Google Has the Key to Keeping You Secure, But You Don’t Need It

Feb 27, 2019 · 7 min read
Google Titan Security Key Bundle

Google effectively ended phishing attacks on its employees, but its approach is not the best solution for everyone. Guemmy Kim with Google’s Account Security team explains.

By Max Eddy

Creating a perfect solution doesn’t matter if people won’t use it. That’s the fundamental conflict in security, and it’s one Guemmy Kim, product management lead for Google’s Account Security team, understands quite well.

In July 2018, Google announced that it had effectively ended successful phishing of its employees by requiring simple hardware security keys. Regular consumers can get the same protection through its Advanced Protection Program, which also requires a security key, and Google now sells its own Titan key for the purpose. But while this all works great, it’s actually not for everyone, Kim says.

The Promise of Advanced Protection

Most non-famous people, Kim explains, will be targeted by automated attacks. These might have some degree of customization but are mostly shots in the dark, fired en masse at as many targets as the bad guys can manage. Advanced Protection will absolutely protect against these kinds of attacks, but its primary goal is to fend off bad guys with a specific target in mind.

This matters a lot. In security, we generally tell people that if a bad guy wants to go after you specifically, they’ll eventually succeed. Most security precautions are intended to thwart mass attacks and increase the cost in terms of time, money, or effort that it will take an attacker to achieve their goal. That breaks down when attackers have someone specific in mind, and especially when those attackers are backed by nation-state coffers.

YubiKey by Yubico

“With highly targeted individuals you see automated but you also see manual,” says Kim. These attacks are more dynamic and can change course when the attacker encounters a roadblock. Attackers are also aided by increasingly available, low-cost, and easy-to-use tools. “People are sharing knowledge — a helpful community, if you will, of attackers,” says Kim.

In a complex, targeted attack you might see password phishing, but you can also encounter malicious apps aimed specifically at you, or malicious OAuth requests that try to trick you into granting a third party access to your account. These alternate routes into an account are something Kim thinks about a great deal. “Security is not just about authentication, that’s only the front door into your account,” she says.

The most obvious difference with Google Advanced Protection is that it requires a hardware security key, such as a YubiKey or Google’s own Titan Security Key Bundle. After you’ve entered your password, you tap the key, which serves as your second authentication factor.

You may have heard of this referred to as two-factor authentication, or 2FA: using two of the three possible kinds of authentication factor, something you know, something you are, and something you have. A password is something you know, and a hardware security key is something you have.


What happens if you lose your security key? Being locked out because you lost a 2FA identifier is a real concern, Kim confirms. That’s why Advanced Protection requires users to enroll two security keys: one for daily use, and another to be stored safely away as a backup.

Security keys, said Kim, are the best way to secure an account. “If people can’t get in the front door, they go in the backdoor through account recovery.” That’s the “forgot my password” flow, in which you reset your login credentials by following instructions sent to you by email or some other channel. Advanced Protection users must present their security key during account recovery as well, effectively closing off that avenue.

Blocked at the back door, attackers may try the side window, which Kim says is OAuth: a third-party app asks for access to some part of your account, and a user who approves a malicious request hands over that access without ever giving up a password. Advanced Protection seals off this window by restricting third-party access to sensitive account data. The service also provides what Kim called a “deeper Gmail scan,” as well as other measures to ensure accounts stay secure.

This is all well and good, but Kim stresses that one of the hallmarks of a targeted attack is the dynamic changes. “The second big promise of advanced protection is that it’s a program and we’ll continue to evolve over time,” says Kim. “We need to stay ahead of that curve.”

Google, Kim explains, is in a good position to lead that kind of evolution. “Most of the people we’re protecting are not security experts, but Google is. We protect thousands of highly targeted individuals across the world, so we see those advanced techniques.” Advanced Protection will only get stronger over time.

Major Keys

Other second factors weren’t good enough. “At the end of the day, anything that depends on what the user knows can be phished,” said Kim. Attackers can, for example, build a phishing page that asks for a one-time login code and use the harvested code before it expires, or intercept codes sent via SMS. Even backup codes, the set of one-time codes an account generates once for the user to save as a fail-safe for regaining control of a locked account, can be phished the same way.

Kim concedes that most people will probably never be targeted for backup-code phishing, but a security key solves the phishing problem outright. Because the key is a physical device holding a secret that never leaves it, it can answer the service’s cryptographic challenge in a way that proves the key is present, and a phishing page cannot capture and reuse that answer the way it can a typed code.

The keys themselves are also resistant to attacks and tampering. “You can’t really mess with it. It’s not updatable [so] you can’t really compromise the key.”

By creating its own key, Google created a device that works best for its users. “We wanted to develop it in close partnership with the vendors but then adding Google’s secret sauce,” Kim says, declining to disclose what, exactly, is in that secret sauce.

But It’s Not for Everyone

“As an entire account security program, we are thinking of how to protect our huge user base of billions of users,” explains Kim. The problem is that a lot of these solutions can’t be applied to all those users in the same way. That requires Kim and her team to ask, “what is the audience, or user segment, we want to protect.”

“Sometimes, you’ll hear security advisers say sign up for [2FA]. I disagree with that,” says Kim. (Note: your author is definitely one of those people.) Some people may not want to download an authenticator app or pay for a key to log in to their ostensibly free account, never mind climb the learning curve of 2FA systems, which take time to set up and have to be used every time you sign in. It can all sound rather complicated, which can frustrate users and make them cynical, leading them to ignore security advice in general, Kim argues.

Kim’s goal is for her team to deploy more automated protections for everyone, but ones that most users won’t ever see. “When there is a risky event — signing in from a weird computer — we will dynamically determine that this is a risky event and we will provide challenges for the users,” she says. This approach allows Google to “protect billions of users way more effectively than [2FA].”

“With security, there’s always a trade-off between friction and availability,” says Kim. “For the most highly targeted users that actually are at a real security risk, that’s worth additional friction.”

Read more: “How to Set Up Google’s Advanced Protection Program”

Originally published at PC Magazine.