An Introduction to Google Advanced Protection

Google has stepped up the account security game. Is it right for you?

Isaiah Sarju
Revis Solutions Blog
7 min read · Jan 16, 2018


Introduction

Google introduced Advanced Protection in October 2017. This new feature makes corporate-level security available to individual users’ Google accounts, free of charge. But as with every security product, there are convenience drawbacks to increasing your security. In this article, I explain what Advanced Protection is, how it works, and offer thoughts for your consideration on whether this feature is right for you.

What is it?

Basically, Advanced Protection requires you to have a physical security key to sign into your Google account from a new device or browser. If you use the service, you will have to carry a USB / NFC / Bluetooth dongle on your keyring at all times.

Some readers will be familiar with the concept. It is a common practice in large companies to give employees physical “keys” or “tokens” for remote access to corporate servers. These devices generate “one-time passwords” (OTP) that continuously change, so that the employee can access the network once, but the code cannot be stolen and reused subsequently.

Why did Google create Advanced Protection?

There are many ways to have your information compromised online. One of the most damaging is to have an attacker gain access to your email address.

“But why?! Who wants to see my chit-chat emails with my extended family? I’m not a spy, I don’t have anything to hide.”

For many people, the email account is the hub of everything they do online. Banks use email for important communications. Many websites use your email address as your username. And if you ever forget your password to one of these websites, you reset it through a link sent by email. Email is the holy grail: if an attacker gains control of your email, they can request password resets for every website linked to that address.

You’ve probably heard of phishing by now. It’s when a hacker sends you a fraudulent email, or other communication, with the goal of infecting your system, stealing your password, or, if you’re lucky, just rickrolling you. The key aspect that we’re concerned with for this article is what happens after they steal your password.

“I don’t need to worry. I don’t click suspicious links and I have a strong password!”

Attackers can compromise an email account without ever knowing your password. If they can learn enough about you (a birthday, an old address, the answer to a security question) they can impersonate you to the account-recovery process and claim to be “locked out” of your account. Advanced Protection makes this harder by adding extra verification steps to recovery.

“But I activated Two-Factor Authentication. Every time I go to log into my email account, Google sends me a 6-digit code by text message. That’s secure, right?”

Two-Factor Authentication (2FA) is a great first step. It is a second check that it is really you logging in. If your username and password are stolen (e.g. by a keylogger, or in another company’s data breach), the attacker cannot get into your account without also having access to your text messages.

However, 2FA by SMS is the weakest form of 2FA. SMS is not end-to-end encrypted, and messages can be intercepted in transit. More dedicated attackers may steal your phone number outright in a “SIM swap”: they impersonate you to your phone provider and have your number assigned to a SIM card under their control, after which every code goes to them. See this great article in Wired for more information.

“I know about SMS vulnerabilities, so I use a One-Time Password (OTP)-generating app.”

Better. Applications like Google Authenticator and Authy improve on SMS by generating codes offline: at enrollment the app and the server share a secret, and each side computes the current code from that secret and the time of day, so nothing is sent over the phone network. However, the app may be running on a compromised device, and the code itself is just six digits that the server cannot tie to where you typed them. A sophisticated attacker who has compromised your phone can read the codes, and a far less sophisticated one can put up a spoofed login page, collect the code you type into it, and relay it to the real site before it expires.

Google’s Advanced Protection goes a step further. It only allows a physical security key as your second factor. The key holds a private key that never leaves its cryptographic hardware; at sign-in it signs a fresh challenge from Google, and the browser includes the site you are actually on in what gets signed. A look-alike site therefore cannot relay the response, and there is no code for malware or a phishing page to capture.
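To make the contrast between the two previous paragraphs concrete, here is an added example in Go. It is not code from the original post, from Google, or from any key vendor. It implements RFC 6238 TOTP the way authenticator apps do, and a deliberately simplified model of U2F authentication: the shared secret, the two origins, the challenge and the timestamp are all constructed, the clientData string is a stand-in for the real JSON format, and the key-handle check a real token performs is left out. It shows that a TOTP code typed into a look-alike page is accepted by the real site when the attacker relays it, while a security-key assertion obtained on that look-alike origin fails verification, because the browser folds the origin into what the key signs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// totp implements RFC 6238 (HMAC-SHA1, 30 s step, 6 digits) as authenticator
// apps do. Only the shared secret and the clock go into the code; the site the
// user types it into plays no part, which is why a phishing page can relay it.
func totp(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := int(h[len(h)-1] & 0x0f) // dynamic truncation, RFC 4226
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// token is a simplified U2F authenticator: one P-256 key pair plus a counter.
// (A real key also refuses key handles registered under another app ID.)
type token struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// signedData is what a U2F token signs on authentication:
// sha256(appID) || user-presence flag || counter || sha256(clientData).
func signedData(appID string, clientData []byte, counter uint32) []byte {
	appHash := sha256.Sum256([]byte(appID))
	cdHash := sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	buf := append([]byte{}, appHash[:]...)
	buf = append(buf, 0x01) // user presence confirmed (button touched)
	buf = append(buf, ctr[:]...)
	return append(buf, cdHash[:]...)
}

// authenticate models browser plus token. The browser derives appID from the
// origin the page really loaded from and wraps the server's challenge in
// clientData; the token signs both, and the private key never leaves it.
func (t *token) authenticate(originAppID string, challenge []byte) (clientData, sig []byte, counter uint32, err error) {
	t.counter++
	// Constructed clientData; the real format is JSON with typ, challenge and origin.
	clientData = []byte(fmt.Sprintf(`{"challenge":%q,"origin":%q}`, challenge, originAppID))
	digest := sha256.Sum256(signedData(originAppID, clientData, t.counter))
	sig, err = ecdsa.SignASN1(rand.Reader, t.priv, digest[:])
	return clientData, sig, t.counter, err
}

// verify is the relying party's check. It rebuilds the signed data with its
// own appID, so a signature made on a phishing origin does not verify here.
func verify(pub *ecdsa.PublicKey, rpAppID string, clientData []byte, counter uint32, sig []byte) bool {
	digest := sha256.Sum256(signedData(rpAppID, clientData, counter))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// demo runs the relay attack against both second factors. It returns whether
// the relayed TOTP code is accepted, whether a genuine U2F assertion verifies,
// and whether the assertion obtained on the phishing origin verifies.
func demo() (totpRelayOK, u2fLegitOK, u2fPhishedOK bool, err error) {
	const realApp = "https://accounts.google.com"      // the relying party
	const phishApp = "https://accounts-google.example" // constructed look-alike origin

	// Authenticator app: victim types the code into the fake form; attacker
	// submits it to the real site five seconds later, still inside the window.
	secret := []byte("constructed-totp-secret")
	now := int64(1516060800) // constructed timestamp, 2018-01-16 00:00 UTC
	totpRelayOK = totp(secret, now+5) == totp(secret, now)
	// Security key: attacker forwards Google's challenge to the phishing page.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	tok := &token{priv: priv}
	challenge := []byte("constructed-random-challenge")
	cd, sig, ctr, err := tok.authenticate(realApp, challenge)
	if err != nil {
		return
	}
	u2fLegitOK = verify(&priv.PublicKey, realApp, cd, ctr, sig)
	cd, sig, ctr, err = tok.authenticate(phishApp, challenge)
	if err != nil {
		return
	}
	u2fPhishedOK = verify(&priv.PublicKey, realApp, cd, ctr, sig)
	return
}
```

The totp function can be checked against the published RFC 4226 test vectors (secret "12345678901234567890" gives 755224 at time 0 and 287082 at time 59). Note that even a perfect TOTP implementation cannot help the server here: the relayed code is indistinguishable from one typed into the real page, whereas the U2F check fails as soon as the origin in the signed data differs from the relying party's own.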

“But what if someone steals my physical key? Would they get access to my account?”

Your account is still username and password-protected. The risk of account compromise should be low if you have a strong, unique password protecting your Google account. For most people, the risk of losing the physical key is higher than the risk of it being stolen. For this reason, Google requires you to register a backup physical key.

Although no system can ever be “100% secure”, by mandating a physical key Advanced Protection shuts down the most common remote attacks on an account: phishing of passwords and codes, and reuse of credentials leaked in other breaches.

Who should use it?

Per Google, the users who stand to benefit most are those who are most likely to be personally targeted — “journalists, activists, business leaders, and political campaign teams.”

However, everyday users can also take advantage of these protections. The main trade-off is between convenience and security. It is important to remember: we use physical keys every day, to unlock cars, houses and file cabinets. The question you should ask yourself is: how much is the most important part of your digital identity worth to you? What trade-offs would you be willing to make?

The technical ramifications and functionality

Advanced Protection requires the user to carry a physical key with cryptographic hardware. There are two basic types of keys: a straightforward USB plug-in, and a USB plug-in that also supports mobile and tablet devices via Near Field Communication (NFC) or Bluetooth. The user sets up Advanced Protection by purchasing two physical keys and registering them with her Google account; registration stores a public key for each device in her account, while the matching private key never leaves the device. Whenever she signs in from a new device or browser, she must present one of the physical keys (USB, NFC, or Bluetooth) to access her Google account. Without the key, a username and password alone will not get anyone in. If you lose both keys, the account recovery process is more strenuous than the already complicated standard account recovery process!

As an additional security measure, your Gmail and Google Drive data (Google Docs, Google Forms, etc.) is only accessible via Google-approved applications. At this time, this is limited to Google’s own applications. For laptop and iOS users, this means you are limited to Google applications such as Google Drive, Chrome, and Gmail. (At this time, iOS apps do not support Advanced Protection. Leave us a comment if this changes, and we will update.)

[Screenshot: Don’t worry. You can still “Log In with Google”]

This also means that third-party apps will not be able to access Gmail, Google Drive or other core Google account data. How much this affects you depends on the level of access each app has. To see how it may affect the apps you use, visit https://myaccount.google.com/permissions. Apps that use Google for sign-in only, like Slack or meetup.com, will not be affected.

[Screenshot: Slack will be alright]

On the other hand, apps like WhatsApp that require broader permissions (WhatsApp backs up message history to Google Drive) will be blocked from accessing your Google data. Google cannot control those apps’ servers, or what data they view, add to, or remove from your account, so it closes that gap by blocking them.

[Screenshot: But maybe not WhatsApp Message Backup]

Here is Google’s fact sheet on the changes that come with Advanced Protection :

[Link: What changes with Advanced Protection]

Repeating a point for emphasis: at the current time, only Google applications are compatible with Advanced Protection. Users will not be able to access their Gmail or Drive via their favorite non-Google clients. For some, this may be a dealbreaker.

How to implement Advanced Protection:

If you think Advanced Protection might be for you, this is how you set it up.

The setup process is simple; Google walks you through all of the steps. I’ll give an overview here, and provide a few comments. In terms of costs, Google’s Advanced Protection service is free, and you should be able to purchase a set of physical keys for under $100.

Registering U2F security keys

First, you need to be the proud owner of two FIDO-certified Universal Second Factor (U2F) devices. At least one must support contactless communication such as Near Field Communication (NFC) or Bluetooth. This will be your primary key, because it works on both your computer and your phone. Google recommends the Feitian MultiPass FIDO Security Key. I personally like the Yubico keys, and if you use an Android phone, you can use a Yubico NEO as your primary key.

Google will walk you through enrolling them. You will carry the key that supports contactless communication around with you. You should store the backup key in a safe location.

[Screenshot: Successful Enrollment]

In Conclusion:

Google Advanced Protection is certainly not for everybody. As with all security options, the major trade off every user has to consider is security versus convenience.

In my view, given how critical our email is and how sensitive the files stored in our Google Drive can be, this is a great service.

Hopefully this has provided some guidance surrounding why you may want to consider enabling Google’s Advanced Protection, what the ramifications are, and how you’d go about doing it.

If there are any questions or comments, please leave them below. Stay safe out there!
