Why and how I enrolled in Google’s Advanced Protection Program

Physical security keys are at the heart of the company’s efforts to protect high-profile targets

The Google what now? It sounds like something that a dark TV thriller might be built around, but actually it’s a cool way of upping the security surrounding your Google account. 

Google says its Advanced Protection Program (APP) “safeguards the personal Google Accounts of anyone at risk of targeted attacks – like journalists, activists, business leaders, and political campaign teams”. Until recently, I never considered myself a prime target for threat actors. Sure, I’ve been writing about cybersecurity for decades now and have a high profile – but only amongst geeks and readers of the various, admittedly a little geeky, publications my words appear in. 

Then I became a high-profile security writer and everything changed. All of a sudden I was much more in the public gaze with all that brings, good and bad. That bad has undoubtedly included more attention being paid to the security of my own online accounts. My web pages, so my firewall logs inform me, are under pretty constant attack from all the usual suspects in terms of country and attack types. I employ the best defences I can, of course, including two-factor authentication (2FA) everywhere it’s available. 

The one account that, despite using app-based 2FA, has always concerned me the most is Google. After all, get into your Google account and if you use Gmail or Google Drive or, well, the list goes on, and the data on offer is like gold dust to an attacker. Then I was advised by Google, as working in an “at risk” occupation, to join the APP. So I did. 

So, what’s involved? Actually, it’s simple. APP pushes the whole 2FA thing one step further, requiring the user to use a physical security key. That can either be a Google Titan hardware key or a Yubico key (Titans are made by Yubico anyway) or the one in your Android phone. I opted for the former as I wanted a level of separation that took me away from the phone in my pocket. The key Google refers to is the one built into Android 7 and above devices; or, for users of an iPhone running iOS 10 or above, the one that becomes available with the Google Smart Lock app.

Obviously, the phone key is the easiest and cheapest route, and should be secure enough for most people. I’m not most people, though, and wanted the extra confidence that a hardware key brings. I opted for the Titan keys (you need two) rather than Yubico as I have already used those and wanted to see how easy the Google ones were to use. The answer? Very easy indeed. 

You need two both to provide a backup and to allow for wireless and USB usage depending on the device from which you need to authenticate your account. That means coughing up £50 for the pair, which is cheap if you consider how valuable access to your account really is. 

Once your keys are registered with Google and signed up with APP, your other second-factor authentication methods no longer work – which is a good thing, obviously. Nor, for that matter, do most third-party apps that require access to Gmail or Drive for some of their functionality. Oh, and you can only access Gmail or Photos using a Chrome or Firefox browser. All of which sounds like stink, but it’s the trade-off for better security and worth every bit of it in my opinion. APP only allows Google apps, and “select third-party apps” such as Apple Mail, Calendar and Contacts, or Mozilla Thunderbird, to access your emails and Drive files.

What you get is a much-hardened account, meaning one typical route to compromise is blocked: account reactivation. Google says: “If you ever lose access to your account and both of your security keys, these added verification requirements will take a few days to restore access to your account.” Again, a pain in the rectum, but a worthwhile one if you take your security seriously. Another pain is being signed out of your account and everything connected to it and having to sign in again on all devices using the keys. Again, worth the short-term hassle for the long-term gain. 

Seriously, go and take a look. Decide not if you need to sign up, but if you can afford not to.
