Google’s ‘Advanced Protection’ Locks Down Accounts Like Never Before
When it comes to the eternal tradeoff between digital security and convenience, most tech firms focus their efforts on the vast majority of people who choose a painless user experience over a paranoid one. But Google is adding a set of features specifically targeted at those who prefer the latter. You can now lock down your account to a degree that no other major tech firm has ever offered directly to users, convenience be damned.
On Tuesday, Google announced the launch of a new “advanced protection” setting for Google accounts, which makes it harder than ever for hackers to break into your sensitive data on Gmail, Google Drive, YouTube or any other Google property. The opt-in, ultra-secure mode is intended for truly high-risk users, including those who face the threat of state-sponsored, highly resourced cyberespionage. Think politicians and officials, high net-worth individuals, activists, dissidents, and journalists.
As such, it’s a strict and unforgiving system, designed to reinforce every possible weak link that hackers could use to hijack your account. Logging in from a desktop will require a special USB key, while accessing your data from a mobile device will similarly require a Bluetooth dongle. All non-Google services and apps will be exiled from reaching into your Gmail or Google Drive. Google’s malware scanners will use a more intensive process to quarantine and analyze incoming documents. And if you forget your password, or lose your hardware login keys, you’ll have to jump through more hoops than ever to regain access, the better to foil any intruders who would abuse that process to circumvent all of Google’s other safeguards.
“This is basically an extremely heavy-duty way of locking down an account,” says Joseph Lorenzo Hall, the chief technologist for the Center for Democracy and Technology. “Even for people with very limited technology chops, this is a way for them to have an extremely protected profile.”
The Advanced Protection rollout comes in the wake of a series of sophisticated hacking campaigns that have targeted Gmail and focused on the accounts of journalists, activists, and political opponents of the Russian government. Most public of those was the Kremlin-backed intrusion that hit the Gmail account of Hillary Clinton campaign manager John Podesta and led to WikiLeaks trickling out his emails for weeks, with far-reaching political reverberations.
“There is an overlooked minority of our users that are at particularly high risk of targeted online attacks,” reads a blog post about the new feature from Google’s security team. “For example, these might be campaign staffers preparing for an upcoming election, journalists who need to protect the confidentiality of their sources, or people in abusive relationships seeking safety.”
Or, as CDT’s Hall puts it, “If John Podesta had been able to turn this on sometime last year, the world might be a very different place.”
Of all its tightened security measures, Advanced Protection’s biggest day-to-day change for most users will likely be its requirement that they use a physical piece of hardware with every login. Users will have to buy their own so-called Universal Second Factor or U2F keys—one USB key for their desktop that costs around $20, and one Bluetooth-LE-enabled key for mobile that’s closer to $25. Google says it supports any keys approved by the FIDO Alliance, a group that manages identity and authentication protocols.
Those devices represent a significant step up from the purely digital two-factor authentication that has become the Silicon Valley standard. That added layer of protection sends temporary login codes to users via SMS, or generates them with a smartphone app like Google Authenticator. Requiring a U2F token instead of that code makes impersonating a user far more difficult. Unlike one-time codes, those tokens can’t be intercepted on the carrier network, or obtained by hacking someone’s smartphone. More importantly, the hardware-enabled login isn’t vulnerable to phishing sites that spoof Google’s login page, and then use a stolen code and password to immediately hijack the user’s account. The U2F key performs its own authentication step with Google’s site to check it’s legit, and only then supplies a key that logs the user in with no need to type a code.
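The origin check described above, as an added example that is not part of the original article: a simplified model of a U2F login in which the browser writes the visited origin into the signed data, so a challenge relayed through a look-alike site yields nothing the real server accepts. The origins and all class and function names are constructed for illustration, and an HMAC from the standard library stands in for the ECDSA signature a real token produces, so the server here holds a shared key instead of a public key.

```python
import hashlib, hmac, json, os

def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

class Token:
    """Simplified U2F token: one secret per registered origin."""
    def __init__(self):
        self._keys = {}  # key handle -> (hash of origin, secret)

    def register(self, origin: str):
        handle, secret = os.urandom(16), os.urandom(32)
        self._keys[handle] = (sha256(origin.encode()), secret)
        return handle, secret  # assumption: real U2F returns a public key instead

    def sign(self, origin: str, handle: bytes, client_data: bytes):
        app_param, secret = self._keys.get(handle, (None, None))
        # A key handle is only usable for the origin it was registered with.
        if app_param != sha256(origin.encode()):
            return None
        return hmac.new(secret, app_param + sha256(client_data), "sha256").digest()

def browser_sign(token, visited_origin, handle, challenge):
    """The browser, not the page, records which origin the user is on."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": visited_origin}).encode()
    return client_data, token.sign(visited_origin, handle, client_data)

class Server:
    def __init__(self, origin):
        self.origin, self.handle, self.key = origin, None, None

    def enroll(self, token):
        self.handle, self.key = token.register(self.origin)

    def new_challenge(self):
        self.challenge = os.urandom(32)
        return self.challenge

    def verify(self, client_data, signature):
        data = json.loads(client_data)
        if signature is None or data["origin"] != self.origin or data["challenge"] != self.challenge.hex():
            return False
        expected = hmac.new(self.key, sha256(self.origin.encode()) + sha256(client_data), "sha256").digest()
        return hmac.compare_digest(expected, signature)

def login_from(visited_origin, server, token):
    """True if a login started on visited_origin is accepted by the server."""
    challenge = server.new_challenge()  # a look-alike page can relay this value
    client_data, sig = browser_sign(token, visited_origin, server.handle, challenge)
    return server.verify(client_data, sig)
```

A one-time code carries no such origin field, which is why a code typed into a spoofed page can be replayed against the real one.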
Google has supported those U2F keys for the last three years. But Advanced Protection uses a stricter implementation than Google has offered in the past: Only those physical keys—along with a password—will unlock your account. If you lose them, you can’t use a printed out backup code in your wallet, or ask for one to be sent to you. Instead, you’ll have to go through an account recovery process that Google says will be far more stringent and labor-intensive than the one used for normal users when they click “forgot password?”
Google hasn’t shared the details of what that process entails. But the CDT’s Hall, whom Google briefed on the details, says it will include a “cooling-off” period that will lock the account for a period of time while the user proves his or her identity via several other factors. That slowed-down, intensive check is designed to make the account-recovery process a far less appealing backdoor into victims’ data.
Account recovery purgatory isn’t the only user-experience sacrifice Advanced Protection requires. At launch, it only works when you visit Google properties in Chrome. It delays the receipt of attachments and other files by roughly 60 seconds, as it performs a more-rigorous-than-usual scan for malware. And it bans all non-Google apps from accessing your Gmail or Google account, blocking you from exporting your email into any other software like the iOS mail client, Outlook, or Thunderbird.
Hall says all of that means Google needs to communicate clearly to users that Advanced Protection’s security requires a real change in their habits—namely keeping very careful track of two physical slices of silicon—but that its draconian restrictions will reap worthwhile security gains. “If this results in people getting locked out of important accounts all the time, it won’t be used very much,” he warns. “The messaging around this has to be really clear that once you turn it on, it’s a real ‘thou shall not pass.’”
In exchange for those inconveniences, Advanced Protection would in theory protect against some of the most insidious recent attacks on Gmail. The relatively convincing phishing scheme that hooked John Podesta almost certainly would have failed. And even a more clever scheme, like the Google Docs phishing emails last May that tricked users into installing a third-party application that hijacked their accounts, might be stymied; Advanced Protection’s restrictions on non-Google software’s access to Gmail would have prevented it.
All of that means Advanced Protection offers a powerful new bargain for those who truly need it. Your retired uncle whose hacked account has been sending you spam intermittently for years may find the cure worse than the disease. But if having your email penetrated represents a career or even life-ending event, protecting it is probably worth carrying a couple more keys in your pocket.