Why won’t the password just go away? The silly pet names, movie titles or sports teams that many people punch in to get into their online accounts are a weak spot that hackers continue to puncture.
Yet passwords remain the primary way we log in to online accounts containing our personal and financial information. Google has a new pragmatic solution: Embrace the password, but lock it down with extra physical security.
The company this month released its Advanced Protection Program, which is meant to make stealing your password pointless. To use it, you’ll need two inexpensive physical keys to log in to your Google account on your computer and smartphone.
This way, even if hackers stole your password in a data breach or successfully phished for it, by tempting you to hand over your credentials on a fake login page, they couldn’t do anything unless they got their hands on the keys as well. And minimizing risk with minimal effort is a boon to anyone who cares about online security.
“I am a big fan of this,” said John Sabin, a former hacker for the National Security Agency. “It’s probably the easiest and most secure multifactor for the masses.”
The physical keys are an evolution of two-factor authentication, an extra security layer to ensure that your password is being entered by you. Google was one of the first companies to start offering two-factor authentication back in 2010, not long after it learned that it had been hacked by state-sponsored Chinese hackers.
After the attack, Google’s security team came up with a motto: “Never again.” The company later rolled out two-factor authentication for Google customers’ Gmail accounts. It involved text messaging a unique code to your phone that you must type in after entering your password in order to log in.
Unfortunately, those text messages can be hijacked. Last month, security researchers at Positive Technologies, a security firm, demonstrated how they could use vulnerabilities in the cellular network to intercept text messages for a set period of time.
The idea of Google’s Advanced Protection Program is to provide people with a physical device that is much harder to steal than a text message. Google is marketing the program as a tool for a tiny set of people who are at high risk of online attacks, like victims of stalking, dissidents inside authoritarian countries or journalists who need to protect their sources.
But why should extra-tough security benefit such a small group? Everyone should be able to enjoy stronger security.
So we tested Google’s Advanced Protection Program and vetted it with security researchers to see if the program could be used by the masses. The verdict: Many people should consider signing up for the security system and buying a pair of keys. But if you are married to some non-Google apps that are not yet compatible with the keys, you should wait and see if the program matures.
Setting Up Advanced Protection
Anyone with a Google account can sign up for the security program on Google’s Advanced Protection webpage. To get started, you will have to buy two physical keys for about $20 each. Google recommends buying one from Feitian and another from Yubico.
The keys, which look like thumb drives and can fit on your key chain, contain digital signatures that prove you are you. To set one up, you plug the key into a computer USB port, tap a button and name it. (The Feitian key wirelessly communicates with your smartphone to authenticate the login.) This process takes a few minutes.
On a computer and a smartphone, you need to log in with the key only once, and Google will remember the devices for future logins. That is more convenient than traditional two-factor authentication, which requires entering a unique code each time you log in.
But there are trade-offs. Google’s Advanced Protection cuts off all third-party access by default, allowing only applications that support its security keys. For the time being, that means only Google’s Gmail mail app, Google’s Backup and Sync app, and Google’s Chrome browser.
On an iPhone, for example, you will have to use Google’s Gmail or Inbox apps for email, and on a computer, you can use only the Chrome browser when signing in with a browser. So if you rely on Apple Mail to gain access to your Gmail on an iPhone, or if you use Microsoft Outlook for getting into Gmail on a PC, you’re out of luck. Google says its goal is to eventually allow third-party apps to work with the program, but it is also up to other companies to update their apps to support the keys.