What was it like enabling Google Advanced Protection?
tl;dr: Boring. It was really boring.
It's the 27th of January, 2018. And yes, I've just signed into Google's Advanced Protection... let's see how this goes.
Fast-forward to now: March.
I think the only hurdle was that apparently I had signed into YouTube on the TV. I don't even really remember doing that. Apart from that, this hasn't changed my usage of my Gmail account (which I effectively live out of) at all. Oh, and the OS X native integration (which apparently I'd turned on to use the native calendar?) also stopped working.
I should probably provide some context. For those that don't know, Advanced Protection is an optional security configuration for your Google account that does a few things. First and foremost, it requires a hardware second factor to sign in: no more SMS or Authenticator-app (i.e. time-based one-time password, TOTP) 2FA logins. The only reason I actually did this is because during the Enigma conference, Google were handing out these rad little kits which included the following:
- Bluetooth, USB (with cable) and NFC dongle
- USB-A, NFC dongle
So after having a chat with the mostly bored Google engineer behind the counter, I grabbed a kit and went on my way. A week or so later, I sat down with my devices and got cracking. Now, your mileage may vary, especially if you have old, or non-Google devices. My setup is fairly conducive to Advanced Protection, namely:
- Google Android Pixel 2 phone
- MacBook Pro (personal and work), running the Chrome browser
- A Samsung Chromebook (the same one from this great blog post on the $169 development Chromebook)
The other key controls that Advanced Protection enables include:
- You can only sign in to Google services, like Gmail, Photos, and Drive, from Chrome OS or the Chrome Browser
- Third party apps that want to access your Gmail or Drive will no longer work
- The iOS Apple Mail, Contacts and Calendar apps do not currently support hardware keys, so they won't work
- Restoring your account if you get locked out can take longer (apparently)
The dongles themselves must adhere to the FIDO Universal Second Factor (U2F) protocol, but apart from that you can choose any, including those from Yubico. The two that came with the Google kit are the Feitian MultiPass FIDO Security Key and the YubiKey NEO (or something very similar).
When Google first released this feature (see their blog post) it was primarily targeted at a small subset of users, particularly those they deemed at higher risk, such as campaign staffers, journalists, CEOs, etc. I definitely don't fit into that demographic, but considering how much I depend on their services, the extra layer has been a great relief without any detrimental impact.
During the conference Google actually presented about the adoption of 2FA, and other facets of their authentication systems. I was somewhat surprised at how low their adoption of 2FA was (less than 10% of active Google accounts use it). So, I expect the number of people using Advanced Protection to be incredibly small. I'm also wondering, of the other people that use it, how many have disabled it again, or whether their experience is similar to mine.
Given some recent research by my good bud @antisnatchor on phishing YubiKeys, would I still recommend this? Sure, why not.
So, want to check it out? Buy yourself some keys and head over to https://landing.google.com/advancedprotection/.