Google Login Security for High-Risk Users

Google has a new login service for high-risk users. It's good, but unforgiving.

Logging in from a desktop will require a special USB key, while accessing your data from a mobile device will similarly require a Bluetooth dongle. All non-Google services and apps will be exiled from reaching into your Gmail or Google Drive. Google's malware scanners will use a more intensive process to quarantine and analyze incoming documents. And if you forget your password, or lose your hardware login keys, you'll have to jump through more hoops than ever to regain access, the better to foil any intruders who would abuse that process to circumvent all of Google's other safeguards.

It's called Advanced Protection.

Posted on October 30, 2017 at 12:23 PM • 42 Comments

Comments

Paul • October 30, 2017 1:17 PM

Great - all that the rest of us need now is a similar app which stops all the Google services and apps from reaching into everything else in our lives!

Chris Syntichakis • October 30, 2017 1:20 PM

Plus: access to Google services while on this 'protection' is possible using Chrome

Argh • October 30, 2017 1:42 PM

Why, oh why, in this day and age, do throwaway social media services have orders of magnitude better protection against unauthorized use than do my bank or retirement accounts?

If I see one more financial service that caps password length at 16 characters and offers not even rudimentary 2FA, I'm going to scream.

Chris • October 30, 2017 2:31 PM

I checked out the link while signed into gmail. Instantly received an email about how to sign up for the feature. Requires purchase of a bluetooth and USB key with links to recommended ones on Amazon. I expect the named companies will see a nice boost in sales.

de La Boetie • October 30, 2017 3:55 PM

Not sure this is that new, it's more an incremental improvement on the Fido U2F keys that have been in use on Google accounts for several years now, plus the Bluetooth for mobile and increased back-end protection.

It's a good idea, but I do not agree that it should only be of interest to "high-risk" users. Anything that encourages the adoption of non-biometric 2FA is good, and U2F is one of the better prospects for privacy respecting 2FA. If this increases its adoption, good.

Argh • October 30, 2017 4:10 PM

Speaking of which: one bank finally dips a toe in hardware 2FA, and wouldn't you know it, it's biometric and proprietary. One step forward, two back.

They do get props for maximum density of "®" and (TM) in one paragraph, though.

http://newsroom.bankofamerica.com/press-releases/consumer-banking/bank-america-expands-its-use-biometrics-intel-hardware-based-securit

"The new solution combines Intel® Online Connect and Intel® Software Guard Extensions (Intel® SGX) technology, available on 7th and 8th Generation Intel® Core™ processors, with Bank of America's authentication ecosystem to provide an effortless experience that improves security over passwords."

jdgalt • October 30, 2017 9:17 PM

I can't help thinking that any non-far-left person who uses this service risks losing all access to his data as soon as Google gets around to discriminating in all its services as it is now doing on Youtube.

We need lots of competition with every service Google and the other giants provide. And in the meantime we'd better resist any further mergers in the industry.

65535 • October 30, 2017 11:33 PM

I don't understand the exact details of how this two-factor logon works.

1] Does Google two factor authentication require a costly and proprietary USB key with a button?

2] Will your identity be tracked by business or banking transactions records?

3] Can a self-made USB key be used assuming one knows the correct FIDO coding?

The cost part is a concern for two reasons. One, it is another expense and could require repurchase of USB keys when the original is worn out. Second, if credit cards are used to buy said key or dongle then your credit score along with your banking data could become involved. You could blow up your OPSEC.

Robert.Walter • October 30, 2017 11:37 PM

Google needs to do one or the other, or both:

1. allow unlimited aliases to enter a common inbox without using a +xyz suffix before the @ symbol.

2. begin an outreach program to convince online entities to allow the use of a +xyz suffix.

Clipper • October 31, 2017 12:04 AM

@Argh

All those Intel "features" will eventually be used to identify you on the internet, and Intel being a virtual monopoly there will be no "opt-out".

I really hope some alternative CPU manufacturer will rise over this with a privacy-respecting design, even if the product capabilities are a couple generations behind Intel the privacy gain will be worth it.

@jdgalt
Google will gradually become more and more restricting, right now here in the West we see with horror what the situation in China is with broad censoring of all internet services, but this will reach the West through Google. Their DOS against some sites lately was only the beginning.

And it's all happening because more and more people use Google services blindly without bothering for an alternative and then they get trapped inside Google ecospace. That's how a digital dictatorship starts.

Clive Robinson • October 31, 2017 5:57 AM

@Clipper, jdgalt,

Google will gradually become more and more restricting, right now here in the West we see with horror what the situation in China is...

It will be worse than it is in China. The Chinese knew what their Government was up to long before the Internet became available to them. So in the majority they practiced caution from the get go.

In the West however many made the mistake of believing some starry-eyed optimists who claimed that the Internet would route its way around censorship. Thus the majority in the West will be lacking the caution they will need.

But if you think about the claims of interference with the West's elections via the likes of Facebook, Google and similar, you can hear faux arguments to insist that free speech be curtailed online. Then you hear the likes of Peter Thiel's Palantir and similar like Cambridge Analytica claiming to have won various elections, and you have to start thinking who has most to gain and what is actually factual and what is counterfactual. Any governmental control of "social networking" will be for the purposes of propaganda, no ifs, buts or maybes.

The West has little or no freedom of the press as it's mostly owned by the likes of Rupert "the barefaced liar" Murdoch and their families. It can easily be seen that as life becomes more "online" a battle of wills between the old Media Barons and the new Internet Barons will kick off. Basically the prize they seek is "influence" as would be "King Makers" for the West's Politicals.

The old Media Barons have in comparison little ambition compared to the new Internet Barons who basically want full spectrum dominance not just in news, marketing and big data but also in manipulating opinion not just in politics but the general citizen as well.

As is used by terrorist organisations to create "disposable DNA" the key is "isolation" of those they seek to influence from "off message information". And it is precisely this "isolationist" policy the new Internet Barons and the likes of the CIA and other parts of the MIC and certain other US agencies rely on to carry out their very undemocratic behaviour. This makes for a very unpleasant hegemony forming as their interests broadly interlock.

It's something very Orwellian that we have seen develop over the years. The likes of the CIA creating unrest and instability in other parts of the world, using propaganda to create new "scary monsters" then sending in the troops to supposedly "restore the peace" out of the chaos they created. The result is the US and some of its Western allies bomb countries back into the stone age. In part to stop them gaining independence and in part as a warning to all other nations not to worship at any other altar than that of "Uncle Sam" and thus pay the tithes and tribute demanded by the 1% of the 1% of the 1% to own not just all the assets in the US but as many as possible elsewhere so rents can be sought and payment enforced by legislation and thus the guard labour.

Such behaviour turns the idea of "Policing by Consent" on its head just as much as it has turned the idea of "Military Defence" on its head to be "Pretexted Offence".

Whilst as I noted a few days ago the US is not behaving as a "Rational Actor" except for the MIC profiteers. However some countries the US most vilify and certainly have on their "hit list" are behaving like "Rational Actors". By arming themselves against US belligerence as promulgated via propaganda as carried by the old Media Barons and more recently the new Internet Barons...

Winter • October 31, 2017 7:20 AM

@Clive
"In the West however many made the mistake of believing some starry-eyed optimists who claimed that the Internet would route its way around censorship."

Censorship and surveillance are not questions of technology, but of policy.

The situation in China and Russia is bad, not because of the internet, but because these countries always have had a dictatorship with strongly enforced censorship. The "West" is not free because of technological hurdles in implementing censorship and surveillance, but because the political will was to keep their freedom.

That the situation has deteriorated in, e.g., the US and UK (among many others), is not caused by the internet, but by internal divisions and power struggles over the spoils of the economy. To have all economic growth end up in the pockets of the (super) wealthy, as has happened for the last 3 decades in the US (and 2 decades in Russia), some kind of force against the rest of the population is needed to keep them from claiming their slice of the pie.

Personally, I see the growth of these surveillance states and censorship as a process intended to support and protect the growing economic inequality. I would seek the solution not in any technological measures, but in political actions.

me • October 31, 2017 7:37 AM

wired: "Locks Down Accounts Like Never Before"
me: not actually... and... from whom? Google reads all your mails!

I've been using Posteo for a few years now and they offer 2FA, with a Yubikey or any hardware/software token if you want.
Mails are encrypted, also with PGP as soon as they arrive if you want, and if you enable it they also don't send emails if they can't establish a TLS (secure) connection.
They don't read all your mails (while Google does), and if you enable 2FA with a Yubikey instead of a mobile phone there is no way to access your account.

A nice feature is that 2FA is on only for webmail but not for POP3/IMAP (which are disabled by default).
So I can still use Thunderbird (after enabling IMAP manually) and also enjoy 2FA with the Yubikey.

@Clipper I think yes.

@65535
1] If you don't use a mobile phone, I think yes (which IMHO is worse than not having 2FA).

2] Depends on how it is implemented; a Yubikey can make time-based one-time passwords that are unique for each service, and also if you use U2F there is no way to track you (read their specifications).

3] I think yes; such programs exist for time-based one-time passwords and I think it can also be done with FIDO U2F.

Bill • October 31, 2017 7:58 AM

The feature isn't exactly "unforgiving", it is appropriately strict. This feature is not for everyone, and many will have no need for this layer of extra security.

For those that do need it, it's a life-saver. Sometimes, saving actual lives.

Pete • October 31, 2017 8:05 AM

You have to purchase the keys from Google? That's a non-starter. It is bad enough they demand that a phone be connected to accounts to use u2f.

I contacted github about their mandate for a cell phone connected to an account before u2f keys could be used. Nothing changed. Deaf people aren't allowed to use u2f?

wumpus • October 31, 2017 8:53 AM

@Argh "Why, oh why, in this day and age, do throwaway social media services have orders of magnitude better protection against unauthorized use than do my bank or retirement accounts?"

To be honest, much of youtube's content is produced by individual users as their "day job" (although between reduced google payments and arbitrary banning, it looks like they are confident in their monopoly and are acting accordingly), who could lose their livelihood with a single hack.

And while the youtuber should realize the danger and subscribe to the service, how many people have been fired or otherwise had their lives upended by stupid social media comments? One possible strategy against hacking is to simply apply for such a stupid social media account, lock it down with the best security available, and then simply never access the accounts again and lock up the yubikey.

Google might be overestimating their key customers. But banks have had strong internal security that has developed to counter whatever has developed over centuries. They've *never* needed to supply the same to customers and they know it.

CallMeLateForSupper • October 31, 2017 9:56 AM

@Clipper
"Speaking about Google 2FA, isn't that what a Yubikey is about?"
@Larry

Google's original 2FA is the well-known procedure wherein Google sends you the 2nd factor via SMS. (Which is worthless to folks who don't "do" fartphone. Besides, sending 2nd factor *in*the*clear* AND via SMS is ... well, insecure riding on insecure.)

Google's "Advanced Protection" is 2FA too, except the 2nd factor is, essentially, a Yubikey.

Hmm • October 31, 2017 11:19 AM

"I can't help thinking that any non-far-left person who uses this service risks losing all access to his data as soon as Google gets around to discriminating in all its services as it is now doing on Youtube"

Bruce doesn't like political whining, but maybe this is just too insane to be political?

hmm • October 31, 2017 11:25 AM

Don't like Google? Don't use Google. Simple solution.

Don't like anything that detracts from your bullsh*t counter-narrative bubble?

Then don't watch the news for the next 2 years or so, read a book, take a sabbatical.

If you think Google is censoring you, leave it alone dummy. The solution is simple.

It's not the world that's gone crazy, it's you. Google is a website, making $.

Nobody said you had to use it. Nobody.

de La Boetie • October 31, 2017 2:00 PM

To clear up a few misunderstandings above:

Fido U2F usb dongles can be had for around $18 each or less - there are a few vendors providing them.

Yubikeys with only U2F functionality are $18, but Yubico also do ones which include OTP (with app-level TOTP), HMAC SHA-1 hashing against a secret, static passwords and smartcard/OpenPGP functionality - at $40-50.

The Google PC/browser approach requires just the U2F usb dongle (on Chrome), whereas the bluetooth one is for the mobile phone.

With one of the more functional Yubikeys, you can therefore login to any U2F enabled services, as well as have 2FA on Windows or Linux login, and 2FA on LastPass and Password Safe for example. Not bad for a passive small device, and hugely better than smartphone/SMS/biometric authentication.

It's my view that those latter ones are going to be used to pin financial liability onto mugs who sign up with them with their financial institutions.

rogerL • October 31, 2017 8:12 PM

Bill:
> The feature isn't exactly "unforgiving", it is appropriately strict. This feature is not for everyone, and many will have no need for this layer of extra security.

You say "this layer", but the problem I have is that I'd have to enable multiple layers as an all-or-nothing deal. I'd love to enable something like this, but losing access via third-party apps (IMAP) makes it useless.

I want two-factor authentication, via some open standard and in a way that allows recovery (eg. paper-based backup in a safe deposit box, or split into several via secret-sharing). I want to disable password resets via unencrypted email or easily-guessable questions, because those things are always a bad idea for things you care about. Extra malware scanning is a decent feature on its own. How about Kerberos tickets for IMAP? Maybe per-key folder-based access restrictions? It would be cool to set up some filtering rules, maybe make my electric bill visible on all devices but not my personal correspondence.

What's "appropriate" is a question for the user, not the provider, so there needs to be more flexibility.
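rogerL's wish list above includes a recovery path where the backup is "split into several via secret-sharing". As an added example, not part of the post or of any commenter's or vendor's code, here is a minimal Shamir secret-sharing implementation in Python that splits a recovery secret into paper shares with a 3-of-5 threshold and reconstructs it from any three. The field prime, the "index-hex" share format and the sample secret are choices made here for illustration and are not anything Google or Posteo use.

```python
"""Shamir secret sharing for a paper-backed recovery secret (added example, not from the post)."""
import secrets

# Arithmetic is done in the prime field GF(2**521 - 1); a secret of up to 64 bytes fits.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial sum(coeffs[i] * x**i) at x, modulo PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, shares: int, threshold: int):
    """Return `shares` points (x, y); any `threshold` of them reconstruct `secret`."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    if len(secret) > 64:
        raise ValueError("secret larger than the field allows")
    # The constant term is the secret; the remaining coefficients are uniformly random.
    coeffs = [int.from_bytes(secret, "big")]
    coeffs += [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def combine_shares(points, secret_len: int) -> bytes:
    """Lagrange-interpolate at x = 0 to recover the constant term, i.e. the secret."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    if total >= 256 ** secret_len:
        # Too few (or mismatched) shares interpolate to a random field element, not the secret.
        raise ValueError("shares do not reconstruct a secret of this length")
    return total.to_bytes(secret_len, "big")


def share_to_text(point) -> str:
    """Encode one share as 'index-hex' so it can be printed and stored on paper."""
    x, y = point
    return f"{x}-{y:x}"


def text_to_share(text: str):
    """Parse a share back from its printed 'index-hex' form."""
    x, y = text.split("-", 1)
    return int(x), int(y, 16)


# Constructed sample: a random 32-byte recovery secret split 3-of-5.
SAMPLE_SECRET = secrets.token_bytes(32)


def demo() -> bool:
    """Split, 'print' the shares, recover from three of them, and check the round trip."""
    paper = [share_to_text(p) for p in split_secret(SAMPLE_SECRET, shares=5, threshold=3)]
    chosen = [text_to_share(t) for t in (paper[0], paper[2], paper[4])]
    return combine_shares(chosen, len(SAMPLE_SECRET)) == SAMPLE_SECRET
```

Each printed share on its own reveals nothing about the secret, so the shares can live in different places (a safe deposit box, a trusted person, a home safe) and any three recover the account; losing two of them is tolerable.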

65535 • October 31, 2017 10:21 PM

@ me

"1] if you don't use a mobile phone i think yes (which imho is worse than not having 2fa)"

I see. And, I agree it is worse than not having 2FA.

Mobile phones blow your OPSEC if they are connected to any banking information [Long distance carriers tend to check credit scores before allowing customers to make expensive calls and so on]. Google could possibly know your credit score, gender, age, address, SSI number and so on. You could buy a debit card and a burner phone but that gets fairly complex after a while.

"2] depends from how it is implemented, yubikey can make time based one time password that are unique for each service, and also if you use u2f there is no way to track you (read their specifications)"

Hum, exactly how do you use yubikey and Google 2FA together?

"3] i think yes, such programs exists for time based one time passwords and i think it can be made also with fido u2f"

Are there any examples I could try?

[original q's]

1] Does Google two factor authentication require a costly and proprietary USB key with a button?

2] Will your identity be tracked by business or banking transactions records?

3] Can a self-made USB key be used assuming one knows the correct FIDO coding?

https://www.schneier.com/blog/archives/2017/10/google_log-in_s.html#c6763328

@ Clive Robinson

"It will be worse than it is in China. The Chinese knew what their Government was up to long before the Internet became available to them..."

That is a sad but true statement.

If you talk to any PRC individuals for any length of time they are cautious of saying anything against the state over the tele. They know it could cause trouble - such as being used for donor organs as an extreme example.

By contrast the west and its citizens are used to speaking their mind regardless of the position of the government. Most free western individuals never knew the extent of state surveillance until the NSA's documents were widely read and digested. For adults in the west it is a jarring lesson to learn that the government is monitoring mass amounts of communications daily. And, some western individuals will never understand it.

In some respects growing up in China or Russia was a better education than the "democracies" in regards to becoming a target of the surveillance state. They know when to be silent or use code words and so on when on common communications systems and avoid getting on government black lists. Things have to change.

David Henderson • November 1, 2017 2:27 AM

The fido USB devices look to be very practical. I have ordered a couple with NFC (near field communications) capability. The advantage of NFC is that it allows the same passwordsafe for PCs through the USB connection as well as the Android via NFC. Android/K9mail is supposed to work well with gnupg; I will find out if it plays well with the fido fob.

The fido device makes Android/gnupg practical using keys generated by the PC. I don't trust the Android stack to keep any secrets.

I got the cheapo version with 2048 RSA keylength restriction. Full length 4096 bit keylength devices are available, but this is just an experiment. $16 is pretty cheap for the one I ordered.

The relevance: google is supposed to support fido devices for email signon.

Matt from CT • November 1, 2017 12:39 PM

>So in the majority they practiced caution from the get go.

Had a friend who taught English in China; a major reason why many Chinese seem "rude" by American standards is many generations learning to speak unambiguously, lest their words be construed against them.

Witness how many people now get crucified online for any form of nuance, or even using real words.

A Connecticut state senator recently had to apologize for saying the word nigger in a talk about her previous work in removing books with racial epithets from elementary school libraries. We are becoming a society even Orwell could not imagine in its thoughtless approach to language.

China it seems, however, thought a lot about it and tries to keep everything they say simple and to the point.

Mike • November 1, 2017 5:37 PM

@de La Boetie - Although Password Safe supports two-factor authentication (2FA) using Yubikey OTP / OATH-HOTP, it does not support the new U2F protocol, unfortunately.

Mike • November 1, 2017 5:42 PM

@David Henderson - There are USB to micro-USB dongles available. I wonder if - using it - one could use the non-NFC version of Yubikey U2F on an Android device. Yes, it would mean carrying around a dongle. But to me, NFC is just another vector for attack. Also, there are smartphones - the lower end models - that do not have NFC.

Mike • November 1, 2017 5:52 PM

@65535 -

1] Does Google two factor authentication require a costly and proprietary USB key with a button?

A. Short answer, no it does not. U2F is a relatively new protocol that is being used by major players such as Google, Facebook, Dropbox, and many others (which is great, because it therefore has a fighting chance at wide adoption). As an open protocol, it is, by definition, non-proprietary. Anyone can manufacture a key that abides by this protocol. Keys are NOT costly - Yubikey makes one you can get for about 18 bucks (the blue one), and there are other cheaper manufacturers.

2] Will your identity be tracked by business or banking transactions records?

A. Short answer - the question has nothing to do, one way or the other, with what U2F does. I suppose that corporate big brother could track that you bought a security key and are using it. For me, on the list of things to worry about, this would be way down the list.

3] Can a self-made USB key be used assuming one knows the correct FIDO coding?

A. In theory, I suppose one could manufacture a USB security key using the U2F protocol. But doing so would in no way compromise the security of the protocol.

B. D. Johnson • November 2, 2017 12:15 AM

For those asking, none of these are really new options for Google's account security. The only new bits are offering it under one umbrella and the enhanced account recovery scrutiny.

Hardware-based 2FA has been an option for Google for years and unless there's something completely different under the hood, you don't actually need two separate hardware dongles. Yubikey, for example, makes a combined key that can be used for both USB and NFC for both desktop/laptop and mobile. If you get an adapter, you can also use the USB key on an Android cell phone since Android has, basically, a full standard USB stack.

I'm guessing that they're recommending a Bluetooth device over NFC simply because iOS doesn't like to play nice with NFC.

You could replicate the same security by getting one of those hardware keys and never allowing any third-party apps to access your account. This system is just a one-stop shop for high-priority accounts that have to stay secure for less-tech-savvy people.

de La Boetie • November 2, 2017 6:13 AM

@mike - Password Safe uses the HMAC exchange rather than OTP (which is a good thing in that it doesn't need to be online).

It's distressing that U2F has such a glacial growth in the market when/because it has per-site credentials (and is therefore relatively privacy friendly). Perhaps this initiative will give it a bit of a nudge.
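de La Boetie's two comments (the Oct 31 one on the "HMAC SHA-1 hashing against a secret" slot, and this one on Password Safe using the HMAC exchange rather than OTP so it needs no network) describe a challenge-response flow. The following added example, which is not code from the post, from Password Safe or from Yubico, models that flow in Python: a stand-in token object holding a slot secret, a challenge computed locally from the passphrase and a salt stored with the database, and the token's response folded into the database key. The salt, slot secrets, challenge construction and PBKDF2 parameters are constructed for illustration and are not Password Safe's actual on-disk format.

```python
"""Offline HMAC-SHA1 challenge-response for a password-database key (added example)."""
import hashlib
import hmac
from typing import Optional


class HmacSha1Token:
    """Constructed stand-in for a hardware token's HMAC-SHA1 challenge-response slot.
    The slot secret is written once at setup and never leaves the device."""

    def __init__(self, slot_secret: bytes):
        self._secret = slot_secret

    def respond(self, challenge: bytes) -> bytes:
        if not 1 <= len(challenge) <= 64:
            raise ValueError("challenge must be 1..64 bytes")  # typical slot limit (assumption)
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def derive_database_key(passphrase: str, salt: bytes, token: Optional[HmacSha1Token]) -> bytes:
    """Derive the encryption key from the passphrase and, if present, the token's response.

    Nothing here needs a clock or a network: the challenge is computed locally from the
    passphrase and a salt kept in the database header, so the exchange works fully offline.
    """
    challenge = hashlib.sha256(salt + passphrase.encode("utf-8")).digest()
    response = token.respond(challenge) if token is not None else b""
    # Key stretching over passphrase || response; without the right token the input differs,
    # so the derived key differs and the database cannot be decrypted.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8") + response, salt, 100_000, 32)


# Constructed sample values.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
GOOD_TOKEN = HmacSha1Token(bytes(range(20)))
OTHER_TOKEN = HmacSha1Token(bytes(range(20, 40)))


def keys_differ_without_token() -> bool:
    """Same passphrase: the right token reproduces the key; no token or another token does not."""
    with_token = derive_database_key("correct horse", SALT, GOOD_TOKEN)
    again = derive_database_key("correct horse", SALT, GOOD_TOKEN)
    no_token = derive_database_key("correct horse", SALT, None)
    wrong_token = derive_database_key("correct horse", SALT, OTHER_TOKEN)
    return with_token == again and with_token not in (no_token, wrong_token)
```

The practical consequence is the one de La Boetie points at: because the challenge never changes for a given passphrase and salt, the same token gives the same key every time, with no server, no time sync and no counter to drift, and a backup token can be programmed with the same slot secret at setup time.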

me • November 2, 2017 8:15 AM

@65535
2] Hum, exactly how do you use yubikey and Google 2FA together?
I don't use Google at all (DuckDuckGo + Posteo), but what I wanted to say is that TOTP (time-based one-time password) is generated from the time and a shared secret.
The secret is different for each provider and must be stored in the key/program (limited space). Google can't track you because it can't know the secret, so if you are using one Yubikey (or program) to log in to multiple different websites that Google tracks, Google can't tell that you are the same person/using the same Yubikey *from the TOTP*.
The same applies to U2F (public key on the provider, so unlimited space): Google can't track you.

3] Here is a list of programs (for TOTP 2FA, not U2F):
https://posteo.de/en/help/what-is-two-factor-authentication-and-how-do-i-set-it-up#requirements

Here are some details about the U2F protocol:
https://developers.yubico.com/U2F/Protocol_details/Overview.html

ps i
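The comment above explains why a TOTP code or a U2F credential cannot be used to link you across providers: the TOTP secret and the U2F key pair are different for every site, and de La Boetie and Mike make the same point about per-site credentials and the protocol being open. The added example below, not code from the post, Posteo or Yubico, implements RFC 4226 HOTP and RFC 6238 TOTP in Python (checked against the RFC test vector) and a simplified model of the per-origin key-handle derivation described in the Yubico U2F documentation linked above, where the key handle carries a nonce plus a MAC that ties it to the app_id. The model only derives keys and skips the ECDSA signature a real device produces; the master secret, nonces and origins are constructed values.

```python
"""TOTP per-provider secrets and U2F-style per-origin key handles (added example)."""
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / step).

    The code depends only on the secret and the clock, so a provider holding secret A
    learns nothing about codes produced for a provider holding secret B.
    """
    return hotp(secret, unix_time // step, digits)


class U2fDevice:
    """Simplified model of the per-origin key derivation Yubico documents for its U2F keys
    (assumption: a model for illustration, not vendor code; signing is left out)."""

    def __init__(self, master_secret: bytes):
        self._master = master_secret  # generated on the device, never exported
        self.counter = 0              # usage counter a real device signs into every assertion

    def register(self, app_id: str, nonce: bytes) -> bytes:
        """Derive a per-origin private key and return the key handle the site stores."""
        priv = hmac.new(self._master, app_id.encode() + nonce, hashlib.sha256).digest()
        tag = hmac.new(self._master, app_id.encode() + priv, hashlib.sha256).digest()
        return nonce + tag  # key handle = nonce || tag; it contains no usable key material

    def private_key_for(self, app_id: str, key_handle: bytes) -> Optional[bytes]:
        """Re-derive the key only if this handle was issued by this device for this app_id."""
        nonce, tag = key_handle[:16], key_handle[16:]
        priv = hmac.new(self._master, app_id.encode() + nonce, hashlib.sha256).digest()
        expected = hmac.new(self._master, app_id.encode() + priv, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # wrong origin or wrong device: the device refuses to answer
        self.counter += 1
        return priv


def origin_binding_demo() -> dict:
    """Register with two constructed origins and check the properties the comment describes."""
    device = U2fDevice(master_secret=b"constructed-master-secret-32bytes")
    nonce_a, nonce_b = bytes(range(16)), bytes(range(16, 32))
    handle_a = device.register("https://accounts.google.com", nonce_a)
    handle_b = device.register("https://www.dropbox.com", nonce_b)
    key_a = device.private_key_for("https://accounts.google.com", handle_a)
    key_b = device.private_key_for("https://www.dropbox.com", handle_b)
    return {
        "site_accepts_own_handle": key_a is not None,
        "other_origin_rejected": device.private_key_for("https://login.evil.example", handle_a) is None,
        "keys_independent": key_a != key_b,
        "handle_reveals_no_key": key_a not in handle_a,
    }
```

Two things follow from the structure. The TOTP code for the RFC test secret at time 59 is 287082 regardless of who asks, so a tracker would need the secret itself, which never leaves the token and the one provider it was shared with. For U2F, the handle stored by each site is only meaningful to the issuing device for that exact app_id, which is both why sites cannot correlate a user across handles and why a lookalike origin presenting a stolen handle gets nothing back.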

TRX • November 2, 2017 11:34 PM

If I had anything that needed to be that secure, I wouldn't be putting it on Google's servers...

Ernie • November 3, 2017 9:31 AM

Isn't info safer in G than other services? Yes not safe from G bots but safe from external attack?

nanashi • November 5, 2017 1:03 AM

@TRX
Security and privacy are different. It is absolutely true that Google provides some of the most secure services. They're the only email provider I know of which actually digitally signs all outgoing mail (that's one of the ways the most incriminating Clinton emails were verified). They're the only ones who have consistently used strong crypto, pushing better algorithms like ChaCha20 and even experimenting with post-quantum crypto for their services. They support great 2FA, and now "Advanced Protection", too.

Yes, they do read your emails. Yes, they will give it out to certain people when given a solid enough court order. If you are deciding whether or not to save some sensitive assets on Google services, you have to have a good idea of your own threat model. Who is your adversary? What are their resources? How sensitive is your data and how much will it damage you if it is compromised (in terms of Confidentiality, Integrity, and/or Availability)? All that is necessary to decide whether or not storing it on a Google service is a good idea. For some people it is a great idea. For others, they're handing their data to their adversary.

Is your adversary Google themselves, advertisement companies, or certain US-aligned governments with an effective track record for weaseling information out of companies? Then don't use Google! Is your adversary a "hacker" or group of hackers, an opportunistic information thief, a rival company, or a tech-savvy employer? Then you can and should trust your data to Google!

65535 • November 6, 2017 2:05 AM

@ Mike

"As an open protocol, it is, by definition, non-proprietary. Anyone can manufacture a key that abides by this protocol. Keys are NOT costly - Yubikey makes one you can get for about 18 bucks (the blue one), and there are other cheaper manufacturers."

That is a fair price... to some. I just bought a 32GB usb stick from Walmart for 5.00 dollars - blow out sale because it was USB2.0 not USB3.0. I was hoping to use it.

Will your identity be tracked by business or banking transactions records [short or long run]?

"I suppose that corporate big brother could track that you bought a security key and are using it."

Hum, I don't know if I like that. OPSEC is the easiest to blow but the hardest to repair.

"In theory, I suppose one could manufacture a USB security key using the U2F protocol. But doing so would in no way compromise the security of the protocol."
Good. That is what I want to do with the 5 dollar USB stick.

@ B. D. Johnson

"You could replicate the same security by getting one of those hardware keys and never allowing any third-party apps to access your account."

Good. That is what I am looking for. Is there a blog with step by step instructions for said HW key? I would be willing to give it a go.

@ me

Thanks. Good links.

@ TRX

"If I had anything that needed to be that secure, I wouldn't be putting it on Google's servers..."

I agree. Would this recommendation also apply to high-risk journalists?

@ nanashi

"Yes, they do read your emails. Yes, they will give it out to certain people when given a solid enough court order."

That is a valid statement.

I really wonder if Google will spill your data with their "partners" language in their TOS for the right amount of money.

alex p • November 7, 2017 8:32 AM

I came across this several weeks ago myself. Bought the keys through Amazon.com. One key was shipped directly from China, SMH. My account was quickly secured and I was able to use both keys through either USB, NFC or Bluetooth to authenticate myself on my devices. First thing that happened is my laptop lost Google Drive. That is fine. Would have been nice if the app could use the key but I can still get to it through a browser. If only I could get my bank to use these keys too.

justina colmena • November 9, 2017 10:37 PM

I already use Google Authenticator. I have yet to be informed of the relationship between Alphabet, Inc. and Google LLC, the alleged creator of the "app" under some special-purpose entity intended to shield its parent company from any excess liability.

Somehow the "app" disappeared from my phone in an update, or else I removed it by mistake, but when I reinstalled it, I was still able to "authenticate" with it (as a 2nd factor of 2-factor) no problem.

The trouble with these "apps" — their hair is too short and they are definitely not military-grade. I would enunciate, pronounce the whole word, and call it an "application" if I were serious about it and not just playing around, if you know what I mean.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.