These days it seems you can’t go a few days, or maybe even hours, without hearing about online accounts being hacked or breached. For a lot of us, our Google account is one of the most important parts of our online identity. While you can already use things like 2-factor authentication to protect yourself, Google Advanced Protection takes it to a whole new level!
What Is It?
Intended for highly targeted individuals such as celebrities, reporters, and dissidents, Google Advanced Protection provides what Google describes as their strongest security solution available. In fact, they believe in it so much that they have implemented effectively the same thing for all their employees for many years now as well.
At a high level, it builds on the features of standard 2-factor authentication but makes it more robust by requiring physical security keys rather than the codes that are normally used. The keys follow the industry standard Universal 2nd Factor (U2F) protocol, and Google sells its own from its store as the Google Titan kit.
In principle, 2-factor authentication is based on the idea of having multiple factors to reduce the chances of a bad actor getting access to your account. In most cases, the 2 factors are something you know (your password) and something you have (a code). The problem is that many people get the 2nd factor as a code delivered via SMS, which is vulnerable to an attack known as SIM swapping that has been used a lot lately. This means that if you rely on SMS for your 2nd-factor code, that code can be stolen, which gives someone else access to your account. With Google Advanced Protection the only option for the 2nd factor is an actual physical key that you have in your possession. Google ships two in their kit: one which uses Bluetooth (and can also do USB via a cable) and one that is USB only. Both can be registered to your account so you have a backup in case you lose one.
The three key ways that Google Advanced Protection differs from standard security measures are:
- Whenever you sign in to a device for the first time, you need your password and a physical security key. You don’t use an app to generate a code or get a code via SMS; the only mechanism is the physical keys that are registered to your account. So in order for someone to hack your account they would need your password and actual physical access to your key. There is no way for them to remotely get to your key or hack it via software.
- Google will also limit the services that can access your data when you turn on the feature. This is something that is very important to understand before you decide to go down this path. I’ve had Google Advanced Protection enabled for over a year and have not run into any issues, but it might cause issues if you use third-party services or apps to access your Google account on a regular basis. You can disable the feature if necessary.
- Finally, if you lose your keys or need to recover your account, Google supposedly will go through extra steps to verify your identity before giving someone access. This means that if someone pretends to be you, they will have a harder time convincing Google that they are actually the person they are trying to impersonate. Google is purposely vague on what these steps are, but they do mention that account recovery can take several days if you have Google Advanced Protection enabled. This is something else to keep in mind.
Google has a very handy FAQ on Google Advanced Protection that goes into detail about some of the limitations and workarounds available with the feature enabled.
How to Set It Up
The video above is a nice 2-minute video that walks you through how to turn the feature on. Apart from signing up for the service, you will need to have 2 security keys that are U2F compliant: one with Bluetooth so it can connect to mobile devices, and one that is USB. As mentioned, Google sells their own version, branded as the Google Titan Kit, from their store for $50, and I highly recommend just using those as that’s what they issue to all their employees as well.
Once you receive your keys you can hit Get Started on this page and Google will walk you through the process of enabling the feature on your account. It should take maybe 5-10 minutes to complete and then you’re done.
Why Is It Important?
There are many reasons to protect your Google account. Maybe you use it to authenticate to other services using the “Sign in With Google” button or something similar? Even if you don’t, if your Gmail address is your main email address then it is also the recovery address for any account you use with that email. So if an attacker can get into your Gmail, they can go to all the associated services you might be using, such as your banks, social media accounts, and others, request a password reset, and just use the reset email that arrives in your Gmail to change the password.
Google Advanced Protection gives you the best chance of keeping your account safe, but it does come with some caveats. If you lose your physical keys and you have no devices already signed in to your account, you will have to work with Google to recover access, and it can take days. If you need to sign in somewhere and you left your keys at home or somewhere else you’re not, you will not be able to access your account. If your key doesn’t work or is faulty, there’s no backup at all: you either have to work with Google to recover your account or find a way to get a key to work.
This might all seem a bit extreme, and it does require some level of responsibility on the user’s part to make sure they carry a key with them and keep one in a safe, but the peace of mind it brings, knowing your account and all the associated emails, photos, files, and other data are safe, is worth the extra effort!