Why and how I enrolled in Google’s Advanced Protection Program

Physical security keys are at the heart of the company’s efforts to protect high-profile targets

The Google what now? It sounds like something that a dark TV thriller might be built around, but actually it’s a cool way of upping the security surrounding your Google account. 

Google says its Advanced Protection Program (APP) “safeguards the personal Google Accounts of anyone at risk of targeted attacks – like journalists, activists, business leaders, and political campaign teams”. Until recently, I never considered myself a prime target for threat actors. Sure, I’ve been writing about cybersecurity for decades now and have a high profile – but only amongst geeks and readers of the various, admittedly a little geeky, publications my words appear in. 

Then I became a high-profile security writer and everything changed. All of a sudden I was much more in the public gaze with all that brings, good and bad. That bad has undoubtedly included more attention being paid to the security of my own online accounts. My web pages, so my firewall logs inform me, are under pretty constant attack from all the usual suspects in terms of country and attack types. I employ the best defences I can, of course, including two-factor authentication (2FA) everywhere it’s available. 

The one account that, despite using app-based 2FA, has always concerned me the most is Google. After all, if an attacker gets into your Google account and you use Gmail or Google Drive or, well, the list goes on, the data on offer is like gold dust. Then I was advised by Google, as someone working in an “at risk” occupation, to join the APP. So I did.

So, what’s involved? Actually, it’s simple. APP pushes the whole 2FA thing one step further, requiring the user to use a physical security key. That can either be a Google Titan hardware key or a Yubico key (Titans are made by Yubico anyway) or the one in your Android phone. I opted for the former as I wanted a level of separation that took me away from the phone in my pocket. The key Google refers to is the one built into Android 7 and above devices; or, for users of an iPhone running iOS 10 or above, the one that becomes available with the Google Smart Lock app.

Obviously, the phone key is the easiest and cheapest route, and should be secure enough for most people. I’m not most people, though, and wanted the extra confidence that a hardware key brings. I opted for the Titan keys (you need two) rather than Yubico as I have already used those and wanted to see how easy the Google ones were to use. The answer? Very easy indeed. 

You need two, both to provide a backup and to allow for wireless and USB usage depending on the device from which you need to authenticate your account. That means coughing up £50 for the pair, which is cheap if you consider how valuable access to your account really is.

Once your keys are registered with Google and signed up with APP, your other second-factor authentication methods no longer work – which is a good thing, obviously. Nor, for that matter, do most third-party apps that require access to Gmail or Drive for some of their functionality. Oh, and you can only access Gmail or Photos using a Chrome or Firefox browser. All of which sounds like stink, but it’s the trade-off for better security and worth every bit of it in my opinion. APP only allows Google apps, and “select third-party apps” such as Apple Mail, Calendar and Contacts, or Mozilla Thunderbird, to access your emails and Drive files.

What you get is a much-hardened account, meaning one typical route to compromise is blocked: account reactivation. Google says: “If you ever lose access to your account and both of your security keys, these added verification requirements will take a few days to restore access to your account.” Again, a pain in the rectum, but a worthwhile one if you take your security seriously. Another pain is being signed out of your account and everything connected to it and having to sign in again on all devices using the keys. Again, worth the short-term hassle for the long-term gain. 

Seriously, go and take a look. Decide not if you need to sign up, but if you can afford not to.
