Here’s How Google’s Ultimate Account Protection Works, and Why You Might Need It

Here's How Google's Ultimate Account Protection Works, and Why You Might Need It thumbnail

Image: Google

There are the standard ways you can protect your Google account—choosing a strong password, setting up two-factor authentication (2FA)—and then there’s the top tier, the Advanced Protection Program. It’s designed to be the ultimate in account security, and we’ll explain here how to enable it, and why you might want to.

It’s not something we’d recommend for everyone, or even for most people. It makes logging into your Google account more difficult, especially on devices you’ve never used or use intermittently; and it takes time to set up in the first place. This extra complexity adds extra security, but improved security often means extra inconvenience too.

Google describes the Advanced Protection Program as being for anyone at “risk of targeted attacks”—including, but not limited to, journalists, activists, business leaders, and political campaign teams. Anyone with a Google account can apply for this advanced protection, but those are the groups of people that are going to benefit from it most.

First, the Advanced Protection Program applies two-factor authentication, which means you need to first sign in with a password and then authenticate the login attempt with a second device. So far so standard, but in this case, you must use a physical key (such as a phone or a USB key) rather than an SMS code or authenticator app. If you’ve been getting two-factor validation via text or in an authenticator app, and you sign up for the Advanced Protection Program, those old 2FA methods will no longer work.

Image: Google

Physical keys can be an Android phone running Android 7.0 or later, an iPhone with Google Smart Lock installed, or a physical security key like Google’s own Titan Security Keys ($40 and up), which work over Bluetooth, NFC and USB to validate your identity. Obviously don’t leave these keys lying around where potential hackers might find them, as that would defeat the whole point.

What’s more, you need two of these physical keys rather than just one to log in on new devices for the first time (three-factor authentication!). You don’t need both keys every time—one is really just a backup in case the first one is lost or compromised somehow—but you do need to have two registered to your account at all times.

That’s the most important part of the Advanced Protection Program, but it has other components as well. Activating the feature also means third-party apps are limited in terms of the data they can access from your Google account, especially when it comes to Gmail and Google Drive data.

Limiting the number of external apps and accounts connected to your Google account is a good idea anyway, but the Advanced Protection Program polices this more aggressively and will kick out third-party services that have their claws too deep into your Google data. For example, apps that access your Google account with a temporary password to get around two-factor authentication will be blocked, for example.

Image: Google

The iOS Mail app and WhatsApp backups seem to be rare exceptions allowed by the Advanced Protection Program, so you’ll be able to carry on using those. For the moment, Nest apps and devices are incompatible, though Google says it’s working on it. See? The extra security does come at an extra cost in terms of convenience.

If you rely heavily on apps that are plugged into your Google account but aren’t actually made by Google, it’s a good idea to check for compatibility with the Advanced Protection Program before you turn it on, otherwise, you might find certain bits of functionality are broken, or that apps get disconnected entirely.

The Advanced Protection Program also locks down another potential avenue that hackers can use to get into your account—the account recovery progress. If unauthorized users know a little bit about you and get access to your email, they can sometimes reset your Google password, effectively locking you out of your account.

With the extra security protection enabled, Google is more cautious when it comes to resetting access to an account: It takes additional steps to verify that you are who you say you are, should you lose access to both of your security keys and need to get back in. While it’s not clear exactly what these additional steps are, we’d guess that it involves verifications like photo ID and a physical mailing address that are hard to spoof.

Screenshot: Gizmodo

Again, it’s a security and convenience trade-off. Chances are you’ll never have to initiate the account recovery process unless you lose your physical security keys, but if you do, it’ll take a while longer to get back to your data. It’s something else to bear in mind before making the jump to the Advanced Protection Program.

If you do decide to upgrade, it’s free and open to anyone, but make sure you have your two physical keys ready before you start the registration process here. Note that you’ll be signed out of everywhere that you’re signed into Google, and you’ll need your newly registered security keys as well as your password to log back in again.

For the vast majority of users, common sense and two-factor authentication should be enough to keep your Google account safe, and the added hassle (breaking Nest account connections and so on) won’t be worth the extra protection. Remember too that you can add physical security keys to your Google account without signing up for the Advanced Protection Program.

If you think you do need this additional layer of security, by all means give it a try. Bear in mind that you can opt back out of the Advanced Protection Program at any time if you decide it’s not for you, though your physical security keys will remain registered to your account (you can go on to remove them if you’d rather go back to the standard two-factor authentication process).

Read More