X
CNET logo Why You Can Trust CNET

Our expert, award-winning staff selects the products we cover and rigorously researches and tests our top picks. If you buy through our links, we may get a commission. Reviews ethics statement

Google Advanced Protection Program: How to lock down your account

Google takes aim at "targeted" online attacks. Here's everything you need to know about the new security option -- including whether you should use it.

Rick Broida Senior Editor
Rick Broida is the author of numerous books and thousands of reviews, features and blog posts. He writes CNET's popular Cheapskate blog and co-hosts Protocol 1: A Travelers Podcast (about the TV show Travelers). He lives in Michigan, where he previously owned two escape rooms (chronicled in the ebook "I Was a Middle-Aged Zombie").
Rick Broida
3 min read
google-advanced-protection-program

Google's Advanced Protection Program relies in part on physical security keys -- which you'll need to purchase.

Google

It's natural to be feeling a little nervous about online security these days, what with nonstop reports of new ransomware, password thefts, Equifax breaches and Wi-Fi vulnerabilities (namely KRACK).

There's another security risk, too: targeted attacks. That's when hackers go after the accounts of business leaders, politicians, journalists and other folks in the public eye.

Thankfully, Google just introduced a new system designed to safeguard users against such attacks: the Advanced Protection Program. Let's take a look at the APP: what it does, how to use it and who needs it.

What does the Advanced Protection Program do?

The APP focuses on three key areas. First, it utilizes a physical security key to help protect you against phishing sites. Second, it limits third-party access to your Google emails and files. Third, it blocks fraudulent account access, the idea being to prevent hackers from pretending to be you. It does this by using physics security keys on top of your usual username and password sign-in. 

What's a security key?

yubikey-fido

A USB security key like this one is the cornerstone of Google's Advanced Protection Program.

Yubikey

It's a dongle, either Bluetooth or USB. All you do is plug it in (or connect it) and push a button; that's how you prove to Google that it's you signing into your account. This actually bypasses other methods like phone-based two-step verification.

As part of the enrollment process for APP, you'll need two keys: one Bluetooth (for your phone, tablet and/or PC) and one USB (just for PC). Google recommends the Feitian MultiPass Fido security key (currently sold out at Amazon and unavailable from Feitian proper, so it's an odd choice) and the Yubikey Fido U2F USB security key (currently $17.99 at Amazon).

If you already own two compatible keys, you don't have to buy these.

How does a security key prevent phishing?

Hackers can work around (and capture) two-step verification codes by setting up phishing sites that masquerade as Google sites. With a security key, however, you can't sign into a site that's not legitimate, because the key works only with sites that are known.

How hard is it to use the Advanced Protection Program?

It's not hard to use, but there's definitely a bit of added hassle. The most obvious one: You'll need your physical security key whenever you want to sign into a Google app or site. If you lose the key, it could take a few days to regain access to your account.

What's more, the limited-account-access setting means that you'll have to forgo using certain third-party apps -- specifically those that require access to Gmail and/or Google Drive. iPhone and iPad users in particular, take note: Apple Mail, Contacts and Calendar won't work under the APP; you'll have to switch to Google's equivalent apps.

What's more, if you're an Edge, Firefox or Opera user, you'll no longer be able to use that browser to sign into the various Google services; using the APP means using Chrome, at least for the Google stuff.

Should I use the APP?

The key word in "targeted attacks" is, of course, "targeted." If you're a private citizen, you're less likely to get hacked than the aforementioned "at risk" individuals. Therefore, the APP might be overkill for you. But other than the price of two security keys, there's no cost to using it, and therefore no harm in trying it.

That said, if you're not particularly tech-savvy, I strongly advise hiring a security expert to help you set things up. As noted above, you may encounter obstacles accessing certain essential third-party sites and services -- and if you don't know what you're doing, even something as simple as unenrolling from the APP could prove challenging.

The Advanced Protection Program isn't for me; what other steps can I take to protect my account?

One of your best options is to enable two-step verification, which relies on an authenticator app or SMS text messages to validate your identity. (Even that's not foolproof, though, and in fact CNET recommends the former, as SMS has been shown to be a less-secure option.)

Beyond that, the usual rules apply: Use a different password for every site. Use a password manager to generate and manage your passwords. Use a VPN when connecting to public Wi-Fi networks. To paraphrase the old saying: The price of online security is eternal vigilance.