High-risk Google users – journalists, human rights and civil society activists, but also campaign staffers and people in abusive relationships – can now take advantage of Google’s Advanced Protection Program to keep their account safe from extremely targeted attacks.
What is Advanced Protection?
“Advanced Protection provides Google’s strongest security, designed for those who are at an elevated risk of attack and are willing to trade off a bit of convenience for more protection of their personal Google Accounts,” says Dario Salice, Advanced Protection Product Manager.
Anyone with a consumer/persona Google Account can enroll in the program. They will need a physical security key – a small USB or wireless device that will provide additional user verification during the login process – and Google Chrome, as it’s the only browser that currently supports the U2F standard for security keys.
“We expect other browsers to incorporate this soon,” Salice noted.
Apart from the added anti-phishing protection introduced by the use of secure keys, the program also:
- Limits full access to users’ Gmail and Drive to specific apps, and
- Adds extra steps to the account recovery process (as hackers often try to impersonate targets and pretend they have been locked out of the target account.)
The drawbacks of the program
The program comes with some drawbacks.
As mentioned before, users can currently only use Chrome to sign-in to Google’s online services. Secondly, only Google-developed apps will be able to get full access to the users’ Google services, as others apps lack support for security keys. This might be a particular problem for iOS users who are used to Apple Mail, Contacts, and Calendar apps.
Finally, users should be aware that, should they lose access to their accounts and their security key, it could take them days to gain access to the account again due to the added verification requirements.
Google says that new security measures will continually be added to the program to counter emerging threats.
Industry reactions
“Google’s roll out of Advanced Protection comes as no surprise to me following the staggering number of high-profile hacking campaigns that have targeted Gmail in the recent years. It’s certainly a promising step in the right direction as the industry continues to battle with new phishing tactics,” says Richard Parris, CEO at British digital identity outfit Intercede.
“Despite this, one thing that stands out to me is that in the eternal battle between digital security and a painless user experience, Google’s new advanced program falls short on the convenience front. Being the patience-poor and fickle creatures that we are, unfortunately if a security measure compromises the end user experience it will almost certainly never be fully embraced by the mainstream.
“What’s needed is a level of security that is both secure and convenient to the end user and this can be done. There are highly secure, cost-effective and convenient solutions already available and these should be made an industry standard. Striking the right balance is the cornerstone to security success.”
While welcoming the option, Charl Van Der Walt, Chief Security Strategy Officer at cybersecurity consultancy SecureData, says that a very significant number of successful breaches are still achieved via a compromised desktop, mostly via a malicious document attachment.
“Undoubtedly Google will become far better at detecting and blocking such attachments, thereby better mitigating an additional threat vector not covered by these ‘advanced’ new controls. High profile users, however, should be aware that unauthorised access to their computer is as much a threat to email confidentiality as unauthorised access to Google itself and these new controls will do little to change this.”
His advice to them is to think hard about the platforms they use to access email and how they open attachments.
“Simple, limited-use platforms like a Chromebook or a tablet are generally safer to work from, but using a Yubikey with a tablet can be tricky, especially on iOS devices. This seems a pity, and looks to be a trade-off,” he noted.
“Something else to consider is that although preventing unauthorised remote access to email is part of the equation, there needs to be jurisdictional consideration also. Google itself might have access to email and contact data, and that given Google is a US company, the US government may be able to obtain access. This, however, is a ‘political’ consideration rather than a technical one,” he concluded.
