Advanced Protection Program: How has Google improved security?

Google recently introduced their new Advanced Protection Program, which is designed to improve security around Google accounts. What features does the program offer, and what threats does it address?

Google created the Advanced Protection Program after noticing that particular individuals were being targeted by malicious actors.

The Advanced Protection Program is designed to create a more restrictive way for users to access their accounts and deter unauthorized access from occurring. By utilizing this multifactor authentication method, limiting the ability for third-party access and adding a more stringent form of account recovery, Google increased the security of those users that need to secure their accounts at all costs. This is particularly useful for targeted users who work with sensitive data, such as journalists, and those who rely on security over convenience.

First, Google introduced another method of multifactor authentication by using a security key to validate that the user is actually in front of the system when access is being requested. This key has to use the FIDO standard to authenticate the user to the device, and is something like a USB YubiKey for a desktop or the Feitian MultiPass Bluetooth tool for a mobile device. The second factor authenticates a user to the device without having to use text messages or other authenticator apps. The key also only works for accounts that have signed up to work with FIDO, and phishing is reduced, as other sites won't have the proper keys configured.

Overall, APP is taking the approach that if Google does not code the applications, then it doesn't trust them -- this also goes for any browsers outside of Chrome.

Second, accounts set up with the Advanced Protection Program are not able to use third-party apps to access Google accounts -- meaning your favorite third-party mail or calendar app won't work on your mobile phone or desktop. Overall, APP is taking the approach that if Google does not code the applications, then it doesn't trust them -- this also goes for any browsers outside of Chrome. If the applications accessing a Google account aren't natively created by Google, then you won't be able to access your accounts on Google's platform, as the company is focusing account security access on software it can manage and protect.

Lastly, Google added additional restrictions to recover accounts that might have lost their keys. However, this doesn't happen right away, and it will take days to restore access back to the account, but this is a helpful feature for users who might have malicious actors looking to gain access to their account. The delay should be enough to let legitimate users know an attacker is attempting to gain access to their account.

Google has done a great job in creating this service, and users that are willing to give up convenience for security in their Google accounts should look into it -- this isn't for everyone, and it is designed for users who are actively targeted by malicious actors looking to compromise their accounts.

Two-factor authentication options would probably be better for the everyday Google account user, but for those that want an extra layer of protection with less accessibility when accessing their Google accounts, then the Advanced Protection Program is a good choice.

Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)