Google Improves Account Security With “Advanced Protection”

Megalith

24-bit/48kHz
Staff member
Joined
Aug 20, 2006
Messages
13,000
Google is announcing Advanced Protection, which requires the use of Security Keys to sign into your account. Security Keys are small USB or wireless devices and have long been considered the most secure version of 2-Step Verification, and the best protection against phishing. They use public-key cryptography and digital signatures to prove to Google that it’s really you. An attacker who doesn’t have your Security Key is automatically blocked, even if they have your password.

Anyone with a personal Google Account can enroll in Advanced Protection. Today, you’ll need Chrome to sign up for Advanced Protection because it supports the U2F standard for Security Keys. We expect other browsers to incorporate this soon. For now, Advanced Protection is only available for consumer Google Accounts. To provide comparable protections on G Suite Accounts, G Suite admins can look into Security Key Enforcement and OAuth apps whitelisting.
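
The signature check the announcement above describes, as an added example that is not part of the original post and is not Google's code: a simplified U2F-style challenge-response in Node.js, showing why a password alone, a look-alike site or a replayed response all fail. The origins, message layout and function names are assumptions made for illustration.

```javascript
// Added illustration: simplified U2F-style login check (not the real wire format).
const crypto = require('node:crypto');

const REAL_ORIGIN = 'https://accounts.example';       // constructed relying party
const PHISH_ORIGIN = 'https://accounts-example.test'; // constructed look-alike site

// Security Key: creates a key pair at registration; the private key never leaves it.
function registerKey() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  // The browser supplies the origin it is really on; the page cannot override it.
  const sign = (browserOrigin, challenge) => {
    const clientData = JSON.stringify({ origin: browserOrigin, challenge });
    const signature = crypto.sign('sha256', Buffer.from(clientData), privateKey);
    return { clientData, signature };
  };
  return { publicKey, sign }; // the server stores only publicKey
}

// Server: a fresh random challenge for every login attempt.
function newChallenge() {
  return crypto.randomBytes(32).toString('hex');
}

// Server: accept only a valid signature over its own challenge and its own origin.
function verifyAssertion(publicKey, expectedChallenge, { clientData, signature }) {
  const signed = Buffer.from(clientData);
  if (!crypto.verify('sha256', signed, publicKey, signature)) return 'bad-signature';
  const { origin, challenge } = JSON.parse(clientData);
  if (challenge !== expectedChallenge) return 'stale-or-wrong-challenge';
  if (origin !== REAL_ORIGIN) return 'wrong-origin';
  return 'ok';
}

function demo() {
  const key = registerKey();      // the key enrolled on the account
  const otherKey = registerKey(); // any key that is not enrolled on the account
  const c1 = newChallenge();
  const genuine = verifyAssertion(key.publicKey, c1, key.sign(REAL_ORIGIN, c1));
  // Look-alike site relays the real challenge, but the browser reports its origin.
  const c2 = newChallenge();
  const relayed = verifyAssertion(key.publicKey, c2, key.sign(PHISH_ORIGIN, c2));
  // Password known, enrolled key not held: the signature does not verify.
  const c3 = newChallenge();
  const noKey = verifyAssertion(key.publicKey, c3, otherKey.sign(REAL_ORIGIN, c3));
  // An earlier valid response replayed against a new challenge.
  const replay = verifyAssertion(key.publicKey, newChallenge(), key.sign(REAL_ORIGIN, c1));
  return { genuine, relayed, noKey, replay };
}
```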
 
Announcing? They've supported this forever. I set up a Yubikey as a 2nd factor with Google in 2016. Works great.
 
can we get super advanced protection for the advanced protection?
 
 
can we get super advanced protection for the advanced protection?

It depends; for everything you add for security, the more options are available to hack it ;)

Is the USB option close to the physical version of PGP?
 
I use the VIP Access app from Symantec as my key, which is pretty convenient since I have the code ready when I log in. If I had to wait for a text every time, there's no way I'm doing it.
 
The issue currently with default password recovery is that it relies on SMS/call or email as a 1-factor password recovery for one-time token generation (both of which can be compromised, especially the SMS option, as it can be extremely easy to redirect SMS due to the SS7 hack, and the email token could technically be intercepted). If you want to change your password but don't know it, but still have access to the account via phone, the Yes/no feature still works as proof you own the account.

Yes, I can delete the email and number from the recovery, but then it becomes nearly impossible to recover the account if you don't know what questions to answer to make them believe you are the owner, the below options

Google needs 2 more options for recovery: one being a static account recovery code (like MS, but make it more resistant to being reset by a hijacker, say a 30-day reset delay) and a 4th option being a Yubikey USB-type token option (again, you should not be able to remove/replace it for 30 days once requested).

For normal use the Yes/no and Authenticator work well (the only issue at the moment is you can't use Security Key and Google prompt at the same time).
 