How to secure your accounts with Google’s Advanced Protection Program


Nov 10th, 2017

Google released something unusual last month called Advanced Protection Program. The basic idea of this program is pretty simple, using physical security keys to act as second step verification of your G-mail account. And obviously, all of the Google applications including YouTube are covered by this program. Feitian is really honored to be involved. Then how to secure your accounts with Google’s Advanced Protection Program? How does the security key work? Feitian invites its technical support engineer Ivan Yuan to test with the two security keys: Feitian ePass FIDO and Feitian MultiPass FIDO. Here’s a brief introduction from him.

“This is Ivan from Feitian. I’m pleased to test this program. Google says its Advanced Protection Program provides the strongest security for people who care about security the most. If you are, you may follow me and have a look at how it works and how secure it is”.

Firstly, let me take a look at what Google says about the Advanced Protection at https://landing.google.com/advancedprotection/

In case you guys lack time reading it, I have summarized some major points about Google's introduction:
- Working on personal accounts and it is especially for journalists, activists, business leaders, and political campaign teams.
- It will need 2 security keys (One for back-up), and you need to buy them from 3rd party vendors.
- Limit data access to 3rd party apps. Example, using outlook to sync your G-mail account.
Click "Get Started" to enable the Advanced Protection if there are no further questions.

Google has made a very friendly guide for users to enable this protection and to register 2 security keys. Also, the guide has proper links to the site where the users can find the recommended security keys. Please note that the security keys in the guide are just a recommendation. Google Advanced Protection is using FIDO U2F technology. This standard is open and widely used by a lot of applications. Many vendors provide FIDO security keys. You can choose whatever brand of FIDO U2F security key to use in this Advanced Protection.


* The security keys I’m using today are Feitian ePass FIDO and MultiPass FIDO


After getting the two security keys, just follow the guide and add 2 security keys on your PC. Nothing tricky.One thing that may need to be mentioned is that it seems Google does not allow security key registration from mobile devices. Which means that you have to register from your PC and then you can use it on your mobile phones. Oh, one last remind, Google Chrome browser is needed.

     

Google has been using security key in 2-step verification for quite some time. And I am also using security key on my personal Google account. So here I am wondering how do the Advanced Protection Program deal with my old keys which are already registered with my account. And the result is, enabling the advanced protection will remove ALL OF the 2-step verification methods you were using before in this account. You can no longer log in to the account by using SMS OTP, Google Authenticator, Voice OTP call or E-mail. And the security keys you were using before will also be removed (You do can register your old keys again though).

This clearing is a little bit surprising but on the other hand, makes me feel pretty good. Having multiple measures for verification definitely offers better user experiences, as users can always find a way to log in their accounts. However, from the security perspective, this also means giving hackers more possibilities to access your accounts. It is well known that one-time password is not a very strong verification method as opposed to security key. Now you see the problem, the option of using OTP will always low the security level of your account no matter what other methods you have enabled. Hackers can always choose to use OTP to log in.

This problem got solved in Advanced Protection as you can only use security keys for the 2-step verification.

Google accounts can be accessed by so many applications from different platforms. The next step for this test is to find out whether an Advanced Protection enabled account can be used smoothly in different platforms without unexpected errors or vulnerable methods that can avoid the verification.

Android:
There is no doubt that Android should have the best compatibility on Google account as they are from the same family. It is impressive that you do not need to install anything on your Android phone to use security keys to log into your Google account. All of the needed functions are available in Google Play.

The test result shows that Google did a nice job on Android. I tried to log in my G-mail account from G-mail app and browser. They both automatically called and jumped to Google Play and force you to verify with the security keys.

     

Most of the mobile phones have Bluetooth. You can always use the Google recommended Feitian MultiPass FIDO security key to verify over your Android phone with Bluetooth. The first time you will need to pair the security key with your phone.

          

          

And if your phone has an NFC sensor, you can also choose to tap the security key to NFC sensor to pass the verification. For me, as I am a super lazy person, I prefer to user NFC. Tap and done, very handy.

     

iPhone:
Here is the interesting part. We all know that Apple often goes its own way. So I am very curious how iOS supports the Google Advanced Protection.
I tried the same thing I did in Android and I found that we need to download an application called “Smart Lock” in iOS to accomplish the security key 2-step verification. This “Smart Lock” works like Google Play in Android. Google application will call it when 2-step verification is needed. One tricky part you may find is the Bluetooth pairing. iOS does not support NFC, Bluetooth is the only way for using the security key. However, the Bluetooth security is not detectable in iOS Bluetooth scanning page. The correct way for pairing this security key is using “Smart Lock”. The figures below will help you better understand the flow.

                    

               

Conclusion:
The Google Advanced Protection Program certainly increased the security of protected Google account to a very high level. As Google said, a niche group of people will love it. However, cybersecurity will finally be an issue for everyone. The security key is mandatory in this Advanced Protection Program, but the Program is not mandatory for every Google account.
Common users tend to care more about experience than security, which is not expected from the security perspective. Google’s next target should be setting a stronger guide and letting more users try and be protected by this program.

About the compatibility and user experience, nothing to complain, it works smoothly for mobile platforms. A little issue though, I would like to have more user notifications, especially on the Bluetooth pairing in iOS.

Click HERE to get user manual

Click HERE to get all SDK and datasheet