Are you a high-risk user whose Google account hackers might want to target? If you are, how much hassle would you put up with to make your account more secure?
These are questions Google is inviting its users to ask themselves with the announcement of the Advanced Protection Program (APP), a reassuring but also potentially awkward way to add extra layers of security to Google accounts.
Available from this week, it’s free to all consumer Google account holders, but before you rush off to sign up let’s dig a little deeper into what is on offer because the downsides won’t be for everyone.
First, APP’s target user base, which includes:
Campaign staffers preparing for an upcoming election, journalists who need to protect the confidentiality of their sources, or people in abusive relationships seeking safety.
Human rights defenders, environment campaigners and civil society activists working on any number of sensitive issues.
To that could be added high net-worth individuals, VIPs and perhaps politicians and company management using a Google account in a personal capacity (see the infamous attack on the DNC’s John Podesta in 2016).
It first dawned on Google that some users faced a higher risk than others in 2010 when it went public on the aggressive Aurora attacks conducted on its Chinese users by an unnamed nation state that everybody twigged must be China itself.
Google has tried to contain targeted attacks by introducing security protections such as two-step and multi-factor authentication, and HTTPS connections by default, as well as gradually limiting attachment behaviour in Gmail.
Google thinks this is no longer enough and has launched APP with three new protections.
The first is mandating that users authenticate themselves using a hardware token such as the FIDO U2F YubiKey. Other authentication methods (including backup codes and SMS) will no longer work.
These cost a reasonable $18 (£15), but users will also have to buy an additional Bluetooth token (another $25 perhaps) to authenticate from smartphones lacking a USB port. That’s two keys to look after and you can’t lose either without incurring a temporary loss of account access.
It’s not clear whether these will be needed for every authentication, but if they are that will mean users can’t allowlist access from a regularly-used device and will have to plug in a key for every login, from every device.
The extra security of using a token means that attackers who successfully steal your user name and password can’t access your account, even if they also steal the device you normally use to access that account.
Limiting app access
APP’s second defence is to constrain access to accounts from third-party apps, by which it means anything not made by Google. The risk these pose:
By giving permission, you might introduce vulnerabilities that could be used to access your personal data. For example, an app you trust could be exploited or impersonated.
Third-party apps will never be able to access Gmail, Google Drive or Google Photos, and using Chrome to access Google services will become mandatory. Anyone using iOS will have to use Google’s apps to access services.
This feature sounds straightforward enough but this will nix any website or service that either uses a Google account for authentication (or which needs access to it), for example WhatsApp, Dropbox, or the New York Times.
It’s not clear whether users will still be able to forward email to third-party accounts. In principle, there’s no reason why not although whether that’s a good idea for secure email is another matter.
Attackers sometimes try to gain access to an account by initiating a reset after pretending they’ve been locked out. As researchers have noted, this can happen in a number of ways. Under APP, additional checks will become necessary although it hasn’t yet specified what these will be.
The company has said “these added verification requirements will take a few days to restore access to your account,” which makes clear that users resetting credentials could be left without access for some time (including if they lose their tokens – see above).
The extra inconvenience APP adds to using a Google account will be more than worth it for some users. The lingering question is whether, in time, all regular Google users might end up being part of this group given the industrial scale of sophisticated attacks.
That said, users can already opt for a sort of halfway house between standard account security and what APP offers simply by turning on multi-factor verification, either using the Google Authenticator app or, better still, by enrolling a YubiKey. For most people, this might be the place to start dialling up security before tangling with the APP.