Google revealed the “Advanced Protection Program,” which aims to defend high-value targets or anyone who wants to maximize the security of their Google accounts. The program is a step above the typical two-factor authentication solution in terms of the level of security it offers, but it also comes with some compromises in terms of ease of use.
Protection Against Phishing
For starters, anyone who enrolls in the Advanced Protection Program will be required to use two physical security keys (one for main use and one for backup). One of Google’s senior security engineers, Adam Langley, has recently tested some of the better known hardware token options, and it seems that Yubico’s popular Yubikeys are the most secure.
Some older Yubikeys were impacted by Infineon’s TPM vulnerability recently, but Yubico said that most Yubikey customers should not be affected. Additionally, the newer authentication protocols such as U2F were never affected by that vulnerability. Langley also previously said in his post that he could find no flaw in Yubikey’s U2F keys. This is not much of a surprise, considering Yubico is also one of the co-creators of the U2F standard.
The previous one-time password (OTP) method for two-factor authentication would generate a new random five- or six-digit code, and the user would have to type it into a login box on a service’s website. The new U2F method simply requires the user to plug the security key into the USB port and tap a button to generate a new public key that the service then uses to authenticate you.
This solution is more resistant to phishing because it’s much harder for an attacker to compromise a hardware token. By comparison, an attacker could impersonate you to a carrier and then use your phone number to retrieve a two-factor authentication SMS code. If your smartphone has malware on it, codes generated by apps such as Google Authenticator could also be compromised.
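To show why a U2F tap resists phishing where an OTP does not, here is an added Python model of the exchange (not Google’s or Yubico’s code): an HMAC with a per-registration secret stands in for the token’s signature, and the service origin is a constructed placeholder.

```python
import hashlib, hmac, json, secrets

# Added illustration, not Google's or Yubico's code. HMAC stands in for the token's ECDSA
# signature (real U2F gives the service only a public key); what matters here is WHAT is signed.

class Token:
    """Hardware key: per-site secrets never leave it; a counter helps detect replay."""
    def __init__(self):
        self._keys = {}   # key_handle -> (app_param, secret)
        self.counter = 0
    def register(self, app_id):
        app_param = hashlib.sha256(app_id.encode()).digest()
        handle, secret = secrets.token_bytes(16), secrets.token_bytes(32)
        self._keys[handle] = (app_param, secret)
        return handle, secret
    def sign(self, app_id, handle, client_data):
        bound_app, secret = self._keys[handle]
        if bound_app != hashlib.sha256(app_id.encode()).digest():
            raise ValueError("key handle is bound to a different app id")
        self.counter += 1
        body = bound_app + b"\x01" + self.counter.to_bytes(4, "big") \
            + hashlib.sha256(client_data).digest()
        return self.counter, hmac.new(secret, body, "sha256").digest()

def browser_sign(token, origin, handle, challenge):
    """Browser builds client data from the origin it is actually on, then asks the token."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": origin}).encode()
    counter, sig = token.sign(origin, handle, client_data)
    return client_data, counter, sig

def service_verify(app_id, secret, challenge, client_data, counter, sig, last_counter=0):
    """Service checks origin, challenge freshness and counter, then the signature."""
    data = json.loads(client_data)
    if data["origin"] != app_id or data["challenge"] != challenge or counter <= last_counter:
        return False
    body = hashlib.sha256(app_id.encode()).digest() + b"\x01" \
        + counter.to_bytes(4, "big") + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(secret, body, "sha256").digest(), sig)

def demo():
    token, real = Token(), "https://accounts.example.com"   # constructed origin
    handle, secret = token.register(real)
    challenge = secrets.token_hex(16)
    assertion = browser_sign(token, real, handle, challenge)
    genuine = service_verify(real, secret, challenge, *assertion)
    replayed = service_verify(real, secret, challenge, *assertion, last_counter=assertion[1])
    try:   # lookalike site: browser reports its own origin, so the token refuses the handle
        browser_sign(token, "https://accounts-example.com", handle, challenge)
        phished = True
    except ValueError:
        phished = False
    return {"genuine": genuine, "replayed": replayed, "phished": phished}
```

An OTP code, by contrast, carries no origin at all, which is why it verifies just as well when typed into a lookalike site.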
Limit Third-Party App Access
Google has made it easier to integrate third-party services with Google accounts, but sometimes a user may allow a malicious app to access some sensitive emails or documents. For now, this restriction covers only Gmail and Drive, but other apps and services will be supported in the future.
Protecting Against Impersonation
Sometimes, attackers try to impersonate the victims whose accounts they’re trying to hack. They go to various services and pretend to be locked out so that someone from the firm lets them into the account.
Google said that for users of the Advanced Protection Program, extra steps will be put in place to prevent attackers from hijacking an account. The steps include reviews and requests for more details about why they’ve lost access to their accounts. This will also apply to the users themselves if they ever lose their security keys.
Google has been testing this program with journalists and human rights and environmental activists over the past few weeks. The company said it has gained important feedback from people such as Andrew Ford Lyons, a Technologist at Internews, which is an international nonprofit organization that has supported the development of thousands of media outlets worldwide.
“Journalists, human rights defenders, environment campaigners and civil society activists working on any number of sensitive issues can quickly find themselves targeted by well-resourced and highly capable adversaries,” said Lyons. “For those whose work may cause their profile to become more visible, setting this up could be seen as an essential preventative step,” he added.
Starting today, anyone can enroll in the Advanced Protection Program, provided they already have two U2F security keys (from either Yubico or Feitian, as recommended by Google) and are able to use the Chrome browser. Chrome is currently the only browser that supports U2F authentication, but other browsers should start supporting it soon, too.