Why and how I enrolled in Google’s Advanced Protection Program

Physical security keys are at the heart of the company’s efforts to protect high-profile targets

The Google what now? It sounds like something that a dark TV thriller might be built around, but actually it’s a cool way of upping the security surrounding your Google account. 

Google says its Advanced Protection Program (APP) “safeguards the personal Google Accounts of anyone at risk of targeted attacks – like journalists, activists, business leaders, and political campaign teams”. Until recently, I never considered myself a prime target for threat actors. Sure, I’ve been writing about cybersecurity for decades now and have a high profile – but only amongst geeks and readers of the various, admittedly a little geeky, publications my words appear in. 

Then I became a high-profile security writer and everything changed. All of a sudden I was much more in the public gaze with all that brings, good and bad. That bad has undoubtedly included more attention being paid to the security of my own online accounts. My web pages, so my firewall logs inform me, are under pretty constant attack from all the usual suspects in terms of country and attack types. I employ the best defences I can, of course, including two-factor authentication (2FA) everywhere it’s available. 

The one account that, despite using app-based 2FA, has always concerned me the most is Google. After all, get into your Google account and if you use Gmail or Google Drive or, well, the list goes on, and the data on offer is like gold dust to an attacker. Then I was advised by Google, as working in an “at risk” occupation, to join the APP. So I did. 

So, what’s involved? Actually, it’s simple. APP pushes the whole 2FA thing one step further, requiring the user to use a physical security key. That can either be a Google Titan hardware key or a Yubico key (Titans are made by Yubico anyway) or the one in your Android phone. I opted for the former as I wanted a level of separation that took me away from the phone in my pocket. The key Google refers to is the one built into Android 7 and above devices; or, for users of an iPhone running iOS 10 or above, the one that becomes available with the Google Smart Lock app.

Obviously, the phone key is the easiest and cheapest route, and should be secure enough for most people. I’m not most people, though, and wanted the extra confidence that a hardware key brings. I opted for the Titan keys (you need two) rather than Yubico as I have already used those and wanted to see how easy the Google ones were to use. The answer? Very easy indeed. 

You need two both to provide a backup and to allow for wireless and USB usage depending on the device from which you need to authenticate your account. That means coughing up £50 for the pair, which is cheap if you consider how valuable access to your account really is. 

Once your keys are registered with Google and signed up with APP, your other second-factor authentication methods no longer work – which is a good thing, obviously. Nor, for that matter, do most third-party apps that require access to Gmail or Drive for some of their functionality. Oh, and you can only access Gmail or Photos using a Chrome or Firefox browser. All of which sounds like stink, but it’s the trade-off for better security and worth every bit of it in my opinion. APP only allows Google apps, and “select third-party apps” such as Apple Mail, Calendar and Contacts, or Mozilla Thunderbird, to access your emails and Drive files.

What you get is a much-hardened account, meaning one typical route to compromise is blocked: account reactivation. Google says: “If you ever lose access to your account and both of your security keys, these added verification requirements will take a few days to restore access to your account.” Again, a pain in the rectum, but a worthwhile one if you take your security seriously. Another pain is being signed out of your account and everything connected to it and having to sign in again on all devices using the keys. Again, worth the short-term hassle for the long-term gain. 

Seriously, go and take a look. Decide not if you need to sign up, but if you can afford not to

Featured Resources

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Simplify cluster security at scale

Centralised secrets management across hybrid, multi-cloud environments

Download now

The endpoint as a key element of your security infrastructure

Threats to endpoints in a world of remote working

Download now

2021 state of IT asset management report

The role of IT asset management for maximising technology investments

Download now

Recommended

Apple reportedly ramps up search engine development
iOS

Apple reportedly ramps up search engine development

29 Oct 2020
CEOs of Facebook, Twitter and Google face Senate hearing
Policy & legislation

CEOs of Facebook, Twitter and Google face Senate hearing

28 Oct 2020
DoJ charges Google with multiple antitrust violations
Policy & legislation

DoJ charges Google with multiple antitrust violations

20 Oct 2020
Killed by Google
business apps

Killed by Google

20 Oct 2020

Most Popular

Do smart devices make us less intelligent?
artificial intelligence (AI)

Do smart devices make us less intelligent?

19 Oct 2020
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

21 Oct 2020
What is Neuralink?
Technology

What is Neuralink?

24 Oct 2020