themselves targeted by well-resourced and highly capable adversaries," Andrew Ford Lyons, a technologist at Internews, based in Arcata, Calif., said in Google's announcement post. "For those whose work may cause their profile to become more visible, setting this up could be seen as an essential preventative step."

Google's Advanced Protection Program could help to prevent some types of cyberattacks seen over the past couple of years, including the phishing schemes that compromised the Gmail account of Hillary Clinton's campaign chairman, John Podesta, and the Google Docs phishing attack.

According to Google, the Advanced Protection Program focuses on three areas of defense: using a security key for multifactor authentication, limiting third-party app access to Gmail and Google Drive, and mitigating fraudulent account access by adding steps to the account-recovery process.

Google warned that third-party mobile apps, like Apple Mail, Calendar and Contacts, "do not currently support security keys and will not be able to access your Google data," so Advanced Protection Program users would need to use Google's first-party apps for now.

How the Google Advanced Protection Program works

Google has supported security keys for multifactor authentication in the past and has an option to use mobile devices as a multifactor device. But the Advanced Protection Program is far stricter, because there will be no backup options with SMS or stored authentication codes.

Users will only be able to log in to Google accounts with their password and registered security keys. If a security key is lost, the account recovery will be more onerous than answering simple security questions, but Google has yet to provide details on what such a recovery process will entail.

Although anyone can enroll in the Advanced Protection Program, Google admitted in its blog post that it would be best for those who "are willing to trade off a bit of convenience for more protection of their personal Google Accounts."

At the start, the Advanced Protection Program requires the use of the Chrome browser and two security keys that support the FIDO U2F standard -- one to connect to a traditional computer via USB port and one for mobile devices using Bluetooth.

The former isn't as troublesome, but users need to be careful about the security key used for mobile. Google's support page suggested purchasing the Feitian MultiPass Bluetooth security key, which appears to be in limited supply on Amazon, as of this post, but a Bluetooth security key is only necessary for those using iOS devices or an Android device that doesn't support Near Field Communication for wireless access. An NFC-enabled security key would work for those with NFC-capable Android devices.
