What it's like to live under the Google Advanced Protection Program

I am not what I'd call a Very Important Person. I still consider myself a journalist of sorts (and it's what's on my college degree), but I wouldn't say I practice it in the way I did back when I made newspapers. I also am neither an activist, business leader, or am on a political campaign team.

Am I really a candidate for Google's Advanced Protection Program? Do I really need the strongest account security Google offers publicly?

I'll answer that in a minute. But first, I'll define what I think I am these days: I'm approaching middle age while watching my daughters begin their online lives, and I'm as convinced as ever that the Internet is inherently backwards and broken, and we all need to take our online security more seriously. (That is, if we're thinking about it at all.)

The question you have to ask yourself is why wouldn't you want to protect your online life as best you can.

Two-factor security should be mandatory. If a service doesn't provide it, you probably shouldn't use that service. But all two-factor schemes are not created equal. One-time passwords sent by SMS can be intercepted by a determined attacker. Software-based tokens are better, but not infallible. Better, still, are physical hardware keys. A physical key that you plug into a computer via USB, or by NFC or Bluetooth, that you connect to an account. Don't have the key? You're not getting in.

This is all part of the FIDO Alliance — "the World's Largest Ecosystem for Standards-Based, Interoperable Authentication" — and U2F, the "Universal 2nd Factor" experience born from FIDO. You can basically think of U2F and 2FA as the same thing, and FIDO is the group that makes the standard happen, with folks from Google, Microsoft, Lenovo and Amazon (among others) on its board.
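To make concrete why a hardware key beats an SMS code, here is a small Go simulation of the U2F login flow. It is an added example, not code from the article or from any FIDO or Google implementation: the key holds one key pair per site it was registered with, signs a message that includes the hash of the site's identifier (the appID) plus a counter, and the site verifies that signature with the public key it stored at registration. The origins, key handles and challenge strings are constructed for the example. The point it shows is that a code typed into a look-alike site can be relayed, but a U2F assertion is bound to the real origin and to a counter, so neither a phishing relay nor a replay gets through.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SecurityKey models a U2F authenticator: one key pair per registration,
// each bound to the appID it was created for, plus a signature counter.
type SecurityKey struct {
	keys    map[string]*ecdsa.PrivateKey // key handle -> private key
	appIDs  map[string]string            // key handle -> appID bound at registration
	counter uint32
}

func NewSecurityKey() *SecurityKey {
	return &SecurityKey{keys: map[string]*ecdsa.PrivateKey{}, appIDs: map[string]string{}}
}

// Register creates a fresh P-256 key pair bound to appID. The relying party
// stores the returned handle and public key with the user's account.
func (k *SecurityKey) Register(appID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	handle := fmt.Sprintf("kh-%d", len(k.keys)+1) // placeholder handle for the example
	k.keys[handle] = priv
	k.appIDs[handle] = appID
	return handle, &priv.PublicKey, nil
}

// Assertion is what the key hands back during authentication.
type Assertion struct {
	UserPresence byte
	Counter      uint32
	Signature    []byte
}

// signedData lays out the U2F authentication message:
// SHA-256(appID) || userPresence || counter (big-endian) || SHA-256(clientData).
func signedData(appID string, presence byte, counter uint32, clientData []byte) []byte {
	appHash := sha256.Sum256([]byte(appID))
	cdHash := sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	buf := make([]byte, 0, 32+1+4+32)
	buf = append(buf, appHash[:]...)
	buf = append(buf, presence)
	buf = append(buf, ctr[:]...)
	return append(buf, cdHash[:]...)
}

// Authenticate signs over the appID the browser reports. On a look-alike site
// the browser reports that site's origin, so the handle does not match and the
// key refuses; nothing usable ever reaches the attacker.
func (k *SecurityKey) Authenticate(appID, handle string, clientData []byte) (*Assertion, error) {
	priv, ok := k.keys[handle]
	if !ok || k.appIDs[handle] != appID {
		return nil, errors.New("key handle not registered for this appID")
	}
	k.counter++
	digest := sha256.Sum256(signedData(appID, 1, k.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{UserPresence: 1, Counter: k.counter, Signature: sig}, nil
}

// RelyingParty is the site: it keeps the public key and the last counter seen.
type RelyingParty struct {
	appID       string
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

// Verify checks user presence, a strictly increasing counter (replay defense)
// and the ECDSA signature over the message rebuilt with the site's own appID.
func (rp *RelyingParty) Verify(a *Assertion, clientData []byte) bool {
	if a.UserPresence != 1 || a.Counter <= rp.lastCounter {
		return false
	}
	digest := sha256.Sum256(signedData(rp.appID, a.UserPresence, a.Counter, clientData))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], a.Signature) {
		return false
	}
	rp.lastCounter = a.Counter
	return true
}

type DemoResult struct{ Legit, Phished, Replayed bool }

// Demo walks through registration, a real login, a relay from a look-alike
// origin, and a replay of the captured assertion. All values are constructed.
func Demo() (DemoResult, error) {
	key := NewSecurityKey()
	const realAppID = "https://accounts.example.com"  // constructed
	const phishAppID = "https://accounts-example.com" // constructed look-alike
	handle, pub, err := key.Register(realAppID)
	if err != nil {
		return DemoResult{}, err
	}
	rp := &RelyingParty{appID: realAppID, pub: pub}

	clientData := []byte(`{"challenge":"n0nce-1","origin":"` + realAppID + `"}`)
	a, err := key.Authenticate(realAppID, handle, clientData)
	if err != nil {
		return DemoResult{}, err
	}
	res := DemoResult{Legit: rp.Verify(a, clientData)}

	phishCD := []byte(`{"challenge":"n0nce-2","origin":"` + phishAppID + `"}`)
	_, err = key.Authenticate(phishAppID, handle, phishCD)
	res.Phished = err == nil // stays false: the key refuses the foreign origin

	res.Replayed = rp.Verify(a, clientData) // stays false: counter did not advance
	return res, nil
}

func main() {
	res, err := Demo()
	fmt.Printf("legit=%v phished=%v replayed=%v err=%v\n", res.Legit, res.Phished, res.Replayed, err)
}
```

The counter check is what lets a site notice a cloned key: if a copy of the key is ever used, the counter the real key reports will eventually fall behind what the site has already seen.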

The basics of the Advanced Protection Program

Physical hardware keys have been around as a second form of authentication for years, and they've been a security option for Google accounts for quite some time.

Google's Advanced Protection Program makes them a mandatory mechanism for logging in, and it makes them the only 2FA option. You'll still have your Google password, and now you'll have to use a physical hardware key in conjunction with that password to access your account. No more SMS codes. No more Google Authenticator app. No phone calls. It's password-and-key, or you're not getting in.

It's that simple, really. But Google does go a bit further. You'll still be able to log in to websites with your Google account. But apps that can access Gmail or Google Drive files will be severely limited. Here's how Google puts it:

To help protect you, Advanced Protection allows only Google apps and select third-party apps to access your emails and Drive files. As a trade-off for this tightened security, the functionality of some of your apps may be affected. Most third-party apps that require access to your Gmail or Drive data, such as travel tracking apps, will no longer have permission. And you will only be able to use Chrome and Firefox to access your signed-in Google services like Gmail or Photos. Apple's Mail, Calendar, and Contacts apps will continue to be able to access your Google data as normal.

That'll probably be the biggest hurdle you'll face in day-to-day use.

Google also throws extra roadblocks in front of someone if they try to pretend that they're you and you're logged out of your account.

A common way that hackers try to access your account is by impersonating you and pretending they have been locked out of your account. To give you the strongest protection against this type of fraudulent account access, Advanced Protection adds extra steps to verify your identity during the account recovery process. If you ever lose access to your account and both of your Security Keys, these added verification requirements will take a few days to restore access to your account.

That's not one I've had to experience yet, but it doesn't sound like fun.

Authenticating with the Google Titan key

Most of us outside of a secure work environment won't have to use a physical key to authenticate very often, so it's more like an extremely strong method of protection.

What it's like to use Google Advanced Protection Program

First, hit up Google's Advanced Protection Program website. You'll be instructed to grab a couple of U2F keys. Previously Google recommended third-party keys, which are fine. But now that the Titan keys are available in the Google Store, it's just as easy to grab them. The way you use them will be exactly the same.

Once you have them, you'll actually enroll in the service. That'll turn on all the protections — and it'll also log you out of everything, for obvious reasons.

So, it's time to log back in. Or not. This is where things get a little interesting.

I now have to use Gmail in a web browser instead of in a wrapper like Mailplane or Shift. That's been a minor annoyance, but not really a showstopper. (Hell, it's one fewer app to be running in the background.) But it also means that Mac OS no longer has access to Gmail, either. That actually was a little surprising, given how well the Advanced Protection Program works with iOS via a helper "Smart Lock" app. Maybe it'll change at some point. But on the other hand I wouldn't trade Gmail in a browser for Apple's Mail app.

The Google Smart Lock app on iPhone X.

Logging back into phones was easy enough. For that I used my Bluetooth/USB fob. The one I've had for a month or so now charges via microUSB, which is a little annoying. But, again, not a deal-breaker. If I want to use it with a phone, I connect via Bluetooth. If I want to use it with a computer, I plug it in. Easy enough. I've also used the Yubikey Neo, which is USB-A and has NFC built in, and it works great, too. Note that if you're using an iPhone, you'll need something with Bluetooth, at least until NFC is officially opened up in iOS 12.

Logging into a Pixelbook took all of 10 seconds. Type in my password, plug in a key and authenticate, and I'm up and running. (Though if you're really using a Chromebook and really using Advanced Protection you'll want to make sure you have other basic log-in security implemented, so someone can't just open the thing up and start using it. Same as any other laptop, really.)

The biggest hiccup for me has been with the NVIDIA Shield TV. (When you get logged out of everything, you get logged out of everything.) You'd think you'd be able to log into it just like an Android phone. (Because it's an Android platform, after all.) But for whatever reason, it just doesn't work, same as if you tried to log in from some other untrusted third-party source.

Beyond that, things pretty much have been seamless. It's not like I have to log in to my account every day. (Though in some business environments, that's exactly what this physical key scheme is great for.)

If I do need to log in to a new device somewhere, I just have to make sure I have my key on me. So I keep one on my keys, and a backup in a safe place. (No, I'm not telling you where.)

By the way: You can un-enroll from the Google Advanced Protection Program if you just can't live with it. But I haven't felt that urge at all. Also, you can un-enroll keys from any service at any time -- you'll just have to remember which services you use a key with. (Or you can always just destroy a key if you're done with it.)

A smattering of U2F hardware keys

There's no single perfect key for everyone — it's very much going to depend on what devices you need to authenticate.

Which U2F key is best for Advanced Protection?

Here's where things really come down to your own situation. You can get a straight USB-A key. You can get a USB-C key. You can get a nano key (USB-A or USB-C) that lives in your laptop most of the time but doesn't get in the way (outside of taking up a port). You can get something with Bluetooth, or NFC.

You don't have to use Google's Titan Security Key if something else will work better for you.

(A note on that, though: The USB model of Google's Titan Security Key includes NFC, but it won't work at launch. That'll require a behind-the-scenes update on your phone. Other hardware keys handle NFC just fine, though, if you have to have it right this second.)

It all depends on just how often you need to log in to whatever it is you need to log in to, and the kind of device you're using. If your business requires daily authorization, but at a trusted computer (say, behind a bunch of locked doors), then maybe a USB-A nano key is the way to go. If, like me, you don't need to log in very often but still want everything Advanced Protection offers, something larger might not be awful. If you have a USB-C laptop and USB-C phone, well, that makes that decision even easier. It's going to vary depending on what you use.

And you don't necessarily need Google's Titan key, either. They function exactly the same as other U2F keys — only these have the might of Google behind them, controlling the firmware that's inside. (And that is a good selling point.) And unlike other keys, which can be manipulated by an IT department, the firmware is totally locked down. You'll be using these as Google intended.

So is Google's Advanced Protection Program the right thing for you?

That's one of those things that I can't answer for you.

The Advanced Protection Program is a little overkill, but it's also the right way to do security.

On one hand, I want to say yes, it is. I've found the tradeoff between security and annoyance to be minimal. It's not going to completely replace SMS codes and software-based tokens in any event, though it'd be nice if it did. The simple fact is not enough services use hardware keys. (And some only allow them as secondary 2FA methods.) Hit up twofactorauth.org to find out if your favorite service uses them.

And I'm really close to putting my daughter's account on it. (If I haven't already, because now that I'm writing this …)

I've had to help too many family members reclaim accounts before. It's just too easy to accidentally click on links that should never have been clicked. It happens to the best of us.

What we need is stronger back-end support to go along with the knowledge that the internet is backwards and broken and we have to be more vigilant.

Google Advanced Protection gives that support.

It's just up to us to use it. And I'm not turning it off.

  • "What it's like to live under the Google Advanced Protection Program" Like living In a 1984ish world.....
  • Kind of the opposite really... This is designed to keep prying eyes at bay, not allow "big brother" easy access to your stuff. There's a lot wrong with the world, and a lot wrong with Google, but in that particular setting the people behind these particular services would be sitting in a steel chair in a small concrete cell screaming "do it to [name of significant other]!" while rats ate their eyeballs.
  • Google is big brother
  • Assuming that is true, what's your point as it relates to this? Also, it is a bit semantic, but 1984 is a film about governmental oppression... It's not a dystopia that's really analogous to the one that megacorps like Google are shoving us toward... I know, I'm being unnecessarily argumentative lol.
  • One could argue that Google's Big Brother tendency is worse than or on par with government Big Brother. And I did use a qualifier: 1984ish. Keyword: ish.
  • One could, but it would have absolutely nothing to do with what we're talking about here. Congrats on getting some attention, though.
  • Responding to the fuzzy.
    And how big was the sample size on this?
  • What happens when you get a new phone or other device? But especially an Android phone and you are doing initial setup or restoring from a factory reset. I can (and have) used Authy. Previously, I had to disable 2FA temporarily and go through re-setting it up.
  • I was just thinking the same thing myself. It isn't made clear in the article. I would hope if you had the usb-c model and a usb-c phone it would be as simple as plugging it into the phone. Or if you have the NFC type, go through the set up process without logging into your Google account, turn NFC on, and then set up your account. It can't be that hard, and either of those two options sound easier than turning off 2FA on your account first.
  • Here's what happens: Type in your Google username. Type in your password. Authenticate via a hardware key. ... In the case of a phone, probably via Bluetooth or NFC. Either is just as easy. And that's it. You just have to make sure the key is with you.
  • Thanks!
  • This won't take off on a mass market consumer scale... It's troublesome enough getting people to use 2FA at all without adding hardware they have to buy and can readily lose into the mix... I doubt it'll even take off with techy types in the long term. The process seems a little too.... Clumsy.
  • The process is super easy. The hard part, actually, is getting services to use U2F — and getting them to use it right. Out of all the things I use, only Google and Dropbox fit that bill.
  • You may have inadvertently proven his point. If the services don't adopt 2FA and people are already averse to complicated passwords (because most IT departments still believe that you have to have capitals, lower case, symbols and numbers to be safe) and now they have to carry around something else, it just seems to be a futile effort. People already carry around dongles and PIV cards for 2FA now. They get lost or broken. While I agree that more security is better, I tend to agree that adoption will still be pretty low. There's a reason why after so many years the list of most common, do-not-use passwords has changed very little. People are just generally lazy and some people should never even be allowed on a computer, but they are told that they have to or they get left behind.
  • I didn't say I disagreed. :)
  • I'm curious to know what data google will be retrieving from these keys as well...
  • Ummmm, none, really? It's a public/private key thing, and it'll be the URL (and/or IP, I bet?) of the originating request.
  • What Phil said. These are not thumb drives.
  • Great article, Phil! I wish I could encourage more of my peers to use stronger methods of 2FA. I signed up for the APP shortly after it was announced. I use it for the account that serves as my recovery email for LastPass. Talk about peace of mind! It's really not that much of a pain. I'm an Android user and use Chrome as my primary browser, so it "just works". The APP certainly isn't for everyone, but it works as advertised and is worth considering.
  • Thanks! It really has been easier than I expected.
  • Do the Google keys work with third party services that use, like your password manager or backup program? I know not all Yubikeys work with all services.
  • AFAIK, they should. It's basically just a U2F key with locked firmware. (Unlike Yubico, which allows some manipulation.)
  • Another vote for patching NVIDIA Shield... 👍
  • Just have patience. :)
  • Good article Phil. Too early this morning to get all involved in this - but yeah - I agree - a lot is going to be dependent on 3rd party apps being compatible. Or have Google create a portal app that all 3rd party apps can use. One that cannot be spoofed. ??? If it isn't user friendly, people are not going to use it. Except for the Nerdy...
  • I have one question. It's said in the article that it's more limited to third party applications accessing my Google account. Will this be an issue with logging into my account on, say, an Xbox for YouTube? Or should I have to simply re-sync with the system after setting it up?
  • Been a little while since I implemented it, but I think you should be OK? (YouTube shouldn't need access to mail or Drive, so that should be outside the blacklist?)
  • > You'll still be able to log in to websites with your Google account.
    This is a patently *bad* idea -- maybe you should rethink the way you are using these websites instead of hardening your Google authentication... and, incidentally, you will feed Google less information about yourself.
    > I now have to use Gmail in a web browser instead of in a wrapper...
    Which means that every time you visit a site with a Google+ icon (like the one on the left of this page) it gets cross-referenced with the Google ID you are currently logged into. I understand how Google benefits from it; I am not all that sure that you do, and I know that I do not. Please, do not bother pointing me to Jerry's "Google collects data to provide better services" article -- I have read it and I, respectfully, disagree.
  • I suggest unplugging your computer, too.
  • Why can't you insert the hardware key into a phone like the Pixel? Also, I have the Endomondo fitness app that connects to other apps via Google logon, so this means that to use this 2FA method the apps will no longer communicate -- is that correct?
  • Not necessarily. Depends on the permissions it has.