Google Advanced Protection Program protects high-risk users from hacks

Oct 17, 2017 | 4 mins
Access Control, Application Security, Google

Google’s Advanced Protection requires physical keys to access a Google account, protects against phishing, blocks fraudulent access and limits access to your account to Google apps.

Instead of focusing on all users, Google set its sights on the minority who need the strongest security measures and today announced the launch of its Advanced Protection Program. The program goes beyond two-step verification by requiring a physical piece of hardware as a key to access your Gmail and other Google accounts; those who enroll will be trading convenience for added security.

Google rolled out the new security measure for the minority of its users who are at an elevated risk of cyberattack. In the company’s words:

We took this unusual step because there is an overlooked minority of our users that are at particularly high risk of targeted online attacks. For example, these might be campaign staffers preparing for an upcoming election, journalists who need to protect the confidentiality of their sources, or people in abusive relationships seeking safety. Sometimes even the most careful and security-minded users are successfully attacked through phishing scams, especially if those phishing scams were individually targeted at the user in question.

If you have a personal Google Account, you can enroll using Chrome — and only Chrome, at least for now, as it supports the U2F standard and has done so since 2014. After enrolling, Google promises to “always use the strongest defenses that Google has to offer” and to “continually update” those security measures.

How to use Google Advanced Protection

To use Google Advanced Protection, you will need two Universal 2nd Factor (U2F) security keys, which have been approved by the FIDO Alliance. That means you will need a U2F USB key for your computer and one that can authenticate over Bluetooth for your mobile devices — phone, tablet and laptop. For example, Google suggests purchasing a Yubico FIDO U2F security key and a Feitian MultiPass FIDO security key. Once you have two U2F keys approved by the FIDO Alliance, you can turn on Advanced Protection.

Once Advanced Protection is on, your Google life will change. 2FA verification codes sent to your phone and the Google Authenticator app will no longer grant access to your account. If you accidentally fall for a phishing scam and enter your password, the attacker or social engineer can’t get into your account without the U2F keys.
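A U2F key resists phishing where a typed code does not because the browser binds every key signature to the origin the user is actually on. The sketch below is an added illustration, not code from Google or from this article; the origins, `ToyKey` and the helper names are constructed, and HMAC stands in for the ECDSA P-256 signature a real key produces.

```python
import hashlib, hmac, json, os

REAL_ORIGIN = "https://login.example.com"    # constructed: the genuine sign-in origin
FAKE_ORIGIN = "https://login-example.test"   # constructed: a look-alike phishing origin

def _signed_bytes(origin, counter, client_data):
    # U2F signs: SHA-256(app id) || user-presence byte || counter || SHA-256(client data)
    return (hashlib.sha256(origin.encode()).digest() + b"\x01"
            + counter.to_bytes(4, "big") + hashlib.sha256(client_data).digest())

class ToyKey:
    """Stand-in for a U2F key; HMAC replaces the ECDSA P-256 signature of a real key."""
    def __init__(self):
        self.secret, self.counter = os.urandom(32), 0

    def sign(self, origin, client_data):
        self.counter += 1
        mac = hmac.new(self.secret, _signed_bytes(origin, self.counter, client_data), hashlib.sha256)
        return self.counter, mac.digest()

def browser_sign(key, visited_origin, challenge):
    # The browser, not the page, records which origin asked for the signature.
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": visited_origin}).encode()
    counter, sig = key.sign(visited_origin, client_data)
    return client_data, counter, sig

def server_accepts(secret, challenge, client_data, counter, sig, last_counter=0):
    data = json.loads(client_data)
    if data["origin"] != REAL_ORIGIN or data["challenge"] != challenge:
        return False
    if counter <= last_counter:              # counter must move forward (clone/replay check)
        return False
    expected = hmac.new(secret, _signed_bytes(REAL_ORIGIN, counter, client_data), hashlib.sha256)
    return hmac.compare_digest(sig, expected.digest())

def code_accepts(issued_code, typed_code):
    # A one-time code carries no origin, so a code typed on any site still verifies.
    return hmac.compare_digest(issued_code, typed_code)

def demo():
    key, challenge = ToyKey(), os.urandom(16).hex()
    genuine = server_accepts(key.secret, challenge, *browser_sign(key, REAL_ORIGIN, challenge))
    cd, ctr, sig = browser_sign(key, FAKE_ORIGIN, challenge)   # user is on the look-alike page
    relayed = server_accepts(key.secret, challenge, cd, ctr, sig)
    forged_cd = cd.replace(FAKE_ORIGIN.encode(), REAL_ORIGIN.encode())
    rewritten = server_accepts(key.secret, challenge, forged_cd, ctr, sig)
    return genuine, relayed, rewritten, code_accepts("492817", "492817")
```

`demo()` returns the outcome of four sign-ins: the genuine key response, a response produced on the look-alike origin, the same response with its origin field rewritten, and a typed code.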

If an attacker tries impersonation and uses the “forgot password” route, there are added steps for an Advanced Protection user to verify his or her identity. Google doesn’t specify what those extra steps will be other than “additional reviews and requests for more details about why you’ve lost access to your account.”

Furthermore, “if you ever lose access to your account and both of your Security Keys, these added verification requirements will take a few days to restore access to your account.”

Additionally, to prevent third-party malicious apps from gaining access to your account, Google will automatically limit access to your Gmail and Drive to specific apps — especially its own for now. If you want to access your Gmail, then you have to use Chrome or the Gmail app. You will also have to use Chrome if you want to access your Photos or other signed-in Google services.

Personalized Google Security Checkup

To celebrate Cybersecurity Awareness Month, Google said it intends to launch a series of security announcements this week.

Yesterday, Google announced the launch of its revamped Security Checkup, which provides “personalized guidance to help you improve the security of your account.” Hopefully, you will see a green check mark next to each item in the list. If not, then you need to take care of the items marked with yellow or red exclamation points. The new and improved Security Checkup will evolve as new threats arise.

Google is also testing new predictive phishing protections in Chrome. If you input your Google password into a suspected phishing site, you might see a warning that states something like this: “This site may have just stolen your password.”

The company added, “We plan to expand predictive phishing protection to all other passwords you’ve saved in Chrome’s password manager, and [we plan to] enable other apps and browsers that use Safe Browsing technology, like Safari, Firefox and Snapchat, to use it as well.”

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.