Google’s Advanced Threat Protection Program
A few days ago Google announced a new “Advanced Protection Program” which they advertise as follows:
“The Advanced Protection Program safeguards the personal Google Accounts of those most at risk of targeted attacks—like journalists, business leaders, and political campaign teams.”
While turning on this setting enables features such as limiting 3rd party access to Google applications such as Google Drive and Gmail and blocking fraudulent account access. We are going to focus on the requirement of using a physical Security Key. With Advanced Protection enabled to sign into your account you will be required to enter a password and register two separate physical security keys.
Now physical Security Keys are not new as Google has supported Universal Two Factor Authentication for some time. The two Security Key requirement is so that you have a primary key, and a backup one. Setting this up replaces the SMS OTP and Google Authenticator options.
Why would I use this program?
This program is targeted towards users who don’t mind carrying around a Security Key in order for a higher level of account security. This is particularly useful for users who are at particularly high risk of targeted attacks.
If you lose both of the security keys you registered there is no “forgot password” option to unlock your account and Google claims that the process for account recovery is far more stringent and labor-intensive.
Using your OnlyKey as a Security Key
Google specifies two security keys; Feitian MultiPass FIDO Security Key (bluetooth) and Yubico FIDO U2F Security Key, but these aren’t the only two devices that can be used.
Any U2F device will work including the OnlyKey. Below are the steps to enable the “Advanced Protection Program” using an OnlyKey.
- Plug in your OnlyKey and open the OnlyKey Configuration app.
- Enter your pin to unlock your OnlyKey.
- Choose an available slot to configure
- Enter Label (optional)
- Select U2F radio button
- Click Submit
- Next go to https://landing.google.com/advancedprotection/ and click “Get Started”
- Login to your Google account unless you are already logged in.
- The following screen has 3 steps. We will use our OnlyKey as one of the security keys and you can use any other U2F devices for the second key including another OnlyKey.
- To purchase an OnlyKey Color click HERE
- Click “I HAVE 2 SECURITY KEYS”
- Verify your account by entering your existing credentials.
- To register your OnlyKey click “Add Security Key”
- The windows to register your Security Key will open, click “NEXT”
- Press the button on the OnlyKey that you assigned the U2F function to. This will register your device.
- Enter a name for your Key and click “DONE”
- Repeat process for second Security Key using any U2F device including a second OnlyKey. After two Security Keys are registered click “CONTINUE”.
- Review the changes outline on the page and click “Turn On” to enable “Advanced Protection”. (You may have to validate your credentials one more time and reclick “TURN ON”
- Congratulations you now have Advanced Protection enabled protected by your OnlyKey!