As rumored late last month, Google today announced its “Advanced Protection Program” to protect personal Google Accounts of “those most at risk of targeted attacks—like journalists, business leaders, and political campaign teams.” The central defense is a physical Security Key that replaces other forms of two-factor authentication (2FA).
Google considers the Advanced Protection Program an “unusual step,” intended for the overlooked minority of users who are at particularly high risk of targeted online attacks:
For example, these might be campaign staffers preparing for an upcoming election, journalists who need to protect the confidentiality of their sources, or people in abusive relationships seeking safety. Sometimes even the most careful and security-minded users are successfully attacked through phishing scams, especially if those phishing scams were individually targeted at the user in question.
Google notes that the Advanced Protection Program isn’t for everyone, with the company recognizing that users will be trading “a bit of convenience for more protection of their personal Google Accounts.”
At the moment, Google’s “strongest security” is composed of three aspects:
- Physical Security Key: To guard against phishing, a physical Security Key will be required every time you log into a device. This will replace and disable other forms of authentication like SMS and the Google Authenticator app.
- Limit data access and sharing: Third-party apps will no longer have access to Gmail or Drive, with email only available through Gmail or Inbox clients. Due to iOS apps not supporting Security Keys, Google notes that the Apple Mail, Contacts, and Calendar apps will not work, with users being forwarded to the first-party apps on iOS. Meanwhile, Google services that require a sign-in, like Photos, will only be available through Chrome.
- Blocking fraudulent account access: The last measure is designed to counter impersonators who claim to be locked out of their account. Google notes that “extra steps,” like additional reviews and requests for more details, are in place during the account recovery process. This process will “take a few days.”
Google will add more security measures in the future, with those in the Advanced Protection Program being the first to receive new features:
Once you enroll in Advanced Protection, we’ll continually update the security of your account to meet emerging threats—meaning Advanced Protection will always use the strongest defenses that Google has to offer.
The program is open to anybody with a personal Google Account, though users will need a physical Security Key, as well as Chrome, to sign up. Meanwhile, G Suite accounts already have “comparable protections.”