Google launches “strongest security” opt-in program for high-risk users

Google has today launched a free, opt-in program aimed at users who believe their Google accounts (Gmail, Drive, YouTube etc.) are at particularly high risk of targeted online attacks.

The Advanced Protection program currently consists of three main elements: defending Gmail and Google account users against phishing attacks by requiring 2FA via a token generated by a hardware security key; reducing the risk of malicious applications grabbing sensitive data by automatically limiting full access to Gmail and Drive to just Google apps (for now); and reducing the risk of hackers gaining access to a Gmail account via impersonation by adding more steps to the account recovery process.

Safe to say, this is greater security via reduced convenience. It is being billed as most definitely not for everyone, but rather for a small minority of users at “elevated risk” of targeted hacking.

Google cites examples such as political campaign staff working to get their candidate elected or journalists whose job is to handle sensitive information.

Last year the hacking of Democratic campaigner John Podesta’s emails shone a massive spotlight on the risks of sensitive email accounts being hacked, as the contents of the emails were picked over in public and undoubtedly shaped the narrative of the US presidential election campaign. (Earlier this year it was also revealed that hackers had targeted the email accounts of French president Emmanuel Macron’s staffers, with emails leaked on the eve of that poll.)

“We took this unusual step because there is an overlooked minority of our users that are at particularly high risk of targeted online attacks. For example, these might be campaign staffers preparing for an upcoming election, journalists who need to protect the confidentiality of their sources, or people in abusive relationships seeking safety. Sometimes even the most careful and security-minded users are successfully attacked through phishing scams, especially if those phishing scams were individually targeted at the user in question,” Google writes.

Enrolling in the program is open to anyone with a Google account. Currently, though, signing up requires using Google’s Chrome browser because, Google says, it supports the U2F standard for Security Keys. “We expect other browsers to incorporate this soon,” Google adds.

People who want to opt in to reduce the risk of their Gmail being breached will also need to purchase (or own) two compatible hardware security keys.

Google notes it’s been testing the program for a few weeks — with beta testers including Andrew Ford Lyons, a technologist at Internews, an international nonprofit organization that works to support the development of media outlets worldwide.

“Journalists, human rights defenders, environment campaigners and civil society activists working on any number of sensitive issues can quickly find themselves targeted by well-resourced and highly capable adversaries,” said Ford Lyons in a statement. “For those whose work may cause their profile to become more visible, setting this up could be seen as an essential preventative step.”

It’s certainly a welcome step from Google. The only question is what took them so long?

You can sign up for the Advanced Protection program here.