Why and how I enrolled in Google’s Advanced Protection Program

Physical security keys are at the heart of the company’s efforts to protect high-profile targets

The Google what now? It sounds like something that a dark TV thriller might be built around, but actually it’s a cool way of upping the security surrounding your Google account. 

Google says its Advanced Protection Program (APP) “safeguards the personal Google Accounts of anyone at risk of targeted attacks – like journalists, activists, business leaders, and political campaign teams”. Until recently, I never considered myself a prime target for threat actors. Sure, I’ve been writing about cybersecurity for decades now and have a high profile – but only amongst geeks and readers of the various, admittedly a little geeky, publications my words appear in. 

Then I became a high-profile security writer and everything changed. All of a sudden I was much more in the public gaze with all that brings, good and bad. That bad has undoubtedly included more attention being paid to the security of my own online accounts. My web pages, so my firewall logs inform me, are under pretty constant attack from all the usual suspects in terms of country and attack types. I employ the best defences I can, of course, including two-factor authentication (2FA) everywhere it’s available. 

The one account that, despite using app-based 2FA, has always concerned me the most is Google. After all, get into your Google account and if you use Gmail or Google Drive or, well, the list goes on, and the data on offer is like gold dust to an attacker. Then I was advised by Google, as working in an “at risk” occupation, to join the APP. So I did. 

So, what’s involved? Actually, it’s simple. APP pushes the whole 2FA thing one step further, requiring the user to use a physical security key. That can either be a Google Titan hardware key or a Yubico key (Titans are made by Yubico anyway) or the one in your Android phone. I opted for the former as I wanted a level of separation that took me away from the phone in my pocket. The key Google refers to is the one built into Android 7 and above devices; or, for users of an iPhone running iOS 10 or above, the one that becomes available with the Google Smart Lock app.

Obviously, the phone key is the easiest and cheapest route, and should be secure enough for most people. I’m not most people, though, and wanted the extra confidence that a hardware key brings. I opted for the Titan keys (you need two) rather than Yubico as I have already used those and wanted to see how easy the Google ones were to use. The answer? Very easy indeed. 

You need two both to provide a backup and to allow for wireless and USB usage depending on the device from which you need to authenticate your account. That means coughing up £50 for the pair, which is cheap if you consider how valuable access to your account really is. 

Once your keys are registered with Google and signed up with APP, your other second-factor authentication methods no longer work – which is a good thing, obviously. Nor, for that matter, do most third-party apps that require access to Gmail or Drive for some of their functionality. Oh, and you can only access Gmail or Photos using a Chrome or Firefox browser. All of which sounds like stink, but it’s the trade-off for better security and worth every bit of it in my opinion. APP only allows Google apps, and “select third-party apps” such as Apple Mail, Calendar and Contacts, or Mozilla Thunderbird, to access your emails and Drive files.

What you get is a much-hardened account, meaning one typical route to compromise is blocked: account reactivation. Google says: “If you ever lose access to your account and both of your security keys, these added verification requirements will take a few days to restore access to your account.” Again, a pain in the rectum, but a worthwhile one if you take your security seriously. Another pain is being signed out of your account and everything connected to it and having to sign in again on all devices using the keys. Again, worth the short-term hassle for the long-term gain. 

Seriously, go and take a look. Decide not if you need to sign up, but if you can afford not to

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Iranian hacking group continues to target US citizens
hacking

Iranian hacking group continues to target US citizens

18 Oct 2021
Ennoconn and Google Cloud enter a strategic alliance
Cloud

Ennoconn and Google Cloud enter a strategic alliance

14 Oct 2021
Google Workspace adds Jira and AppSheet integrations
collaboration

Google Workspace adds Jira and AppSheet integrations

13 Oct 2021
Google Cloud reveals edge-focused Distributed Cloud portfolio
cloud computing

Google Cloud reveals edge-focused Distributed Cloud portfolio

13 Oct 2021

Most Popular

Alibaba unveils custom Arm-based server chip
components

Alibaba unveils custom Arm-based server chip

19 Oct 2021
Windows 11 has problems with Oracle VirtualBox
Microsoft Windows

Windows 11 has problems with Oracle VirtualBox

5 Oct 2021
What is cyber warfare?
Security

What is cyber warfare?

15 Oct 2021