Google’s Maximum Email Security: Will Users Trade Inconvenience for Safety?
The “much smaller set” of people Google reckons will adopt its new Advanced Protection Program (APP) actually covers a rather wide swath, ranging from election campaign staffers to journalists to business leaders to those who want maximum security in Google’s services. The common denominator among all is a profile that may expose them as easier, solitary targets to exploit. Come to think of it, that may define each of us at some point.
But for now, Google figures that even security-aware individuals can be victimized by phishing scams aimed directly at them. The program isn’t for everyone, Google readily admits, even though the vendor has cooked up what it’s calling its “strongest security,” banking on a security key — a small USB or wireless device that uses public-key cryptography and digital signatures to prove you are really you.
(Note: As part of the enrollment process, you’ll need two keys: A Bluetooth for your phone, tablet and/or PC) and a USB for your PC.)
The catch is users must be willing to relinquish some convenience to know that their personal Google accounts are walled off from phishing attacks. But will they? While the program’s lock down security feature is a strong selling point, who knows if toting around yet another thing will be worth it to users. After all, worrying about where you put your security key and your house/car keys may be a bit much to ask. On the other hand, perhaps someone will design a special clip to attach one to the other.
Still, Google is going with safety over ease. “Sometimes even the most careful and security-minded users are successfully attacked through phishing scams, especially if those phishing scams were individually targeted at the user in question,” Dario Salice, the program’s product manager, wrote in a blog post. “We’ll continually update the security of your account to meet emerging threats—meaning Advanced Protection will always use the strongest defenses that Google has to offer.”
As for the program’s mechanics, signing on to your Google accounts with the stepped up security will require more than an email address and a password — the APP is multi-factor authentication retooled. Thus, should a hacker manage to pilfer your login information, not having your security key will neutralize the attack. And, Google has baked in a layer of “additional reviews and requests for more details” designed to thwart an impostor pretending to be locked out of your account.
In addition to the security key, there was another important issue that interested Google engineers in crafting the APP: It restricts third-party apps from accessing Gmail or Google Drive, shielding people from accidentally approving malicious access to their data. The vendor said it may expand access beyond its own apps at some point. For now, the APP is only available for consumer Google Accounts, and you have to sign up through Google Chrome because it supports the U2F standard for security keys. Google expects that in time other browsers will accommodate the platform, Salice said.
Two last things: We’d be remiss if we didn’t point out that Bloomberg first reported on the program at the end of last month. And, while there’s no mistaking the APP comes in response to the high-profile Gmail attacks that framed last year’s presidential election, Google didn’t gloss over its utility to a broad audience.