Thursday, December 6, 2018

About joining the Google Advanced Protection Program

I'm very cautious (and paranoid) about the security of my Google account. I constantly take drastic measures to minimise the risk of being the victim of social engineering and other related attacks.

There are a lot of the measures I take to ensure a minimal risk, one of which is: multi-factor authentication. I am an extremely strong advocate of multi-factor authentication and I believe that just having a 'password' will make any account highly vulnerable to attacks.

I have ditched server companies and closed many related financial-related accounts for not providing multi-factor authentication.

Around two years ago, I had made the decision to use a security key to secure my Google account. It was a huge security step I've taken. At that time, I shut down the ability to use my phone number as a two-step authentication method. I carried my security key everywhere around.

However, it was impossible to login to some apps like the Mail app on iOS and macOS (Because the security key works only with Google Chrome). So, I used to use recovery codes which I had generated before adding the security key.

However, the existence of those recovery codes at the end made me uncomfortable. Even, the ability to generate them had me confused. I wanted my Google account to be accessible only via Security Key.

Fast-forward two years later, Google has a program called: Google Advanced Protection Program. It does exactly what I wanted (with extra stuff as well). Here is a video which explains what the program is:

First, it would be impossible to login on a new computer without possession of the security keys. No backup multi-factor authentication or backup codes will be available.

Second, most non-Google apps won't be able to access Gmail and Drive data. There are thousands of apps on the iOS and Android store which request access to this data to accomplish one task or another (Such saving files to Google Drive or Managing Email). I will never be able to use my Google account on such apps. This might prevent me from accessing a lot of services and apps, but for me, the security is more valuable than the usability.

Third, I won't be able to use my account to login to apps which don't have two-factor authentication.

And, finally, if I lose access to both of my security keys, account recovery will take days to process. Google would need to verify a lot of data and a human-check needs to happen:

More importantly, as per confirmation email received, new security features will be added in the future to stay up-to-date:

Anyone can join this program, all you need to do is order a specific set of two security keys, for me those are the keys I bought:



Post a Comment