Users who don’t mind giving up convenience and ease of use for better online security can now take advantage of a new Advanced Protection Program from Google.
The program is designed specifically for people who are at elevated risk of having their email and other online accounts broken into or spied upon. Google is targeting the enhanced online security service at journalists, election campaign staffers, human rights advocates, high net worth individuals, top corporate executives and others who are inviting targets for hackers and cyber-spies.
People who enroll in the program will get what Google describes as the strongest online account protection that the company has to offer. In order to log into a Gmail, Google Drive or YouTube account, for instance, a user who has signed up for the program will need to use a special USB key or wireless device.
Instead of simply typing in a password, users will be required to insert a USB key into a computer port or use a wireless Bluetooth Low Energy (BLE) dongle for mobile access. The mandatory two-factor authentication step is required to ensure that an attacker could not access a Google account with merely a password, said Dario Salice, advanced protection product manager at Google, in a company blog Oct. 17.
All non-Google applications and services will be heavily restricted in their ability to access or interact with a user’s Gmail or Google Drive account. In fact, for the moment at least, only Google’s own applications will be allowed full access to a user’s Gmail and Drive. Google will eventually loosen this restriction to allow other applications access as well, Salice said, without indicating when that would happen.
The goal in imposing this restriction is to prevent users from inadvertently giving malicious third-party applications access to data in their Google account. For example, in May thousands of Google users became victims of a phishing attack when they were lured into clicking on what appeared to be a Google Docs document. Users who opened the document essentially gave attackers permission to access their entire address book and send phishing emails to all their contacts.
Password and account recovery will also be a lot harder for people who opt in to Google’s Advanced Protection Program. Attackers commonly try to gain access to a user’s account by impersonating the user and pretending they have been locked out so they can have a recovery password sent to them. To mitigate this risk, Advanced Protection users will be subjected to reviews and requests for additional information on why they might have lost access to their account.
Google has been testing Advanced Protection for the past several weeks and is now rolling it out more broadly. The service is currently available only for consumer accounts.
Anyone with a personal Google Account can sign up for it.
The only requirement is that they need Chrome to sign up because it is the only browser that currently supports the Universal 2nd Factor (U2F) standard for Security Keys, Google’s Salice said. Users will also need to buy their own U2F-compatible USB device and BLE dongle.