Why and how I enrolled in Google’s Advanced Protection Program

Physical security keys are at the heart of the company’s efforts to protect high-profile targets

The Google what now? It sounds like something that a dark TV thriller might be built around, but actually it’s a cool way of upping the security surrounding your Google account. 

Google says its Advanced Protection Program (APP) “safeguards the personal Google Accounts of anyone at risk of targeted attacks – like journalists, activists, business leaders, and political campaign teams”. Until recently, I never considered myself a prime target for threat actors. Sure, I’ve been writing about cybersecurity for decades now and have a high profile – but only amongst geeks and readers of the various, admittedly a little geeky, publications my words appear in. 

Then I became a high-profile security writer and everything changed. All of a sudden I was much more in the public gaze with all that brings, good and bad. That bad has undoubtedly included more attention being paid to the security of my own online accounts. My web pages, so my firewall logs inform me, are under pretty constant attack from all the usual suspects in terms of country and attack types. I employ the best defences I can, of course, including two-factor authentication (2FA) everywhere it’s available. 

The one account that, despite using app-based 2FA, has always concerned me the most is Google. After all, get into your Google account and, if you use Gmail or Google Drive or, well, the list goes on, the data on offer is like gold dust to an attacker. Then I was advised by Google, as working in an “at risk” occupation, to join the APP. So I did.

So, what’s involved? Actually, it’s simple. APP pushes the whole 2FA thing one step further, requiring the user to use a physical security key. That can either be a Google Titan hardware key or a Yubico key (Titans are made by Yubico anyway) or the one in your Android phone. I opted for the former as I wanted a level of separation that took me away from the phone in my pocket. The key Google refers to is the one built into Android 7 and above devices; or, for users of an iPhone running iOS 10 or above, the one that becomes available with the Google Smart Lock app.

Obviously, the phone key is the easiest and cheapest route, and should be secure enough for most people. I’m not most people, though, and wanted the extra confidence that a hardware key brings. I opted for the Titan keys (you need two) rather than Yubico as I have already used those and wanted to see how easy the Google ones were to use. The answer? Very easy indeed. 

You need two, both to provide a backup and to allow for wireless and USB usage depending on the device from which you need to authenticate your account. That means coughing up £50 for the pair, which is cheap if you consider how valuable access to your account really is.

Once your keys are registered with Google and signed up with APP, your other second-factor authentication methods no longer work – which is a good thing, obviously. Nor, for that matter, do most third-party apps that require access to Gmail or Drive for some of their functionality. Oh, and you can only access Gmail or Photos using a Chrome or Firefox browser. All of which sounds like stink, but it’s the trade-off for better security and worth every bit of it in my opinion. APP only allows Google apps, and “select third-party apps” such as Apple Mail, Calendar and Contacts, or Mozilla Thunderbird, to access your emails and Drive files.

What you get is a much-hardened account, meaning one typical route to compromise is blocked: account reactivation. Google says: “If you ever lose access to your account and both of your security keys, these added verification requirements will take a few days to restore access to your account.” Again, a pain in the rectum, but a worthwhile one if you take your security seriously. Another pain is being signed out of your account and everything connected to it and having to sign in again on all devices using the keys. Again, worth the short-term hassle for the long-term gain. 

Seriously, go and take a look. Decide not if you need to sign up, but if you can afford not to.
