Government officials and journalists who use Google services were the first to be invited to use the advanced Gmail account security services announced Tuesday. Experts say it’s no security panacea, but the tools Google provides under the Advanced Protection banner give any private Google user top-notch security.
The Advanced Protection offering consists of three tiers of protection for those who might need it, such as campaign workers and journalists, Google said Tuesday. Google explains it’s these types of Google account users who are targeted most aggressively by adversaries interested in compromising communications or hacking into accounts to steal sensitive data.
Features include hardware-based two-factor authentication (requiring two physical security keys), limiting full access to a user’s Gmail and Drive to specific apps, and requiring extra steps during the Google account recovery process.
“Third-party apps that want access to Gmail or Drive will no longer have permission. For secure access, you will need to use the Gmail app or Inbox by Gmail,” Google explains. “You will only be able to use the Chrome browser to access signed-in services like Gmail or Photos.” Google also explained a set of unspecified steps would be required of anyone who loses access to their account accidentally to prevent a hacker from hijacking the account. “These added verification requirements will take a few days to restore access to your account,” Google said.
“We call this Podesta-proofing your Google account,” said Joseph Hall, chief technologist at the Center for Democracy and Technology, referring to the attack against Hillary Clinton’s campaign manager John Podesta’s personal Gmail account during the last election.
“In addition to the John Podestas of the world, activists, victims of domestic abuse and billionaires are just a few of the people who will be able to benefit from this technology,” Hall said. “Anyone targeted by a nation state or a highly motivated attacker can really benefit from this technology.”
Currently the service is open to personal Google account holders, but requires two Bluetooth or USB hardware-based security keys to turn on the service. The free Advanced Protection is not available for commercial G Suite account users.
Google calls the offering an “unusual step” to protect “an overlooked minority of our users that are at particularly high risk of targeted online attacks… Advanced Protection provides Google’s strongest security, designed for those who are at an elevated risk of attack and are willing to trade off a bit of convenience for more protection of their personal Google Accounts.”
Experts warn turning on the advanced protection won’t be for the faint of heart and will place strict limits on how a Google account interacts with other services online and within the context of mobile devices such as tablets and phones. “Lose your password and you may risk never regaining access to your account again,” Hall said.
“I’m encouraged to see Google bringing some of the advanced threat protections from their business products to the select consumer communities,” said Allen Falcon, CEO of solution provider Cumulus Global.
Falcon said what Google is offering are services available as part of its existing G Suite licenses or as paid add-on services running on the Google Cloud Platform. “As such, it is a comparable add-on to those available with other cloud services. The Security Key enforcement replaces texted keys with a physical key that must be present,” he said.
On the downside, experts point out, Google’s Advanced Protection does not support encrypted email. However, G Suite Enterprise, at $25 monthly, does support the use of encryption keys.
For Google this solves a big problem, said Eric Hodge, director of consulting at CyberScout. He said that for the past six months Google has had confidence in its services slowly undermined by phishing attacks.
“We are seeing a record number of attacks where people are being tricked into authenticating to fake Google pages,” Hodge said.
Earlier this summer, Google said it had disabled the offending accounts involved in a widespread spree of phishing emails impersonating Google Docs. The emails primarily targeted journalists and attempted to trick victims into granting a malicious application permission to access the user’s Google account.
“What Google is doing is going to be effective. It’s going to be expensive and hard to manage at scale,” Hodge said. “It’s also going to be a real pain for users who are going to have to carry around a little piece of hardware to access their Gmail account. But I guess if you’re John Podesta, or someone like him, you’re going to want to use one of these advanced tools.”
Google did not indicate when or if the service would be opened up to a larger portion of its user base.