Nobody welcomes the prospect of having our online accounts hacked. It's a pain in the neck resetting passwords, warning your contacts, and worrying about the prospect that your identity may be stolen.
But for some of us, the consequences of having our Gmail account compromised by state-sponsored hackers could be even more catastrophic and even life-threatening.
If keeping your account secure is that important and a much higher priority than just convenience, then you will no doubt welcome Google's announcement this week that it is now offering an additional tier of security for its users - more secure than ever before.
Google's announcement makes clear who "Advanced Protection" is aimed at:
"...there is an overlooked minority of our users that are at particularly high risk of targeted online attacks. For example, these might be campaign staffers preparing for an upcoming election, journalists who need to protect the confidentiality of their sources, or people in abusive relationships seeking safety. Sometimes even the most careful and security-minded users are successfully attacked through phishing scams, especially if those phishing scams were individually targeted at the user in question."
Political campaigners? Why, yes. Who can forget that in 2016, Hillary Clinton's presidential campaign manager John Podesta had his Gmail account compromised through an unsophisticated phishing email.
If John Podesta had had a better secured account, it wouldn't have mattered that he entered his password on a bogus login page. And his entire email archive wouldn't have fallen into the hands of Russian hackers, who passed it on to WikiLeaks, who then made it available for anyone to scour through online.
And whether you agree that that hack influenced the U.S. presidential election or not, there is no doubt that it was a distraction for the Clinton campaign and hardly what they wanted to talk about to the American electorate.
Google knows, and hopefully others in sensitive positions like John Podesta also recognize, that tighter security is a must.
Right now, Google Advanced Protection consists of three main technologies to better defend high-risk accounts:
1. A physical security key.
Forget Google's regular two-step verification security feature. Every time you want to log into your account under Advanced Protection, you will need both your password and a physical security key. On desktops and laptops, the U2F (Universal 2nd Factor) security key can be plugged into a USB port to verify your identity. On smartphones, you'll need a security key that works with U2F and Bluetooth Low Energy (BLE).
Existing Google authentication services like codes sent via SMS or the Google Authenticator app will no longer work.
2. Limit data access and sharing.
Advanced Protection will automatically limit third-party apps from accessing your most sensitive data – your emails and your Drive files. Read more below about precisely what this means.
3. Block fraudulent account access.
If you ever forget your account password or lose your security key, Google says it's going to make you jump through some hoops before your access is restored.
As Google describes it:
"To provide you with the strongest safeguards against this type of fraudulent account access, Advanced Protection adds extra steps to verify your identity. If you ever lose access to your account and both of your Security Keys, these added verification requirements will take a few days to restore access to your account."
Google is obviously playing its cards close to its chest about precisely what those "additional verification requirements" are, but those most at risk of targeted online attacks will presumably be relieved to hear that it will be more difficult for imposters to attempt to gain access.
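Why the physical security key in item 1 above defeats the bogus-login-page attack described earlier: the browser binds the assertion to the origin the user is actually on, so an assertion obtained on a phishing page cannot be relayed to the genuine site. This is an added illustration, not Google's code or part of the original article; HMAC-SHA256 stands in for the key's ECDSA signature, and all origins, secrets and challenges are constructed.

```python
import hashlib, hmac, json, struct

# Constructed values (not from the article): the real login origin and a look-alike.
GOOGLE_ORIGIN = "https://accounts.google.com"
PHISH_ORIGIN = "https://accounts-google.example"   # hypothetical phishing site

class SecurityKey:
    """Toy U2F token: HMAC-SHA256 stands in for the key's ECDSA signature, but the
    signed data has the U2F shape sha256(appId) || presence || counter || sha256(clientData)."""
    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def authenticate(self, app_id: str, client_data: bytes) -> bytes:
        self.counter += 1
        ctr = struct.pack(">I", self.counter)
        signed = hashlib.sha256(app_id.encode()).digest() + b"\x01" + ctr + hashlib.sha256(client_data).digest()
        return ctr + hmac.new(self.secret, signed, "sha256").digest()

def browser_sign(key: SecurityKey, page_origin: str, challenge: str) -> tuple:
    """The browser, not the page, fills in origin and appId, so a bogus page can only
    obtain an assertion bound to its own origin."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    return client_data, key.authenticate(page_origin, client_data)

def rp_verify(secret: bytes, challenge: str, client_data: bytes, assertion: bytes, last_counter: int) -> bool:
    """Relying party: check origin and challenge, the signature over its OWN appId hash,
    and a strictly increasing counter (catches cloned keys and replays)."""
    data = json.loads(client_data)
    if data.get("origin") != GOOGLE_ORIGIN or data.get("challenge") != challenge:
        return False
    ctr = assertion[:4]
    if struct.unpack(">I", ctr)[0] <= last_counter:
        return False
    signed = hashlib.sha256(GOOGLE_ORIGIN.encode()).digest() + b"\x01" + ctr + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(secret, signed, "sha256").digest(), assertion[4:])

def demo() -> tuple:
    secret = b"constructed-per-key-secret"
    key, challenge = SecurityKey(secret), "c0ffee"   # constructed; a real RP uses a fresh random nonce
    legit_cd, legit_sig = browser_sign(key, GOOGLE_ORIGIN, challenge)   # genuine login on the real site
    phish_cd, phish_sig = browser_sign(key, PHISH_ORIGIN, challenge)    # victim touches the key on the bogus page
    return (rp_verify(secret, challenge, legit_cd, legit_sig, 0),       # True
            rp_verify(secret, challenge, phish_cd, phish_sig, 0),       # False: bound to the wrong origin/appId
            rp_verify(secret, challenge, legit_cd, legit_sig, 1))       # False: replay of an already-seen counter
```

Even if the relying party skipped the clientData origin check, the relayed phishing assertion would still fail, because the key signed over the hash of the bogus origin rather than the genuine one.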
All this additional security comes at a price, of course:
- You'll no longer be able to use third-party apps to access Gmail or Google Drive, which means you'll be waving goodbye to the likes of Thunderbird, Apple Mail, or Mailmate. Instead, you'll have to resort to using the web-based interface to Google's services via Chrome or the Gmail app or Inbox by Gmail. Google says it plans to widen the number of approved apps in time, but for now, there are no promises that your favourite email client will be on that list.
- If you're an iPhone user, you will need to get out of the habit of using the Apple Mail, Contacts, or Calendar apps, as they won't be able to access your Google data. Instead you'll need to switch to Google's equivalent apps.
- And forget about using anything other than the Chrome browser to sign in to Google's online services.
I imagine that for many users, these restrictions will prove to be too much of a nuisance to see a widespread adoption of Google's new advanced protection feature. But if you are in one of those at-risk groups where the security of, say, your email or cloud-based drive service is paramount, then maybe this is an acceptable price to pay.
If you're a consumer user of Google's services, you can sign up for Advanced Protection
The feature is currently unavailable for corporate G Suite accounts, although comparable protection is available to G Suite admins through Security Key Enforcement and OAuth apps whitelisting.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.