Background
Everything requires an email. Hopefully, you already know about strong passphrases-- if you've ever forgotten a password it's usually pretty easy to reset it right?.. and that's the problem with email. If your email is hacked, all your email is accessible. Think about everything that you get emailed, bank documents, bills, government documents, social profiles, and of course friends and family correspondence.
Email is your digital achilles heel, it's a one-stop-shop to take over your identity. Not only is there a lifetime of data there (all those old emails), but it's really easy to take over any other account you have through a simple password reset, once your email is hacked.
To Hack Or Not To Hack
Hacking a bank is pretty hard and very risky. Hacking an email is much more simple and a lot less risky. Once the email is hacked, it's pretty easy to simply reset passwords for accounts to gain access... no hacking of those accounts is required.
I have 2FA (two-factor authentication on my bank, they still need to hack that!
Well, most people have their cell phones registered to their email. Once your email is hacked, it's pretty trivial to gain access and do a SIM swap (move your phone number to a new phone you don't control) to receive those 2FA text messages. Most of that "secret" info is readily available on the 'dark web' today too... your SSN (socal security number) is probably well known to most of the dark world.
If you use a 2FA app, it's a little more difficult to gain access to accounts, however, if your email gets hacked... life is still quite painful until you get everything straightened out again.
I'm Not New To 2FA (Also WTF Is 2FA⁉️)
WTF IS 2FA! It's authentication using 2 or more methods of authincitation, typically: something you have (physicial security key, text message, authenticator app), something you know (password or passphrase), something you are (finger print, eye scan, voice print)
But I already use 2FA on my email?.. That's great! Google Advanced Protect makes your account even MORE secure in that case. If you're using SMS codes, you're still at risk of a SIM swap hack. If you're using an app, you're in better shape, but if you lose or have your phone stolen, you're at risk.
By using security keys and advanced protect you have much better security, with a lot less risk and only a little hassle.
Hacker Proof - Google Advanced Protection
Quick note: you can use 2FA physical security keys (read below) without using Google Advanced Protection, though there are some great benefits of Advanced Protection.
It's the most secure method of access for your Google Account and Gmail.
In addition to requiring physical security keys, it locks down 3rd party integration (think of it as extreme vetting), as well as makes it much more difficult to regain access to your account. There's not calling Google and removing 2FA because you lost your phone.
If your email is hacked, all your email is accessible. Think about everything that you get emailed, bank documents, bills, government documents, social profiles, and of course friends and family correspondence.
The downside is it can make access more cumbersome and it might break some of the 3rd party services that use Google for authentication "sign in with Google."
Physical Keys Security Keys
YubiKey USB/NFC (top) & USBC (bottom)
It's the digital equivalent to a standard key. It's a physical device that either generates a code (expensive) or something that interfaces with your computer (or phone), via Bluetooth, NFC, or USB. Google doesn't support code generators, however physical keys are fairly inexpensive, and you'll need two (in case one stops working or is lost).
Google makes security keys you can purchase, or you can use a 3rd party such as YubiKey. YubiKey tends to support other sites and devices then Google's keys, so I'd recommend them. There are a few different competing standards... maybe I'll do a deeper dive in the future.
The simplest kind is USB. They'll plug into a USB port on your device.
Bluetooth keys will work wirelessly with Bluetooth. The device you're using needs to support Bluetooth AND the protocol the key uses, just having Bluetooth doesn't guarantee it'll work with your device. A lot of people also tend to think they're less secure than physical keys. Unless you have extreme needs (you likely know this already), they're probably fine if you want to go that route.
NFC is another wireless technology that requires (generally) closer proximity than Bluetooth. It's a little newer and was designed with security in mind. Most 'tap to swipe' credit cards use NFC for example. Some folks also have concerns about these, but again, unless you have a highly unlikely edge case, they're probably just fine for you-- assuming you have compatible devices.
3rd Party Accounts Might Go Away
When you enable Advanced Protection, signing into your account becomes more secure. This can break 3rd party services. If you own a Ruku for example, you might not be able to sign in to the YouTube app on it. I run Windows, macOS, iOS or Android you're probably fine assuming you're up to date. The same goes for Chrome or ChromeOS.
(Recently Google fixed this on iOS, read more here)
I personally haven't noticed much breaking. I primarily use Google services through the web or on my iPhone. For edge cases Ruku for example, I just don't sign in.
Account Recovery Becomes More Difficult
If you lose both your keys or forget your password, regaining access to your account is much more difficult. It'll require "additional verification" and will likely take days.
Wait, Who Is This For?
Google states:
The Advanced Protection Program safeguards the personal Google Accounts of anyone at risk of targeted attacks – like journalists, activists, business leaders, and political campaign teams.
https://landing.google.com/advancedprotection/
So why am I recommending this? Mostly for the phishing protection. You can use physical security keys without enabling Advanced Protection, however, you're still vulnerable to phishing. Someone could trick you into revealing your credentials or persuade Google to give them access pretending to be you. While admittedly, this is less common, phishing is still very difficult to protect against, which is why it'll take days to regain access to your account under Advanced Protection, Google wants to make sure it's actually you and not someone posing as you.
I'd also argue if you're going to use physical security keys, taking the jump into Advanced Protection is a tiny step with a tiny bit of inconvenience with a large payoff.
If you do decide to use YubiKey, they have a great search tool to find supported software. It might go without saying, but hopefully, you're already using a password manager; a physical security key makes an excellent 2FA for that.
Final Thoughts & Opinions
- Don't use SMS "text message" 2FA if possible. It's really easy to get SIM swapped and have your number ported to a new phone. Use a dedicated authenticator app if at all possible
- Use a dedicated security key as the best option, make sure to have two keys as register them both in case you lose one
- At a minimum, any 2FA is going to be better than just password alone
- At a minimum, add 2FA to your email
About the author:
Andrew lives in Portland, OR and has worked in tech for over 15 years. With a foundation in philosophy, political theory, and communications, he is an avid thinker & tinkerer, constantly learning and exploring the world around us.
Originally published on andrewjneumann.com and is best viewed in person. Support | About Andrew | About Site | Feedback| Newsletter
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License © 2019.
Posted from my blog with SteemPress : https://andrewjneumann.com/make-your-google-account-gmail-hacker-proof-google-advanced-protection/