Modernizing Authentication — What It Takes to Transform Secure Access
Google users with personal, non-G Suite accounts, can now enroll in the company's Advanced Protection Program enabling them to add extra layers of security to the data contained in their accounts.
The first line of defense, apart from username and password pairs, is multi-factor authentication. "Advanced Protection requires the use of Security Keys to sign into your account. Security Keys are small USB or wireless devices and have long been considered the most secure version of 2-Step Verification, and the best protection against phishing," explained Dario Salice, Advanced Protection product manager at Google, in blog post.
"They use public-key cryptography and digital signatures to prove to Google that it's really you," Salice continued. "An attacker who doesn't have your Security Key is automatically blocked, even if they have your password."
Once Advanced Protection is enabled, it only allows specific apps to gain full access to Gmail and Drive. It's a move Google claims will help prevent malicious apps from leaking user data. Currently, those specific apps happen to be made by Google, but other integrations are in the works.https://o1.qnsr.com/log/p.gif?;n=203;c=204634421;s=15939;x=7936;f=201702151714490;u=j;z=TIMESTAMP;a=20304455;e=i
Advanced Protection also thwarts account takeover attempts made by attackers posing as users who have been locked out of their accounts. The account recovery process includes additional reviews and users will be asked to furnish more details about an account lockout to block impersonators.
Google Advanced Protection is available now but users must sign up for the service using Chrome, a limitation Google chalks up to its support for the U2F (Universal 2nd Factor) standard. Google expects other browser makers to follow suit, opening the service to more users.
For organizations using G Suite, Google suggests that administrators check out the OAuth apps whitelisting and Security Key Enforcement features for similar protections.
Other ways Google is helping keep users and their data safe during Cybersecurity Awareness Month (October), is with an updated Security Checkup feature that is tailored to each user. Additionally, Google is adding new predictive phishing protection capabilities that help users avoid getting scammed by malicious sites that quickly sprout up before they are detected by the company's Safe Browsing web-scanning technology.
"From our years of experience detecting phishing sites, Safe Browsing's insights can now enable us to make predictions about risks in real time. We're using this knowledge to test new predictive phishing protections in Chrome," said Google product managers Yafit Becher and Emily Schechter, in a separate blog post.
"Soon, when you type your Google account password into a suspected phishing site, we'll add additional protections to ensure your account isn't compromised," protections that will follow users if they later use different browsers, added the Google staffers.